The Major Concerns About Blockchain and Data Protection

By Kapil Gauhar

One of the most crucial drivers of the digital revolution, blockchain technology and its applications have become one of the most discussed global topics today.

A blockchain keeps track of an unlimited number of data assets and transactions via a P2P network. It’s a registry maintained by a consensus algorithm and then stored in a network of nodes, i.e. computers which allow data to be included in blocks chained with one another.

Blockchain Not Limited to Cryptocurrencies

The usage of blockchain is not limited to digital currencies any longer, since blockchain databases might be deployed in various circumstances and scenarios, such as within the insurance sectors and financial services for money transfer, P2P lending and security transfer, and automatic execution of contracts.

The advantages of blockchain include transparency, tamper-proof processing, cost-reductions, disintermediation, security and more generally an additional layer of trust since a wider audience of nodes verifies each transaction.

Regulators on Blockchain Technology

Regulators are designing a legal framework to operate a blockchain in a safe environment, including blockchain smart contracts.

With that said, the connection between blockchain and other distributed ledger technologies to personal data protection is yet to be addressed.

Though technology neutral, the GDPR is based upon a centralized approach, with a data controller while possessing full as well as ultimate responsibility for the data storage.

Difficulty in Identifying Data Controllers

But blockchain is a form of the distributed ledger, which makes it decentralized in its actual definition. This implies a difficulty in identifying the data controllers. As a matter of fact, either no node is a data controller, or each node is a data controller in the absence of a centralized determination of such purposes since it’s not subject to external instructions.

These nodes may be located in several jurisdictions, which means potential data transfers to jurisdictions which don’t grant enough level of protection of personal data.

In addition to the practical issues in identifying the nodes to submit the data requests, certain rights may not be effectively exercised by the data subject. For example, the GDPR offers the principle of data minimization, whereby data need to be processed among other things for the specified purposes and for the time necessary for the processing.

Once the Data Gets Added, It’s Added

However, in most instances, once the data gets added to the blockchain, it remains stored in perpetuity, as part of an append-only database.

Similar issues arise for the right of rectification and amendment, and the right to be forgotten since it’s usually impossible to erase the data.

Just like it’s happening with AI, regulators are facing the challenge of protecting the fundamental rights of the individual, not affecting the technology and innovation. The regulatory authorities will take further steps to tackle these concerns. Meanwhile, when using blockchain technologies and databases, a careful assessment via a data protection impact assessment remains advisable.