In this briefing, Colin Rooney and Hugh McCarthy examine a question at the intersection of blockchain technology and the GDPR - does the ledger contain personal data? - and consider the importance of applying the GDPR's data protection-by-design principle at an early stage.
At least some of the data on the blockchain ledger will likely constitute personal data, depending on: (i) the encryption and hashing techniques applied; and (ii) the architecture of the framework.
The architecture of a particular blockchain framework is a key part of ensuring GDPR compliance. To meet the GDPR's data protection-by-design principle, a data protection risk / opportunity analysis should be conducted as early as possible in the design stage of the blockchain framework.
Blockchain presents certain challenges to GDPR compliance, but innovative approaches can also present potential solutions to many of the GDPR's most challenging requirements.

Personal data in a blockchain context
While blockchain technology potentially presents a range of innovative technical solutions to many GDPR compliance issues, the important threshold question is whether data on a blockchain ledger constitutes personal data.
The concept of personal data is central to any consideration of the application of the General Data Protection Regulation (EU Regulation 679/2016) (the "GDPR"). A fundamental question arising in the context of blockchain is whether data contained in the blockchain constitutes personal data for GDPR purposes.
The focus of the GDPR is on personal data of natural persons and accordingly, it does not in principle "cover the processing of personal data which concerns legal persons and in particular the undertakings established as legal persons, including the name and the form of the legal person and the contact details" (Recital 14 GDPR). In addition, the GDPR should not apply to "[F]iles or sets of files, as well as their cover pages, which are not structured according to specific criteria" (Recital 15 GDPR). Hence where a legal person such as a corporation or partnership makes use of a blockchain solution for the purposes of a transaction, to the extent that this does not involve personal data relating to a natural person, such data will generally be outside the scope of the GDPR.
Personal data is defined broadly in Article 4(1) GDPR as "any information relating to an identifiable or identified natural person ('data subject')". An identifiable natural person is one "who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (Art. 4(1) GDPR).
When assessing whether a natural person is...