One may be led to think that the data that is fed into the blockchain formation process, being encrypted, is itself protected, or even that it should not even be considered as personal data. For this reason, one might conclude that what goes into a blockchain does not fall under the scope of the rules dictated to protect privacy.
This is not necessarily the case.
Summary
Privacy and personal data within the blockchain
Complicating the matter is the fact that the legal notion of “personal data” is broader than one might think. If a piece of data does not allow for the identification of a person, one cannot exclude that the same piece of data, combined or cross-referenced with others, may be associated with an identified individual.
The Alba – Cooper case is emblematic. Data from taxi rides in New York, cross-referenced with photos and articles in gossip magazines, allowed some readers to find out whether or not celebrities (including Jessica Alba and Bradley Cooper) had tipped their taxi drivers. An apparently anonymous piece of data, cross-referenced with other data, allowed a unique association to a person’s identity.
The GDPR and, before it, Directive 95/46/EC, have established a broad and “dynamic” notion of personal data. This means that personal data is considered not only that which allows the concrete identification of the individuals, but also that type of data that makes them potentially identifiable. This depends on the specific contexts, taking into account not only the content but also the final result of the data collection.
Blockchain and regulatory obligations
Understanding whether or not what is collected in a blockchain (essentially, public keys and hash codes) should be considered personal data according to this notion is crucial to determine whether a blockchain should be subject to the application of the many obligations stemming from privacy legislation.
The problem is that there are opposing views on whether or not public keys and hash codes should be considered personal data.
Public keys would not be completely anonymous data, but pseudonymous data (and thus, in combination with other data, lend themselves to revealing personal identities). Moreover, they would be inherently personal data and their qualification would depend on the specific architecture of the individual blockchain.
Deciding whether one is inside or outside this perimeter makes a difference to a cascade of further problems. In a blockchain, data management and processing takes place in a distributed manner along all nodes of the network. How will it be possible to identify all the entities that take on any of the roles envisaged by the GDPR, or the specific domestic law regulations of the various countries, in the processing of data? Territoriality is also a relevant issue, in cases where a blockchain is spread across several countries, each with its own domestic law.
There is the issue of the right to be forgotten. A right that risks not being able to be exercised on data irreversibly engraved in a blockchain.
On all these issues, jurists continue to measure themselves and to seek a balance between the substantial features of blockchain and the formal limits of the sector’s rules.
The privacy issue as a field of confrontation
This balance, however, is hard to find, also because the blockchain has multiple applications outside of the cryptocurrency sphere. Because of the specific purposes for which it is used, it can present significant particularities that can make a difference. This is with respect to the qualification of the personal data collected, to the issue of the identifiability of data subjects, and with respect to the relevance of privacy legislation.
Even when the framework of legal interpretations is clarified, the privacy issue will remain a crucial field of confrontation for initiatives and projects based on blockchain and decentralization.
In the general mosaic of compliance of this kind of projects, the correct application of privacy regulations will be an important piece and will have to be combined with that of anti-money laundering regulations.
This translates not only into a monumental amount of bureaucracy but also into a range of legal obligations and responsibilities that can affect the success of many projects.
Claiming that data such as public keys and hash codes should be treated tout court as personal data has a paradoxical effect. And the rainfall of constraints that this entails falls on the blockchain itself. This is a technology that was created to preserve confidentiality and anonymity, and to erect a barrier to protect the fundamental freedoms of the individual through cryptography.
