Michèle Finck visited Luxembourg on 4 March to present her new book “Blockchain Regulation and Governance in Europe” at an event organised by Infrachain, the non-profit organisation supporting the blockchain industry in the grand duchy, and hosted at Allen & Overy.
Finck delved into two current concerns surrounding the compatibility of blockchain with the General Data Protection Regulation: centralisation versus decentralisation, and mutability versus immutability. In the former case, she explained, the GDPR assumes a single legal entity that can be identified and held to compliance. “But blockchains try to achieve resilience through replication. This doesn’t just mean that a database itself is spread across different [nodes], but also many different actors. This makes the question more complex.”
In the case of mutability versus immutability, the fundamental problem is that blockchains are built to be append-only: data previously entered cannot be deleted or altered, and this is one of the qualities that makes them so resilient. The GDPR, however, does sometimes require data to be altered or removed, and doing so would seem to defeat the whole purpose of a blockchain.
Finck, who works as a senior research fellow at the Max Planck Institute for Innovation and Competition in Munich, research fellow at University College London and academic fellow at the Centre for Regulation in Europe (CERRE), narrowed down the tensions surrounding blockchain and the GDPR even further.
One tension, she says, concerns data minimisation. Article 5(1)(c) of the GDPR states: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).” In the simplest terms, data should be kept to a minimum, but that is not straightforward for blockchains because of their append-only and replicating design.
“If we look at it from a blockchain perspective,” says Finck, “this forces us to be more specific about what data minimization means and this, perhaps surprisingly, is an area where there isn’t much clarification by courts or relevant regulators in various jurisdictions.”
The right to erasure
Next, Finck highlighted the GDPR’s Article 17 on the ‘right to erasure’ or ‘right to be forgotten’. In its strictest sense, erasure would appear to mean destruction of data, but Finck says the legal interpretation is “far from clear” on the matter.
The 2014 Google Spain case, for example, raised the question of whether search engines are obliged to remove links to pages about a data subject once those results are no longer relevant. The European Court of Justice held that European citizens do have the right, on request, to have such search engines remove links to private data that is no longer relevant.
However, “national data protection authorities have diverged on what is required exactly”. She cited, for example, the British ICO, which she says declares that “you can erase data without destroying it, it is sufficient if you put it beyond use.”
So what about anonymisation? Finck says this opens up a whole other debate under the GDPR. She further noted that while the Austrian data protection authority (DPA) agreed with the British position, what was critical for the French DPA was the destruction of the public key. Finck added that in the 2017 Nowak case the court said in passing that erasure essentially means destruction, so the picture is even less clear.
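The “put beyond use” reading of erasure and the French focus on destroying a key both map onto one engineering pattern that leaves the append-only property intact. The Python below is an added example written for this page; it is not code from Finck’s book, from the talk, or from any DPA guidance. It keeps the personal data and a per-subject key off-chain, writes only a keyed commitment (an HMAC) to a toy hash-chained ledger, and “erases” by destroying the key and the plaintext. The ledger is never altered and still verifies, and the entry left behind can no longer be linked to the subject, even by guessing low-entropy values such as an e-mail address, which an unkeyed hash would allow. The `Ledger` and `OffChainStore` classes, the opaque reference scheme and the sample records are all assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data (not from the page): personal data that must never be
# written to the ledger itself; only a commitment to it is.
SUBJECT_RECORDS = {
    "alice": {"email": "alice@example.org", "dob": "1990-01-02"},
    "bob": {"email": "bob@example.org", "dob": "1985-07-30"},
}


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so equal inputs always hash to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def naive_commitment(record: dict) -> str:
    """Unkeyed SHA-256. Guessable inputs can be recovered by trial, so this is still personal data."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_commitment(key: bytes, record: dict) -> str:
    """HMAC-SHA256 under a per-subject key; without the key a guess cannot be confirmed."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class Ledger:
    """Append-only hash chain standing in for a blockchain: entries are never altered or removed."""

    def __init__(self) -> None:
        self.blocks = []

    def append(self, payload: dict) -> dict:
        prev_hash = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        header = {"index": len(self.blocks), "prev_hash": prev_hash, "payload": payload}
        block = dict(header, hash=hashlib.sha256(canonical(header)).hexdigest())
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every block hash and link; any edit to past data breaks the chain."""
        prev_hash = "0" * 64
        for i, block in enumerate(self.blocks):
            header = {"index": i, "prev_hash": prev_hash, "payload": block["payload"]}
            if block["index"] != i or block["prev_hash"] != prev_hash:
                return False
            if hashlib.sha256(canonical(header)).hexdigest() != block["hash"]:
                return False
            prev_hash = block["hash"]
        return True


class OffChainStore:
    """Plaintext and per-subject keys live here, under one identifiable controller (assumed)."""

    def __init__(self) -> None:
        self.keys = {}
        self.records = {}

    def register(self, record: dict, ledger: Ledger) -> str:
        """Commit a record to the ledger under an opaque reference and return that reference."""
        ref = secrets.token_hex(8)  # opaque, so the ledger carries no subject identifier
        key = secrets.token_bytes(32)
        self.keys[ref], self.records[ref] = key, record
        ledger.append({"ref": ref, "commitment": keyed_commitment(key, record)})
        return ref

    def erase(self, ref: str) -> None:
        """Erasure by key destruction: drop key and plaintext; the ledger entry stays put."""
        self.keys.pop(ref, None)
        self.records.pop(ref, None)

    def resolve(self, ref: str, commitment: str) -> Optional[dict]:
        """Recover the record behind a ledger entry, if key and plaintext still exist."""
        key, record = self.keys.get(ref), self.records.get(ref)
        if key is None or record is None:
            return None
        return record if hmac.compare_digest(keyed_commitment(key, record), commitment) else None


def guess_attack(commitment: str, candidates: Iterable[dict],
                 commit_fn: Callable[[dict], str] = naive_commitment) -> Optional[dict]:
    """Someone holding only the ledger tries guessable records against a commitment."""
    for cand in candidates:
        if hmac.compare_digest(commit_fn(cand), commitment):
            return cand
    return None


def run_demo() -> dict:
    """Register two subjects, erase one, and report what remains recoverable or linkable."""
    ledger, store = Ledger(), OffChainStore()
    refs = {name: store.register(rec, ledger) for name, rec in SUBJECT_RECORDS.items()}
    alice_ref, alice = refs["alice"], SUBJECT_RECORDS["alice"]
    alice_commitment = ledger.blocks[0]["payload"]["commitment"]
    candidates = list(SUBJECT_RECORDS.values())
    out = {
        "chain_valid_before": ledger.verify(),
        "naive_hash_guessed": guess_attack(naive_commitment(alice), candidates) is not None,
        "keyed_commitment_guessed": guess_attack(alice_commitment, candidates) is not None,
        "resolvable_before": store.resolve(alice_ref, alice_commitment) == alice,
    }
    store.erase(alice_ref)
    out["resolvable_after"] = store.resolve(alice_ref, alice_commitment) is not None
    out["chain_valid_after"] = ledger.verify()
    out["ledger_length"] = len(ledger.blocks)
    return out
```

`run_demo()` reports that the chain verifies both before and after erasure and still holds both entries, that the unkeyed hash of Alice’s record is reversed by guessing, and that the keyed commitment is not, whether or not the key still exists. What the code cannot settle is the legal question Finck raises: whether the residual commitment counts as anonymised or merely pseudonymised data. It also assumes a single controller holds the off-chain store; any node that has copied the plaintext is untouched by `erase`, which is the replication problem from the first part of the talk.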
Question of controllership
A third tension Finck teased out concerned accountability and responsibility in terms of the data controller, a topic which she says is “really interesting right now because there are many developments”.
To start with, Article 4 (7) of the GDPR defines a controller as “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
Article 26(1) of the GDPR, moreover, specifically addresses joint controllers.
Finck cited several decisions of recent months, including Wirtschaftsakademie Schleswig-Holstein, which highlights the role of implicit agreement in determining who is a data controller, as well as the Jehovah’s Witnesses case, which established exerting influence as a criterion.
“In general, you could say there’s a group of various actors that could qualify as data controllers,” she says. While software developers and miners are less likely to qualify as controllers, says Finck, three groups are more likely to: the nodes within the blockchain, which have an “intrinsic motivation” for the control they exercise; applications built on the blockchain network; and users, whether private individuals or companies, who have specific purposes for using the blockchain. The question then becomes whether a household exemption applies, which depends on whether the use is of a private nature and on how many people the data is made available to.