Right to erasure: EU data protection experts lay down rules for blockchain use
The European Data Protection Board has adopted guidelines on the processing of personal data by blockchains, including cryptocurrencies.
"The distributed nature of blockchain and the associated complex mathematical concepts entail a high degree of complexity and uncertainty," explains the European Data Protection Board (EDPB) in its recently published guidelines on the use of decentralized database technology. "In principle, the storage of personal data in a blockchain should be avoided if it conflicts with data protection principles."
Blockchains are designed to ensure the integrity of data and its traceability. Retroactively correcting errors or deleting data is not provided for, because conceptually only new information can be added. In order to ensure that blockchain use complies with the General Data Protection Regulation (GDPR), controllers must "carefully assess the risks to the rights and freedoms of data subjects".
In its document, the EDPB clarifies that the roles and responsibilities for processing personal information with blockchain should already be defined in the design phase. Furthermore, organizations must carry out a data protection impact assessment in advance if blockchain use is "likely to result in a high risk to the rights and freedoms of natural persons".
Problems with the right to be forgotten
According to the association of data protection authorities of the EU member states, blockchain operators should "ensure the greatest possible protection of personal data during processing so that it is not made accessible to an indefinite number of people by default". Data protection must be integrated directly into the technology from the outset (privacy by design).
This includes the implementation of principles such as storage limitation and data minimization. In addition, data subjects' rights, such as the rights to rectification, to erasure and to be forgotten, must be observed. Therefore, the controller must carefully examine every blockchain solution envisaged.
Blockchain data only in anonymous form
Legal experts such as Malte Engeler have already pointed out that the right to be forgotten is not feasible with blockchains. The EDPB explains: "Since the entire blockchain or the information stored in it may not be easily deleted, data controllers should consider this requirement as early as the design phase." They must ensure "that all personal data stored in the blockchain can be effectively anonymized in the event of a deletion request or objection". This presupposes that the relevant stored transaction data does not allow the direct identification of data subjects.
All additional off-chain information that enables indirect identification by appropriate means would then have to be deleted. In view of the associated implementation difficulties, the EDPB advises considering instruments other than blockchains where appropriate.
(ds)