Skip to main content

Blockchain and the General Data Protection Regulation

Blockchain is a much-discussed instrument that, according to some, promises to inaugurate a new era of
data storage and code-execution, which could, in turn,stimulate new business models and markets. The
precise impact of the technology is, of course, hard to anticipate with certainty, in particular as many
remain sceptical of blockchain’s potential impact. In recent times, there has been much discussion in
policy circles, academia and the private sector regarding the tension between blockchain and the
European Union’s General Data Protection Regulation (GDPR). Indeed, many of the points of tension
between blockchain and the GDPR are due to two overarching factors.
First, the GDPR is based on an underlying assumption that in relation to each personal data point there
is at least one natural or legal person – the data controller – whom data subjects can address to enforce
their rights under EU data protection law. These data controllers must comply with the GDPR’s
obligations. Blockchains, however, are distributed databases that often seek to achieve decentralisation
by replacing a unitary actor with many different players. The lack of consensus as to how (joint-)
controllership ought to be defined hampers the allocation of responsibility and accountability.
Second, the GDPR is based on the assumption that data can be modified or erased where necessary to
comply with legal requirements, such as Articles 16 and 17 GDPR. Blockchains, however, render the
unilateral modification of data purposefully onerous in order to ensure data integrity and to increase
trust in the network. Furthermore, blockchains underline the challenges of adhering to the requirements
of data minimisation and purpose limitation in the current form of the data economy.
This study examines the European data protection framework and applies it to blockchain technologies
so as to document these tensions. It also highlightsthe fact that blockchain may help further some of the
GDPR’s objectives. Concrete policy options are developed on the basis of this analysis.

Back to the Top