Out-Law / Your Daily Need-To-Know

MEPs call for business GDPR 'guarantee' on using blockchain

Out-Law News | 22 Nov 2018 | 9:47 am | 2 min. read

Businesses should not begin using blockchain technology to process personal data until they can "guarantee compliance" with EU data protection laws, a committee of MEPs has said.

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) said that businesses using blockchain must, in particular, be able to respect the rights of data subjects under the General Data Protection Regulation (GDPR) to the rectification and erasure of their data.

Madrid-based blockchain expert Cristina Carrascosa Cobos of Pinsent Masons, the law firm behind Out-Law.com, said that it is possible to use blockchain in compliance with the GDPR. Guidance issued by the French data protection authority on the topic supports that view, she said.

The LIBE Committee's opinion was published in response to an earlier draft report published by the European Parliament's Committee on International Trade (INTA) which flagged the potential for blockchain to cut up to $1 trillion in costs associated with global trade.

The LIBE Committee said, though, that while blockchain "represents a new paradigm of data storage and management that is capable of decentralising forms of human interaction, the markets, banking and international trade", innovative uses of the technology have the potential to "clash" with data protection law and privacy rights.

In one example, the LIBE Committee cited the "immutable nature of some blockchain technologies", where information written onto the blockchain can thereafter not be altered or deleted. This, it said, "is likely to be incompatible with the ‘right to erasure’ set out in Article 17 of the GDPR, in cases where the blockchain contains personal data".

It also raised concern that "the proliferation of copies of data in a blockchain" would not comply with the GDPR's "data minimisation principle".

In its opinion, the LIBE Committee highlighted the fact that personal data in a blockchain is "normally not anonymous" and said businesses using the technology should store personal data "off the chain". It further urged developers of "future blockchain applications" to "implement mechanisms that protect personal data and the privacy of users and ensure that data can be fully anonymous".

"Blockchains and applications should integrate mechanisms that ensure that data can be fully anonymous, thereby guaranteeing that they only store data that does not relate to an identified or identifiable natural person," the MEPs said.

The Committee said the European Data Protection Board should issue "guidelines and recommendations" to help businesses comply with EU law when using blockchain technology.

Blockchain, also known as distributed ledger technology, is the process of creating a shared database that is distributed across many participants in a network, with data packaged into identifiable 'blocks' which, once verified by the participants, create linked 'chains'.

Blockchain is perhaps best known for being the technology that underpins the cryptocurrency bitcoin, but it has been identified as having a wide-range of other potential uses. Examples include within corporate reporting, for settling payments,  supporting ID authentication in public services and energy trading, and to enable universities to share intellectual property and manage student data.

Earlier this year, the data protection authority in France, the Commission Nationale de l’information et des Liberties (CNIL), said businesses should embrace the principle of 'privacy by design' when planning to use blockchain technologies.

CNIL gave businesses guidance on when they might store personal data on the blockchain.

"If justified by the purpose of the processing and if a data protection impact assessment (DPIA) has proven that the residual risks are acceptable, personal data may exceptionally be stored on the blockchain, in the form of a traditional fingerprint (without a key) or even in cleartext," it said.