Data Protection in the Blockchain Environment: GDPR is not a Hurdle to Permissionless DLT Solutions
Ciberspazio e diritto, vol. 19, n. 61 (3 - 2018), pp. 457-20
13 Pages. Posted: 17 May 2019. Last revised: 9 Aug 2019
Date Written: May 1, 2018
Abstract
Public keys and hashes are the two fundamental cryptographic solutions commonly used to develop blockchain networks. They are considered almost unanimously to be pseudonymous data, that is, personal data concealed behind an alphanumeric string that, in combination with additional information, can nevertheless be linked to a specific individual. If this were true, the development of blockchain technology would be hindered by the need to comply with the GDPR. In this paper, I hold that the definition of personal data, albeit in the form of pseudonymous data, set forth in Directive 95/46/EC and today in the GDPR (taking into account the CJEU interpretation and the Article 29 Working Party opinion) does not apply to either the public keys or the hashes as they are used in a blockchain. Indeed, they are not used for concealing identities but rather to solve a technical problem (the so-called double spending problem), creating trust in a peer-to-peer network. Hence, although they could be (and sometimes are) used to carry out advanced digital forensic searches to track down the identity of the private key holders, they are not actually designed to conduct or allow for such searches and, consequently, they should be considered neither personal nor pseudonymous data.
Keywords: blockchain, permissionless, GDPR, hash, DLT, personal data, pseudonymous data