On 25 May 2018, the General Data Protection Regulation (GDPR) of the European Union entered into force, accompanied by some uncertainties regarding its application. For example, some legal commentators believe there are “irreconcilable” differences between blockchain technologies and some of GDPR’s core principles, raising doubts as to whether the technology can achieve widespread adoption under the new data protection regime.
Blockchain technology rose to fame as the underpinning of the Bitcoin system, but there are a myriad of applications for it beyond transacting in cryptocurrencies, such as executing contracts and even authenticating fine art.
Nigel Houlden, head of technology policy at the Information Commissioner’s Office (ICO)—the body responsible for enforcing data protection and privacy regulations in the United Kingdom—stated that he has “nightmares” about the future relationship between blockchain and some of GDPR’s core principles. One of the tensions revolves around the so-called “right to be forgotten.”
Pursuant to Article 17, “[t]he data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.“ However, this might not be possible if that personal data is stored on an immutable, open blockchain, in which each block of data contains a hash of the previous one. By design, a blockchain is resistant to modification of the data, which is argueably one of the technology’s core advantages. There are, of course, exemptions from the right to erasure in Article 17. However, it is unclear whether any of those exemptions might apply to blockchain. It is also unclear whether cryptographic information on a blockchain will qualify as personal information in all circumstances.