Study suggests ways to make blockchain GDPR-compliant
unsplash/Clint Adair

Study suggests ways to make blockchain GDPR-compliant

Blockchain applications could comply with the GDPR by using closed networks and storing data off the system – though the regulation could still have a “chilling” effect on public, open use of the technology without further guidance from regulators, a UK study has found.

A report published by researchers at Queen Mary University of London and Cambridge University yesterday said there is significant uncertainty about how the GDPR affects blockchain, which risks deterring European companies from innovating with the technology. “There can be no one-size-fits-all legal response,” it said.

Speaking to GDR, Dave Michels, one of the study’s authors and a researcher at the Cloud Legal Project at Queen Mary, said the authors chose to focus on blockchain because “there is so much hype – and so many poorly informed opinions” about the technology. “There was so much noise out there, with some people saying you can’t use blockchain under GDPR at all, and others saying it will solve all sorts of data protection problems,” he said.

Blockchain technology, which at its most basic creates a tamper-proof record of transactions, clashes with data subject rights under the GDPR, most notably the right to be forgotten and data minimisation.

To get around this problem, Michels said that "instead of taking all personal data and storing it on chain, you store it off chain, and link it to a hash that is stored on the chain". That way, data could be deleted without affecting the integrity of the network too much, he said.

The report also suggests encrypting entries then deleting relevant encryption keys as another workaround, as it would leave only indecipherable data on the chain.

But Michels acknowledged that European case law suggests that the hash remaining on the chain could still be considered personal data. Citing Breyer v Germany he said there is question of whether combining data that is on and off the chain is “a means likely reasonably to be used” to identify someone.

However, he told GDR that this interpretation would be “far-fetched” in practice, especially if off-chain data were kept secure.

Aside from rubbing up against data subject rights, the technology also raises questions around liability, since the GDPR was drafted around the idea of centralised processing. In open, public blockchain systems, it can be difficult to determine processors and controllers.

The solution, according to Michels, is to have a closed system. “Blockchain technology doesn’t have to be implemented as a public blockchain like Bitcoin. Instead, you could have a private, more limited system – a closed group of participants, with controller-processor agreements like anywhere else,” he said.

For public systems, he suggested a system of binding network rules, where people have to sign up to a standard set of rules to participate in the network. “That way you can use those rules to allocate controller and processor roles and responsibilities to participants,” he said.

The report’s authors concluded that their analysis “illustrates the significant uncertainty as to how EU data protection law might apply to blockchain applications and in particular to open, distributed blockchain platforms”, and said it “might be helpful” for the European Data Protection Board to issue guidance.

The EDPB told GDR that blockchain guidance is not currently on its agenda, but it “might be envisaged for 2019”.

Michels praised the French data protection agency’s recent blockchain guidance, and urged other regulators to follow suit. The UK Information Commissioner’s Office has launched a programme to fund research into various new technologies, including blockchain.

The report also studied the effects of blockchain on IP law, concluding that a blockchain database could receive EU database rights protection, with “right holders of a centralised databases [having] the right to prevent extraction and re-utilisation of (all or substantial parts of) the contents of a database”.

But determining whether there had been a substantial investment – and, if so, who the rights holders are – would be more challenging for distributed platforms, the report noted.

“Various groups may contribute to the creation of an open, distributed blockchain, with developers writing the initial software, and nodes and miners investing in hardware that stores and updates the database,” the report said. “It is unclear whether these activities, taken separately, amount to ‘substantial investments’, and if so, which of the activities would suffice for a party to qualify as one of the database ‘makers’,” the authors said.

Blockchain-powered smart contracts, on the other hand, are inappropriate for contracts that contain confidential information, according to the report: in the worst case scenario, revealing information through a smart contract could lead to a loss of trade secrets.

The authors of ‘Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers’, published yesterday in the Richmond Journal of Law and Technology, were Michels; Christopher Millard, who leads the Cloud Legal Project at Queen Mary and is a senior counsel at Bristows in London; and Cambridge University computer scientists Jean Bacon and Jatinder Singh.


  • ECJ Breyer v Germany judgment

  • Blockchain Demystified