Are the blockchain and EU privacy law a bad marriage? One might think so. Isn’t the EU privacy law all about the right to be forgotten? To be erased from a system one wants to break free from? And isn’t it impossible to be forgotten once your data are on a blockchain? And therefore, isn’t the blockchain in this respect always totally incompatible with EU law?
The short answer is no.
The right to be forgotten isn’t an absolute right. What matters here is that a person has the right to be forgotten, and the data must be deleted, only where keeping those data no longer serves the purpose for which they were stored. Data integrity, the very reason blockchain came into existence, is such a purpose, and therefore one could argue that keeping the data stored is necessary to serve that purpose.
Does that mean that anything goes on the blockchain? That the integrity of the chain always supersedes the right to be forgotten?
The short answer is no again.
The EU law is all about data minimisation. The right to be forgotten is in essence a species of the general rule that one should use as little personal data as possible. One must further have a legal ground on which one may process such data; in this case that ground must be the legitimate interest of the controller. Such an interest always needs to be balanced against the right to privacy of the people concerned. If one stores too much data on the blockchain, this will be against EU law because, basically, neither criterion is met any more: there is no data minimisation and no longer a ground.
Therefore app developers and the blockchain provider should always abide by a few essential rules:
- don’t store the data on chain, only a hash of them (zero-knowledge proof);
- store as little data on the blockchain as possible;
- don’t store data that directly identify a person (such as personal identification numbers or pictures);
- ensure that the stored data can be separated from the person (authentication offline).
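To make the first and last of these rules concrete, here is an added example (my own illustration, not code from the original post or from any particular blockchain project). It keeps only a salted SHA-256 commitment on chain, holds the salt and the personal data in a separate off-chain store, and shows that deleting the off-chain record is what turns the on-chain value into an unlinkable string. Strictly speaking this is a hash commitment rather than a full zero-knowledge proof, but it is what the "hash only" rule amounts to in practice. The last function makes the caveat a data-protection officer would raise: an unsalted hash of a low-entropy identifier can be matched against a known list of candidates, so it is still personal data. All names, the in-memory store and the sample identifiers are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class OffChainRecord:
    """Personal data plus the random salt; this never goes on chain."""
    salt: bytes
    data: bytes


def commit(data: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, OffChainRecord]:
    """Return (on-chain commitment, off-chain record).

    The commitment is SHA-256(salt || data) with a 32-byte random salt, so the
    chain only ever sees a value that cannot be linked back to the data
    without the off-chain salt.
    """
    if salt is None:
        salt = secrets.token_bytes(32)
    digest = hashlib.sha256(salt + data).digest()
    return digest, OffChainRecord(salt=salt, data=data)


def verify(commitment: bytes, record: OffChainRecord) -> bool:
    """Check that an off-chain record matches the immutable on-chain commitment."""
    recomputed = hashlib.sha256(record.salt + record.data).digest()
    return secrets.compare_digest(recomputed, commitment)


class OffChainStore:
    """Hypothetical erasable store, keyed by commitment (a dict stands in for a database)."""

    def __init__(self) -> None:
        self._records: Dict[bytes, OffChainRecord] = {}

    def put(self, commitment: bytes, record: OffChainRecord) -> None:
        self._records[commitment] = record

    def get(self, commitment: bytes) -> Optional[OffChainRecord]:
        return self._records.get(commitment)

    def erase(self, commitment: bytes) -> bool:
        """Honour an erasure request: drop salt and data; the chain is untouched."""
        return self._records.pop(commitment, None) is not None


def link_unsalted_hash(on_chain_value: bytes, known_identifiers: Iterable[bytes]) -> Optional[bytes]:
    """Re-identification check for the 'hash only, no salt' anti-pattern.

    If the chain stores a bare SHA-256 of an identifier, anyone holding a list
    of plausible identifiers can recompute and match it. Returns the matching
    identifier if the value is linkable, else None.
    """
    for candidate in known_identifiers:
        if hashlib.sha256(candidate).digest() == on_chain_value:
            return candidate
    return None


def lifecycle_demo() -> dict:
    """Walk through commit -> verify -> erase and return what each step observed."""
    store = OffChainStore()
    personal_data = b"citizen-id:123456789"  # constructed sample identifier
    on_chain, record = commit(personal_data)
    store.put(on_chain, record)

    verified_before = verify(on_chain, store.get(on_chain))
    erased = store.erase(on_chain)
    # After erasure the chain still holds `on_chain`, but nothing links it to a person.
    record_after = store.get(on_chain)

    # The anti-pattern: bare hash of the same identifier, matched against a short list.
    bare_hash = hashlib.sha256(personal_data).digest()
    candidates = [b"citizen-id:%09d" % n for n in range(123456780, 123456800)]  # constructed
    linked = link_unsalted_hash(bare_hash, candidates)
    # The salted commitment does not match any bare-hash candidate.
    salted_linked = link_unsalted_hash(on_chain, candidates)

    return {
        "verified_before_erasure": verified_before,
        "erased": erased,
        "record_after_erasure": record_after,
        "bare_hash_linked_to": linked,
        "salted_commitment_linked_to": salted_linked,
    }


if __name__ == "__main__":
    for key, value in lifecycle_demo().items():
        print(f"{key}: {value!r}")
```

The design point is that the immutable part (the commitment) carries no meaning on its own; the erasable part (salt plus data) is where the right to be forgotten is exercised. Dropping the salt is essential: without it, the on-chain value of a structured identifier is only as secret as the identifier space is large.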
Should app developers follow these rules, blockchain could even enhance data protection. Should they not, chances are that EU bodies will move against them, which could endanger the entire chain. Please note that the right to be forgotten is just one of the rights a data subject has. Further, being and remaining compliant demands more than just being able to grant these rights. However, given the natural tension between the blockchain and the right to be forgotten, I thought it wise to clarify this issue first.
Looking forward to your comments!