Nowadays, Distributed Ledger Technologies (DLTs) are being used in more and more contexts, from cryptocurrencies to non-fungible tokens and supply chains. Therefore, it is extremely important that we are aware of the legal challenges they raise and that we work towards solving or, at least, mitigating them. This article will focus particularly on the interplay between blockchain technologies and the right to be forgotten.
What is a DLT?
DLTs consist of systems that store data in a similar way to traditional databases. However, unlike those, they are consensually synchronized and accessible across different sites and geographies by multiple participants, representing a breakthrough. Its decentralized nature eliminates the need for a centralised authority tasked to ensure that there was no data manipulation, replacing the role of that authority with the existence of a peer-to-peer network.
One of the key features of DLTs is their immutability since they are designed to keep the data unchangeable once inserted into the system. Giving every participant a copy of the ledger guarantees data integrity and generates trust in the network.
The right to erasure established in the GDPR
The question now is to understand how these systems can comply with the GDPR’s right to erasure (or right to be forgotten) since “GDPR aims to regulate the world of centralised data control, whereas the aim of blockchain is to challenge it”.
The right to erasure is both a qualified and a limited right:
1. On one hand, it enables the data subject to ask the data controller for the erasure of their personal data, if one of the conditions listed in Article 17(1) applies;
2. On the other hand, however, it should be balanced against the considerations in Articles 17(2) and 17(3), which to some extent restrict its scope of application.
Given that “in a blockchain environment, erasure is technically impossible because the system is designed to prevent it”, how can a data subject exercise their right to erasure?
1. Do DLTs actually deal with personal data?
DLTs may indeed process personal data, even if we are referring to encrypted personal data. Even in that case, if enough effort is put into it by experts or if someone holds the key to decryption, we will probably still be able to trace the data back to the individual. That is the reason why “encrypted data will often qualify as personal data and not as anonymous data”. However, this has been a long debated.
Two types of personal data can be at stake: participants’ and miners’ identifiers and additional data contained within a transaction.
2. The uncertain definition of the terminology of “erasure” in Article 17 GDPR
Neither GDPR nor its recitals define the concept of erasure. Therefore, it is difficult to assess whether erasing data from a blockchain is even necessary since we do not know exactly how this concept should be interpreted.
Some entities such as the Austrian Data Protection Authority and the UK Information Commissioner’s Office claim that it does not necessarily demand the outright destruction of data and several regulators have already agreed, defending that there may be other alternatives to that.
The need for a case-to-case analysis
Considering the privacy by design principle, the French Data Protection Authority (CNIL) states that it is extremely important to assess, from a very early stage, whether blockchain or DLTs, in general, are the most suitable solution for the processing activity in question.
The data controller shall start by evaluating necessity and proportionality since its usage can be a source of difficulties in terms of compliance with the obligations set out by the GDPR. One problem that may raise concerns is the international transfers of personal data, particularly in the case of public blockchains, since the data controller has no real control over the location of the participants.
In fact, as the European Union Blockchain Observatory and Forum (EUBOF) highlights, “GDPR compliance is not about the technology, it is about how the technology is used”. This means compatibility cannot be discussed at an abstract level. Instead, a tailored analysis of the technology application should be carried out. Aspects such as what personal data is processed on the blockchain and who the data controller is must be considered.
Blockchain is not necessarily the most suitable technology for all data processing and data controllers should have no problem accepting that and using other mechanisms instead, when necessary.
Are there any solutions?
After concluding that a blockchain system is indeed the best approach in a particular case, it is time to look at possible ways to comply with the requirements imposed by the GDPR.
From a technical point of view, there are cryptographic solutions that can be used to record data. Even if there is not a complete erasure stricto sensu, this enables the data subject to move closer to an effective exercise of their rights, by blocking access to data depending on the format chosen. Mechanisms such as commitment schemes, encryption and fingerprints must be considered, meaning that storing data in cleartext cannot be an option anymore.
There are also midterm solutions like the Enigma system, which is based on the concept of Secure Multi-Party Computation (SMPC) combined with blockchain since it computes functions together without leaking information to other nodes. This means no single party has ever access to data in its entirety but has instead a meaningless piece of it. This solution is commonly mentioned concerning smart contracts.
As last resort, one could also follow a more moderate option by storing personal data off-chain and having in the chain only a hash linked to an encrypted database where full data is stored – a technique called “Hashing-Out”. From a legal perspective, it would make the whole process much easier, given that data would be stored by an identifiable data controller. However, in a way, this would also go against the decentralisation principle of blockchains, since “a certain degree of control on data remains in the hands of a single centralised party”.
In conclusion, one should not argue that blockchain technologies are inherently incompatible with the GDPR. Instead, we should look at this topic with precaution and look for technical solutions that can reconcile DLTs and the right to erasure.
At this point, we should call for a strong and harmonised approach at the European level that specifically clarifies the concept of erasure and determines whether any of the existing processes may be used to achieve erasure under Article 17 GDPR. For the enthusiasts of DLTs, not all hope is lost: we still can and should work towards a compatibility answer that allows us to reap their full benefits, as long as we are aware that there is no perfect one-size-fits-all solution.
 Since the article focuses on a common characteristic – immutability – we will be using the terms Distributed Ledger Technologies and Blockchain indistinctly, even though they do not have the exact same definition.
 Horst Treiblmaier and Trevor Clohessy, Blockchain and Distributed Ledger Technology Use Cases: Applications and Lessons Learned (Springer Nature 2020) 137