GDPR

Data protection for everyone

Can blockchain technology be GDPR-compliant?

September 3, 2019, 09:00 - poklaszlo

Study on the relationship between blockchain technology and the GDPR

The European Parliament published a study that examines whether distributed ledgers can be squared with European data protection law. The study consists of three main parts: (i) it discusses blockchain technology and the tensions between the use of such technology and the GDPR, (ii) it explores the possibilities of using this technology to enhance GDPR compliance, and (iii) it recommends policy options available to help in solving (potential) collisions between the characteristics of the technology and the requirements of data protection law.

The main GDPR issues in connection with blockchain technology

First, it must be noted that blockchain technology (or distributed ledger technology, DLT) can be regarded as a class of technologies. This means that some general statements can be made and conclusions drawn, but a more detailed analysis must be made on a case-by-case basis, in line with the special characteristics of a given use of this type of technology.

The following issues are discussed in the study: 

  • applicability of the GDPR to blockchain technologies (i.e. territorial and material scope), 
  • the definition of personal data in the context of DLT, including various questions relating to anonymisation and pseudonymisation,
  • the definition of roles in connection with the processing of personal data by the use of blockchain technologies (i.e. who can be regarded as data controller(s), data processor or third party?),
  • the legal basis of data processing in the course of using DLT, 
  • blockchain and the applicability of the principles set out in the GDPR (especially data minimisation and purpose limitation), 
  • the exercise of data subject rights (with special regard to the right to erasure, and the right to rectification). 

On the basis of the examination of the above (and some other related) topics, the study draws two main conclusions:

First, that the very technical specificities and governance design of blockchain use cases can be hard to reconcile with the GDPR. Therefore, blockchain architects need to be aware of this from the outset and make sure that they design their respective use cases in a manner that allows compliance with European data protection law. Second, it will however also be stressed that the current lack of legal certainty as to how blockchains can be designed in a manner that is compliant with the regulation is not just due to the specific features of this technology. Rather, examining this technology through the lens of the GDPR also highlights significant conceptual uncertainties in relation to the regulation that are of a relevance that significantly exceeds the specific blockchain context.

Based on the above, the study recommends three policy options:

  • Regulatory guidance: regulatory guidance is needed regarding how specific concepts of the GDPR ought to be applied where such technology is used,
  • Support codes of conduct and certification mechanisms: such tools of the GDPR may help to apply and interpret the general concepts in a given field or sector,
  • Research funding: further interdisciplinary research may also contribute to finding solutions that are in compliance with data protection rules by design.

Blockchain as a means to achieve GDPR objectives

A very interesting part of the study is the section about potential uses of blockchain technology that can support GDPR compliance and may enhance data sovereignty. As one of the aims of the GDPR is to give data subjects more control over their data, solutions that can increase control and transparency are very welcome. For example, an Estonian use case is presented where "a blockchain-like technical infrastructure has long been used to provide data subjects with more control over their health data. This structure enables data subjects to 'a patient can assess any and all authorisations regarding her data access. By default medical specialists can access data, but any patient can choose to deny access to any case related data, to any, or all care providers; including one's own general practitioner/family physician'."

Some other important reading regarding blockchains

The French Data Protection Authority (CNIL) published guidance on relevant issues concerning blockchain last November. CNIL discusses, among others, the following issues: 

  • Who is the data controller in a blockchain?
  • What happens if several participants jointly decide to carry out processing operations on a blockchain?
  • Are there data processors, within the meaning of the GDPR, in a blockchain?
  • How to minimize the risks for data subjects when a processing is carried out on a blockchain?
  • How to ensure the effective exercise of rights?

The Hungarian Data Protection Authority (NAIH) also discussed this topic in 2017 and the following main topics were examined by NAIH in its opinion (my short summary is available here in Hungarian): 

  • Who is the data controller and the data processor?
  • What is the legal basis for processing?
  • Which supervisory authority has competence to act?
  • Can the use of blockchain technology mean profiling?

The European Blockchain Observatory and Forum also examined the interaction between blockchain technology and GDPR.

There are also very insightful materials regarding the potential uses of blockchain, e.g. the report of the European Parliament on Blockchain: a forward-looking trade policy, and blockchain applications for the telco sector.
