How do Blockchain and data protection relate to each other? Blockchain technology is currently booming and increasingly present in various fields. But how does it affect data protection? At Letslaw we tell you the main aspects you should know about this technology and its impact on data protection.

Conflict between blockchain technology and data protection

The Blockchain is a means of both validating and certifying information of any kind in a decentralised way, which cannot be manipulated and in which everything is recorded. Therefore, the stored information cannot be modified, but neither can it be deleted.

Each block forming the chain is mathematically connected to the next block and, in case of modification of any of the blocks, the chain will be broken, leaving the rest and the information contained in them immutable.

But the main question here is whether privacy can be guaranteed in this type of technology.

Mainly, the following problems can be distinguished:

  1. It is difficult to identify data controllers, as each participant in the chain or network has access to all the transactions that take place and to all the information.
  2. The information on the blockchain cannot be modified, rectified or deleted. Databases are therefore indelible.
  3. This immutability conflicts with data protection as it goes against the right to erasure or the right to be forgotten, which is enshrined in the General Data Protection Regulation (GDPR).
  4. Moreover, this immutability also affects the limitation of processing, as the GDPR itself provides that personal data should only be kept for a period no longer than is necessary for the purposes for which they are collected.

Blockchain and the right to be forgotten

With regard to the aforementioned right to be forgotten, it should be borne in mind that the data subject, according to Article 17 GDPR, has the right to obtain from the data controller the erasure of the data when:

  • The personal data are no longer necessary for the purposes for which they were collected.
  • The data subject withdraws the consent on which the processing is based.
  • The data subject objects to such processing and there are no other grounds for the processing.
  • The data have been processed unlawfully.
  • The data must be deleted in order to comply with a legal obligation.
  • The data have been obtained in connection with the provision of information society services in accordance with the provisions of the GDPR.

However, this is currently not possible in this type of technology, which can lead to problems and conflicts between blockchain and data protection.

Possible solutions to the right to be forgotten

Solutions to the impossibility of exercising this right that could be applied could be a deletion of existing credentials as well as passwords, making it inaccessible to anyone.

This is complicated and does not offer full guarantees, as it is difficult to ensure that they will not be available to anyone or that a brute force attack (a procedure to recover keys by trying all possible combinations) will not occur.

It would also be possible to obtain consensus among all blockchain administrators by agreeing on a set of rules with editing commands.

Absence of a data controller

As previously mentioned, it is difficult in these cases to determine the controller as it is a decentralised network and the information is not processed from any central body.

That is why this point complicates the exercise of users’ rights under the GDPR itself.

Impact with the Internet of Things (IoT)

In the case of the Internet of Things or IoT, the main lines that have been developed and will continue to be developed are those referring to the possibility of integrating systems to achieve automation of production lines, application to storage or product distribution systems. It can also be applied to homes or community systems, and this is where it can be further developed to help a large number of people.

In short, blockchain technology has great potential and a promising future.

At Letslaw we have a team of professionals specialised in digital law and new technologies.