Antoine Demicoli is the Senior Manager at the Taxation Department of KPMG. He writes about the compatibility of the GDPR with blockchain technology.
Left to their own devices, organisations, both private and public, hoard personal data. The General Data Protection Regulation (GDPR) is a unified privacy regulation that strengthened the privacy rights of data subjects by imposing new procedural and organisational obligations on data processors. The GDPR curtails the unnecessary hoarding of data by data processors and also introduced a right for individuals to have their personal data erased.
However, technology has a habit of running ahead of legislators. Take blockchain, for instance: it relies on a distributed ledger system that is decentralised and immutable, and is intended to be a permanent, tamper-proof record that sits outside the control of any one governing authority. Anne Toth, Head of Data Policy at the World Economic Forum, contends that because data stored on the blockchain, including personal data, cannot be deleted, there is no way to exercise “the right of erasure” that people are granted under the GDPR. Toth further argues that blockchain is not designed to be GDPR-compatible. Or rather, we believe that the GDPR is not blockchain-compatible in the way the regulation has been written to date.
Others have propounded that the “right of erasure” can be reconciled with blockchain technology by persuading regulators that “erasure” does not have to imply that data is literally deleted and that making data permanently inaccessible without deletion should produce the same result.
Where personal data is saved on a blockchain in hashed form (meaning that the data is transformed in a way that cannot be reverse engineered to its original state), one can argue that the existence of the hashes on the blockchain is not in violation of the GDPR, as the data is sufficiently anonymised that it falls outside the definition of personal data under the GDPR in the first place.
However, the Article 29 Working Party (now replaced by the European Data Protection Board), in its Opinion 05/2014 on Anonymisation Techniques, concluded in part that hashing may still leave some small possibility of a successful brute force attack. A brute force attack is one in which an attacker tries an extremely large number of guesses in the hope of eventually guessing correctly, thereby exposing hashed personal data stored on the blockchain.
Still others contend that an alternative solution might be to encrypt all personal data with a key and, in the event that a data subject requests that their blockchain data be erased, to delete the key, which in layman’s terms should be tantamount to deletion for GDPR purposes. The challenge, however, is that the GDPR does not define what it means to “erase” data. Another possible reconciliatory solution in respect of the “right of erasure” might be to keep personal data in separate “off-chain” databases, but doing so would sacrifice several of the benefits of using blockchain in the first instance.
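As an added illustration (not part of the original article), the following Python contrasts the two approaches discussed above: an unkeyed hash of a low-entropy field such as a date of birth, whose entire input space can simply be enumerated, against a value derived under a secret key held off-chain, which becomes permanently unverifiable once that key is destroyed. It uses a keyed hash (HMAC) in place of encryption so that it needs only the standard library; the sample date and the 1900-2020 range are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Iterable, Optional

def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of a personal-data field, as it might be written to a ledger."""
    return hashlib.sha256(value.encode()).hexdigest()

def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can recompute or verify it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

def dob_candidates(first_year: int = 1900, last_year: int = 2020) -> Iterable[str]:
    """Every ISO date in the range: the whole input space of a date-of-birth field (assumed)."""
    day = date(first_year, 1, 1)
    while day <= date(last_year, 12, 31):
        yield day.isoformat()
        day += timedelta(days=1)

def brute_force(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the pre-image of an UNKEYED hash by trying every candidate; None if no match."""
    for candidate in candidates:
        if hmac.compare_digest(plain_hash(candidate), target):
            return candidate
    return None

class LedgerRecord:
    """An immutable on-chain value paired with an off-chain key that can be destroyed."""

    def __init__(self, value: str) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)  # held off-chain only
        self.on_chain = keyed_hash(value, self._key)          # what the ledger stores

    def erase(self) -> None:
        """'Erasure' by key destruction; the ledger entry itself is untouched."""
        self._key = None

    def matches(self, value: str) -> bool:
        """Controller-side lookup; no longer possible once the key is gone."""
        if self._key is None:
            return False
        return hmac.compare_digest(keyed_hash(value, self._key), self.on_chain)
```

Running `brute_force(plain_hash("1987-06-15"), dob_candidates())` recovers the date after at most about 44,000 guesses, whereas the same enumeration against `LedgerRecord("1987-06-15").on_chain` finds nothing, and `matches()` returns False for every input once `erase()` has destroyed the key.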
In the light of the above, companies should be aware of the risk of developing blockchain technologies that will include personal data of EU-based individuals until such time as we have clarification on the interpretation of the obligation to “erase” data, or until the GDPR is amended to take blockchain into account, which to our mind is only a matter of time.
Antoine commenced his career with KPMG in 2008 and has since then assisted a wide range of clients in legal and corporate law matters. Antoine leads KPMG’s implementation team and is involved in the setting up of companies, trusts and foundations, the preparation of board and shareholders’ resolutions, shareholders’ agreements and the drafting and vetting of agreements falling within the commercial sphere generally. Antoine also lectures in the Advanced Diploma in Taxation organised by the UK Chartered Institute of Taxation. In 2011, Antoine was a speaker on the Mutual Assistance Directive at the MIM International Tax Conference. Antoine leads the KPMG CFO Agenda (Tax Slot) focussing on the budget measures. Antoine has also advised and delivered presentations to a number of KPMG clients on data protection issues and the General Data Protection Regulation (GDPR).