GDPR blockchain technology: Since blockchain data is immutable, is it impossible to apply the right to be forgotten?
Many people had this doubt after the new European privacy regulations.
The way it is written though, the European GDPR legislation is not structured to be incompatible with blockchain technology.
The lawyer Stefano Casartelli of Jenny Avvocati, an expert in commercial law and competition law, explains the issue to Cryptonomist.
“The GDPR”, he says, “unfortunately does not contain rules regarding blockchain technology, a reality that does not seem to have been considered by the European legislator in the preparation of the Regulation”.
The immutability of the information running on the distributed and decentralized network is one of the strengths of the technology and it is unthinkable that it should be modified.
In the same way, the current legislation, which is the result of four years of preparation, and the most important innovation of the last 20 years in the area of personal data privacy, as the EU authorities call it, certainly cannot be revised.
For these reasons, the problems of compatibility between the “chain of blocks” system and the regulatory apparatus that entered into force on May 25 must be tackled with the utmost reason and in the spirit of cooperation between the parties involved, being able to adapt to each case.
In other words, maximum flexibility is required from everyone.
Casartelli continues: “GDPR’s regulation on the right to be forgotten (art. 19) undoubtedly generates problems of compatibility with blockchain systems, which are known to ensure – through the distributed nature of the chain of blocks – the storage and unchangeability of data for an unlimited period.”
The question is therefore difficult to resolve and the answers will depend not only on the characteristics of the individual blockchain systems (which include the identification of the data controller for privacy purposes) but also on the future interpretation of the new regulations.
The right to be forgotten is not recognized in an absolute way
Even in this context of uncertainty, some general observations can be made. Casartelli offers a few, explaining how blockchain can continue to work without threatening the protection of personal data.
“First, the right to be forgotten is not absolutely recognized in the GDPR either, as it is provided for only under certain conditions (e.g. data no longer necessary for the purposes of collection, withdrawal of consent by the entity concerned, objection to the processing).”
Moreover, the obligation of the data controller to delete the data made public is “expressly subject to the requirement of reasonableness, taking into account available technology and implementation costs. These are subjects that, in light of the purposes and nature of each blockchain system, could be useful to those who manage it in order to emphasize the legality of their work.”
Finally, “it would always be desirable to include encryption and/or pseudonymisation mechanisms in blockchain systems”. If well structured, in fact, “these measures could make inaccessible personal data entered in the blockchain (for example, in the case of double key encryption, through the elimination of the private key by the person concerned)”. This could help to reduce the risk of disputes related to possible violations of the right to be forgotten.
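The following is an added example, not code from the article or from Casartelli. It sketches the pseudonymisation variant of the idea above: only a keyed HMAC tag is written to the chain, while the per-subject key and the personal data sit in an erasable off-chain store. `Ledger`, `SubjectVault` and all sample values are constructed for illustration, and the hash chain is a stand-in for a real blockchain.

```python
import hashlib, hmac, secrets

GENESIS = "0" * 64

def _link(prev, commitment):
    return hashlib.sha256((prev + commitment).encode()).hexdigest()

class Ledger:
    """Append-only hash chain standing in for a blockchain (constructed)."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "commitment": commitment, "hash": _link(prev, commitment)})
        return len(self.blocks) - 1

    def verify(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _link(prev, b["commitment"]):
                return False
            prev = b["hash"]
        return True

class SubjectVault:
    """Erasable off-chain store: per-subject random key plus the personal data."""
    def __init__(self, ledger):
        self.ledger, self.records = ledger, {}

    def _tag(self, key, data):
        return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

    def register(self, subject_id, personal_data):
        key = secrets.token_bytes(32)  # random key, so the tag cannot be guessed from the data
        self.records[subject_id] = (key, personal_data)
        return self.ledger.append(self._tag(key, personal_data))

    def proves(self, subject_id, index):
        """True only while the off-chain key and data still match the on-chain tag."""
        if subject_id not in self.records:
            return False
        key, data = self.records[subject_id]
        return hmac.compare_digest(self._tag(key, data), self.ledger.blocks[index]["commitment"])

    def erase(self, subject_id):
        """Erasure request: drop key and data; the chain itself is never rewritten."""
        self.records.pop(subject_id, None)
```

After `erase`, the chain still verifies block by block, but the tag left on it can no longer be recomputed or tied to the subject because the random key is gone.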