Blockchain and GDPR — Frenemies?
In a nutshell, GDPR mandates that individuals have access and control over the use and maintenance of their data in certain circumstances, while the foundation of blockchain relies on the immutability of data. On the surface, these concepts seem in direct conflict with each other. This article discusses the points where GDPR and blockchain share common ground, where conflicts may exist and possible approaches for mitigating those conflicts.
July 03, 2018 at 02:53 PM
4 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
General Data Protection Regulation (GDPR)Hype Check
spending billions fully compliant banking global trade voting property records cybersecurity healthcare help refugees capital flowing into the space Gartner prognosticates expert opinions investor responseCommon Ground
Consumer Demand for Increased Security Consumer Demand for Visibility and Control identification monetization Erosion of Consumer Trust In Institutions news insuranceConflict
Los Angeles Times Chicago Tribune shut down access ceased EU operations shut down completelyA Path Forward
- Increased use of private or enterprise blockchains, which are blockchain systems used by one company or amongst companies in a particular industry. Unlike public blockchains, which provide decentralized utility and access to as many users as possible, private and enterprise blockchains limit the dissemination of personal information to just one company or a limited number of companies. In reducing the scale of the chain, fewer individuals have access to sensitive information and the possibility of data breaches significantly diminish.
- Use of pseudonymization techniques in combination with data stored off-chain. In order for data to be considered pseudonymous under GDPR, the data must “no longer be attributed to a specific data subject without the use of additional information” (GDPR Art. 4(5)). Pseudonymous data, unlike anonymous data, therefore still allows for re-identification. While pseudonymization techniques make it more challenging for users to identify data subjects, it does not scrub all identifying personal information. Pseudonymization with pointers to personal data stored off-chain in a manner which allows the personal data to be destroyed and thus removes the link to the data on the chain and renders it anonymized may allow a user to remove all of their personal information from the chain, as required by the GDPR's right to erasure.
- Development of mutable blockchains. For example, the R3 Corda team is currently exploring “sophisticated anonymization techniques” that would allow users to edit and/or delete their personal information shared on a private blockchain, giving them 100% control over their own data. This “self-sovereign solution” would “ensure provisions in GDPR that allow individuals to access and correct their personal data would be fulfilled and provides a compliant solution to restrict data processing.”
- Reliance on exceptions to the right to erasure. The right to erasure is not absolute in all circumstances. For instance, the right to erasure does not apply to the extent that processing is necessary for compliance with a legal obligation that requires processing by Union or Member State law, and it does not apply to the extent that processing is necessary to establish, exercise or defend legal claims. (GDPR Art. 17(3)(b) and (e).) Other exceptions may also apply. Businesses might reject a request for erasure of personal data based on recognized exceptions in the GDPR, but there is little guidance in this area and whether these exceptions will successfully apply to blockchain solutions has yet to be tested.
Conclusion
***** Justin Hectus Cybersecurity Law & Strategy Kristy Sambor This information has been prepared for informational purposes only and is not intended to be legal advice. Individuals and/or companies should not act upon this information without seeking professional counsel from an attorney.This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
FTC's Info Security Action Against GoDaddy Sends 'Clear Signal' to Web Hosting Industry: Expert
Avoiding Legal Risks: Crafting a Strong Do Not Call Policy for Compliance
7 minute read
'Be Prepared and Practice': Paul Hastings' Michelle Reed Breaks Down Firm's First SEC Cybersecurity Incident Disclosure Report
Trending Stories
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
