2 min Reading time

Blockchain and the right to be forgotten

Is the blockchain and EU privacy laws a bad marriage? One might think so. Isn’t the EU privacy law all about the right to be forgotten? To be erased from a system one wants to break free from? And isn’t it impossible to be forgotten once your data are on a blockchain? And therefore, isn’t the blockchain in this respect always totally incompatible with the EU law?

The short answer is no.

The right to be forgotten isn’t an absolute right. Relevant here is that a person has the right to be forgotten and the data must be deleted only in the event that keeping those data doesn’t serve the purpose for which they were stored. Data integrity, the very reason blockchain has come into existence, is such a purpose and therefore one could argue that storing is necessary to serve that purpose.

Does that mean that anything goes on the blockchain? That the integrity of the chain always supersedes the right to be forgotten?

The short answer is no again.

The EU law is all about data minimalization. The right to be forgotten is in its essence a species of the general rule that one should use as little personal data as possible. One should further have a ground on which one may process such data. In this case such ground must be legitimate interest of the controller. Such interest however needs always to be balanced against the right to privacy of the people concerned. If one stores too much data on the blockchain this will be against the EU law because, basically, both criteria are not met any more: no data minimalization and no ground anymore.

Therefore App developers and the blockchain provider should always abide by a few essential rules:

  1. don’t store the data on chain but only the hash (zero-knowledge proof);
  2. store as little data on the blockchain as possible;
  3. don’t store data that directly identify a person (such as personal identification numbers, pictures);
  4. ensure that the data stored can be separated from the person (authentication offline).

Should App developers follow these rules, blockchain could even enhance data protection. Should they not, chances are that EU bodies will move against them which could endanger the entire chain. Please note that the right to be forgotten is just one of the rights a data subject has. Further: being and remaining compliant demand more than just being able to grant these rights. However, given the natural tensions between the blockchain and the right to be forgotten I thought it wise to clarify this issue first.

Looking forward to your comments!

18 May 2018 - Blockchain and law

Over Jetse Sprey

Jetse Sprey advocaat

Hij vindt oplossingen in plaats van problemen en is telkens weer in staat om impasses te doorbreken. Hij zegt wat hij ergens van vindt en niet wat hij denkt dat zijn cliënten willen horen.

Hij schrijft scherpe contracten die goed te lezen zijn. Hij heeft veel ervaring met Blockchain en onderneemt daar zelf in. Hij schrijft processtukken en adviezen die overtuigen. Hij weet veel van intellectueel eigendom, privacy en ondernemingsrecht.

More about Jetse Sprey