Blockchain and GDPR

Processes and Hyper-automation


The blockchain, defined as a shared database that records all transactions made by users in a ledger, has been elevated to axiomatic status in recent years. This is because the blockchain bases its activity on the principle of inviolability of transactions, which, in addition to being unique, have a guaranteed traceability that certifies the transaction.

As often happens, legal and technological progress have not gone hand in hand so there is currently some legal and jurisprudential uncertainty about how data protection aspects affecting blockchain should be articulated, for example, the following casuistries have been presented:

First of all, the general data protection structure established in the General Data Protection Regulation (RGPD), contemplates a series of principles and rights that are difficult to apply to the blockchain , The main characteristic of this system is the immutability of the information contained in the blocks, i.e., it seeks to guarantee the security and reliability of the information.

Among these principles, the GDPR establishes that data should only be processed for the purposes for which they were collected (purpose limitation), and for the time strictly necessary (limitation of the retention period). On the other hand, the blockchain is divided into several databases that are continuously growing and whose information is replicated in different computers.

This raises several questions regarding whether the purpose of the use of data in blockchain , only includes only the initial transaction, or whether it also covers the ongoing or further processing of personal data (such as its storage and use for compatible purposes), bearing in mind that once information is incorporated into the blockchain, it becomes unique and inviolable, i.e., the data stored in the blockchain are stored indefinitely in its network and therefore it is practically impossible to comply with the aforementioned principles of the GDPR.

Secondly, incompatibilities with the accountability principle of the GDPR, i.e. on the accountability of the wide variety of actors that may arise during the processing of personal data. The General Data Protection Regulation is based on the underlying assumption that for each processing of personal data there is a controller to whom the data subject can address to exercise his or her rights. However, in the blockchain this is not so straightforward, dealing with databases that sometimes seek to achieve decentralization by removing intermediaries and replacing a unitary actor with many different unrelated participants.

With this, it is most likely that even though a user is considered a data controller, he/she is unable to guarantee the rectification or erasure of data, since he/she has no real influence over the processing he/she is carrying out.

Hey, but then there are only problems? Nothing could be further from the truth, blockchain technologies can be used as a tool to support alternative forms of data management, processing and communication. Blockchains can be designed in a way that allows data to be exchanged without the need for a trusted central intermediary, providing transparency about who has accessed the data. Likewise, this technology could be applicable to smart contracts, automating the exchange of data and reducing transaction costs.

In summary, the technological neutrality of the structure of the data protection regulation means that it is sometimes difficult to apply its content; however, this same regulation provides mechanisms designed to deal with some of the problems presented, among them are the certifications or codes of conduct that aim to ensure that a company offers adequate and sufficient guarantees to comply with the principles established in the GDPR.

However, there is a clear and additional need for the supervisory authorities, together with the Commission and the European Data Protection Committee, to draw up homogeneous guidelines, recommendations and best practices, in order to establish basic rules on the design, development and use of the technology. blockchain.