From a legal point of view, many aspects have to be considered when applying effective legal frameworks to rather new technical systems like Blockchain – national legislation as well as EU law have to be taken into account. One of the most recent Acts on EU level creating implementation requirements of great impact for companies is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, in the following ‘GDPR’), which entered into force on 25 May 2018.
The objective of the GDPR is to strengthen and unify data protection for individuals within the EU by trying to give citizens full and ultimate control over all their data . Its scope of application is based on the definition of ‘personal data’ – the principles of data protection set up by the GDPR should apply to any information concerning an identified or identifiable natural person.
Blockchain databases allow or even promote transactions between parties without having to disclose their identity to the contracting party or the public –- at least in theory, where only private and public keys, ie numeric codes, are subject of conversation. Anonymity ranks amongst the most prominent features of Blockchain technology – and, remarkably enough, the terms ‘anonymity’ and ‘pseudonymity’ are also used in the GDPR, where ‘pseudonymisation’ is explicitly mentioned as an instrument to reduce data protection risks.
Austria has adopted the EU Money Laundering Directive into its national law as part of the international drive to combat and prevent money laundering. These laws impose obligations on the following institutions to report suspicious transactions to the public authorities: Banks, attorneys, notaries and tax advisors, among others.
Pseudonymisation means the processing of personal data in such a manner that the personal data no longer can be attributed to a specific data subject (= an identified or identifiable natural person). Still, studies showed (based on Bitcoin, the most popular Blockchain) that there are possibilities for the de-anonymization of entries in blockchains: transaction analysis eventually allows that public keys can be traced back to IP addresses via a specific internet connection or connection owners. Since IP addresses are considered to be ‘personal data’ according to international and national jurisdiction, this could potentially lead to unrestricted application of the GDPR to Blockchain technologies – always under the condition that ‘personable data’ is ‘processed’ within the meanings of the GDPR, causing numerous problems, of which only a few shall be pointed out in the following:
The GDPR obliges so-called ‘controllers’, who determine the purposes and means of the processing of personal data, and ‘processors’, who process personal data on behalf of the controller, thus everyone who processes personal data, to correct behavior and to comply with the principles set up by the GDPR (transparency, data minimization, purpose limitation, to invoke just a few). Between controllers and processors, contracts must be filed which set out the subject-matter and numerous details of the processing. Within the blockchain environment, countless contracts would thus be necessary – the concept of GDPR, creating responsibilities (Article 24 ff GDPR) for controllers of personal data, seems just not compatible with a blockchain system, where data is processed without individual controllers for individual processing operations.
In this context, it may be also be added that the rights of the data subject (eg the right to basic information, right to rectification) are difficult to be fulfilled, again because of the missing responsibilities due to the whole construction of blockchain. In addition, one of the most significant rights provided by the GDPR, the right to erasure or so-called ‘right to be forgotten’, stands in contrast with the fact that the public ledger cannot be modified or deleted after the data has been approved.
Previous Section | Next Section |