04/23/2019

GER: Do blockchain technology and data protection work together?

2B Advice
In March 2019, the German Bundestag invited experts to discuss the regulatory issues of blockchain technology. The expert opinions on the handling of data using blockchain ranged from clear approval to some skepticism. Why is this "revolutionary" technology, with its sophisticated combination of validation procedures and encryption mechanisms, so often called into question? Among other things, its incompatibility with data protection law is an important reason.
 

Whether and under what circumstances the blockchain is relevant to data protection law depends on whether it involves personal data.

In the case of Bitcoin (the most well-known use case of blockchain), blockchain technology ensures that all Bitcoin transactions are recorded in a decentralized database and that these can be accessed by anyone at any time as unencrypted data.

In other words: when this digital currency is used for some kind of business, it is, unlike with cash, easy for anyone to see where that money actually came from or what it actually bought. This traceability even applies to the entire history since the emergence of Bitcoin. Because their names are replaced with assigned public keys (which serve as account numbers), the people involved remain pseudonymous, but there are still various ways to identify them.

People have two ways to obtain bitcoins: either by creating them with their own computing power (so-called mining) or via a Bitcoin marketplace, where it is possible to transfer, exchange or bid for bitcoins.

To join a Bitcoin marketplace, it is sometimes necessary to provide personal information such as a name, email address or bank account. Although this data cannot be easily disclosed by the marketplace operators, as they are also responsible for the generation and assignment of public keys, there is always the risk of a real person being identified with the help of an assigned public key. For this reason, personal data as defined in Article 4 No. 1 GDPR is available in the blockchain.

Another privacy-related problem is that the use of consent as a general legal basis for the processing of personal data in blockchains can lead to a conflict, especially if the data subject revokes this legal basis. A blockchain is a continuously growing list of records, which are linked and secured using cryptography. This means that when a record is completed, the next one is generated containing the checksum of the previous record.

However, a revocation means that an individual part must be deleted from the blockchain, which would affect all subsequent data records and thus contradict the irreversibility of the blockchain.
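The chaining described in the two paragraphs above can be made concrete with an added sketch that is not part of the original article. It uses a simplified SHA-256 chain rather than Bitcoin's actual block format, and every function name and sample record is constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous checksum" for the first record

def record_hash(prev_hash, payload):
    """Checksum over the previous record's checksum plus this record's data."""
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = record_hash(prev, payload)
        chain.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain

def broken_records(chain):
    """Indices of records whose link or checksum no longer verifies."""
    bad, prev = [], GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or record_hash(rec["prev"], rec["payload"]) != rec["hash"]:
            bad.append(i)
        prev = rec["hash"]
    return bad

def erase_in_place(chain, index):
    """Blank one record's data but leave every stored checksum untouched."""
    edited = copy.deepcopy(chain)
    edited[index]["payload"] = None
    return edited

def erase_and_rehash(chain, index):
    """Blank one record, then recompute checksums so the chain verifies again."""
    payloads = [rec["payload"] for rec in chain]
    payloads[index] = None
    return build_chain(payloads)

def changed_hashes(original, rewritten):
    """Indices whose checksum differs from the copy other participants hold."""
    return [i for i, (a, b) in enumerate(zip(original, rewritten)) if a["hash"] != b["hash"]]

# Constructed sample data: pseudonymous transfers between made-up public keys.
SAMPLE = [{"from": f"key-{i}", "to": f"key-{i + 1}", "amount": i + 1} for i in range(5)]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print(broken_records(erase_in_place(chain, 1)))           # erased record fails
    print(changed_hashes(chain, erase_and_rehash(chain, 1)))  # every later record changes
```

Blanking a record in place makes that record fail verification, while repairing it by recomputing checksums changes the checksum of every later record, so the rewritten chain no longer matches the copies held by other participants.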

The issue of consent in the blockchain can lead to another problem: at the moment when the user can give consent, they, as the data subject, do not know who is responsible for their data and who is classified as a processor within the meaning of Art. 4 No. 8 GDPR.

Compared to classical data processing models, in which the data is centrally managed by certain entities, the decentralized data governance model of blockchain and the many participants involved in data processing could make defining their roles more complex. For example, when determining the controllers and processors in the case of Bitcoin, it is necessary to distinguish between transactions made via a Bitcoin marketplace and transactions performed directly by the user.

Despite the problems mentioned above, the discussion in the Bundestag still indicates a willingness to encourage the development and introduction of blockchain platforms and to regulate them through standards and best practices.


Further Information:
https://www.cnil.fr/en/blockchain-and-gdpr-solutions-responsible-use-blockchain-context-personal-data
https://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P8-TA-2018-0373+0+DOC+XML+V0//DE
https://www.bitkom.org/Bitkom/Publikationen/Faktenpapier-Blockchain-und-Datenschutz.html
