2 min Reading time

Blockchain and the right to be forgotten

Is the blockchain and EU privacy laws a bad marriage? One might think so. Isn’t the EU privacy law all about the right to be forgotten? To be erased from a system one wants to break free from? And isn’t it impossible to be forgotten once your data are on a blockchain? And therefore, isn’t the blockchain in this respect always totally incompatible with the EU law?

The short answer is no.

The right to be forgotten isn’t an absolute right. Relevant here is that a person has the right to be forgotten and the data must be deleted only in the event that keeping those data doesn’t serve the purpose for which they were stored. Data integrity, the very reason blockchain has come into existence, is such a purpose and therefore one could argue that storing is necessary to serve that purpose.

Does that mean that anything goes on the blockchain? That the integrity of the chain always supersedes the right to be forgotten?

The short answer is no again.

The EU law is all about data minimalization. The right to be forgotten is in its essence a species of the general rule that one should use as little personal data as possible. One should further have a ground on which one may process such data. In this case such ground must be legitimate interest of the controller. Such interest however needs always to be balanced against the right to privacy of the people concerned. If one stores too much data on the blockchain this will be against the EU law because, basically, both criteria are not met any more: no data minimalization and no ground anymore.

Therefore App developers and the blockchain provider should always abide by a few essential rules:

  1. don’t store the data on chain but only the hash (zero-knowledge proof);
  2. store as little data on the blockchain as possible;
  3. don’t store data that directly identify a person (such as personal identification numbers, pictures);
  4. ensure that the data stored can be separated from the person (authentication offline).

Should App developers follow these rules, blockchain could even enhance data protection. Should they not, chances are that EU bodies will move against them which could endanger the entire chain. Please note that the right to be forgotten is just one of the rights a data subject has. Further: being and remaining compliant demand more than just being able to grant these rights. However, given the natural tensions between the blockchain and the right to be forgotten I thought it wise to clarify this issue first.

Looking forward to your comments!

18 五月 2018 - Blockchain and law

About Jetse Sprey

Jetse Sprey advocaat

相对于找出问题,Jetse善于找出解决方案,并且总能一次次打破僵局。他擅长撰写清晰易读的合同和其他文件,并且在技术领域拥有丰富的经验,特别是区块链、信息通信技术(ICT)和多元治理方面。他本人就是一名区块链企业家,所以深谙国际化和文化多样化环境中做生意的门路。

More about Jetse Sprey