Blockchain and Data Protection in Germany
Decentralized blockchain vs. centralized data protection
Blockchain technology is considered to be one of the greatest and most promising innovations of recent years. Thanks to its decentralized, unalterable, and transparent nature, it can provide a high degree of security to users. The technology offers countless business opportunities.
But is the European General Data Protection Regulation (GDPR) already thwarting the rapid development of blockchain technology even before it can reach its full potential?
For some time, many experts have debated whether and how, if at all, blockchain technology may be used in Europe in compliance with data protection regulations. The reason: because the GDPR pursues a centralized data processing concept, it seems to contradict the decentralized nature of blockchain technology.
Blockchains use personal data
Various data qualify as personal data within the meaning of the GDPR. Typically, the data stored on blockchains also include personal data. These data are at the heart of the protection provided by the GDPR.
Article 4 no. 1 of the GDPR defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
A blockchain does not store data falling within the scope of this definition. But it keeps a record of a hash which is visible to all users. This hash marks a transaction and refers to the associated data record.
While it is contentious whether a single hash falls within the definition of “personal data”, several connected hashes can undoubtedly be used to make a natural person identifiable. As a result, blockchain technology falls into the GDPR’s scope of application.
Right to erasure and the blockchain
Application of the GDPR to blockchain technology gives rise to a number of additional legal issues, which developers will have to deal with in the future.
- How to make sure that a blockchain guarantees the right to rectification, pursuant to art. 16 GDPR, in the best possible way?
- How to make sure that a blockchain guarantees the right to erasure, pursuant to art. 17 GDPR, in compliance with laws and regulations?
- How to achieve the required security within a blockchain by technical and organizational measures?
- Does using a blockchain automatically mean you are a “controller” as defined in art. 4 no. 7 of the GDPR?
- What do developers of Smart Contracts have to observe in this context?
- How do you deal with the fact that data transfers outside the EU cannot be excluded in a public blockchain scenario?
Your attorney for data protection on blockchains
Our attorneys specializing in blockchain and data protection law will be pleased to answer these questions individually for your project. We develop a legally watertight data protection concept for your blockchain idea and provide support in all aspects of data protection. Your contact person for questions relating to data protection on blockchains is Attorney Olga Stepanova. The easiest way to reach us is via e-mail (firstname.lastname@example.org) or, if you prefer, by phone (+49 (0) 69 76 75 77 80). Please do not hesitate to contact us with your questions.