The Puzzle of Squaring Blockchain with the General Data Protection Regulation
Jurimetrics Journal, 2020
61 Pages Posted: 22 Jul 2020
Date Written: June 29, 2020
Blockchain is a revolutionary technology that enables the secure recording and storage of transactions without the need for a trusted third-party intermediary. This distributed ledger technology has the potential to mainstream entirely new, decentralized business models where determining the operation of a blockchain-based product or service is decided democratically among the systems users. Because of the way that it works, blockchain presents a significant challenge for the European Union’s General Data Protection Regulation (GDPR). The GDPR is the leading privacy law in the world, serving as a template for privacy laws in many countries and affecting a vast number of multinational organizations. Blockchain, unfortunately, fits rather poorly in the GDPR’s regulatory framework. This is primarily because the legislation makes the assumption that the entities that define the means and purpose of processing users’ personal data, that is, the Data Controllers, are readily identifiable and remain constant. In blockchains with decentralized data governance, where a user’s role can vary over time, this assumption is often false. Several commissions in the European Union have tried to tackle the conundrum of how to fit blockchain into the GDPR’s framework, but the analysis and recommendations of these bodies has failed to adequately resolve the conflicts. This Article is the first to provide an overview of blockchain technology that distinguishes between the variety of centralized and decentralized data governance models. To bring about the truly revolutionary applications of blockchain while ensuring adequate individual personal data protections, this Article proposes that the European Union eliminate untenable GDPR data controller obligations for blockchains with decentralized data governance models.
Keywords: GDPR, blockchain, bitcoin, distributed ledger technology, information privacy law, cryptocurrency, data controller, data subject
Suggested Citation: Suggested Citation