If you are on instagram, chances are you have seen your favourite artists start selling their pieces as NFTs. If you read the newspaper, you will have read about the first tweet selling for millions. If you are more of a long-read article enthusiast, you may have read about the environmental impact associated with NFTs. The point is, where we described the trend around NFTs as fairly inconspicuous in our first blog, the topic is ubiquitous nowadays. With this surge in popularity, myriad questions arise, especially since the NFTs do not fit neatly into existing regulatory frameworks and neither does the blockchain they live on. We have already addressed some of these questions. In our first blog, we explain what NFTs are and what you can do with them. In a second, we delve into the ownership rights. Now, we tackle a third topic: privacy and data protection. As NFTs are stored on the blockchain, the information recorded is immutable. Is this compatible with the GDPR? What are the challenges that NFTs face in terms of data protection laws?
Previously, in this season of NFTs: non-fungible tokens are essentially positions on the blockchain connected to objects. They are – for the most part – metadata files which are encoded using a digital file. They are not the digital works they are connected to. I.e., when you purchase an NFT from an artist you like, you do not own the actual image. Hypothetically, the artist could create many more NFTs of the same image, if they wish. The metadata files contain information about the work it is connected to, and whatever additional info the creator of the NFT wishes. You can regard this as a type of receipt, collectible, authenticity certificate or museum label: a numbered or sometimes unique proprietary stamp. This data is then made permanent and unalterable by recording it on the blockchain. If an NFT changes accounts, this too, is recorded on the blockchain.
Herein may lie some issues considering the GDPR. Consider, for example, the (in)famous ‘right to be forgotten’ of article 17 “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
At first glance the right to be forgotten seems to be fully incompatible with blockchain. However, the right to be forgotten is not an absolute right. Would that have been the case, that would have meant the end of all blockchains storing personal data which is the vast majority of them. Though there is some debate as to whether an account name is considered to be personal data, because it may be hard or seemingly impossible to identify an individual with it, it should be considered as such. Not only out of precaution, but also because many will be identifiable (think ‘B_Obama61’ or other accounts that are either published, are KYCd even, or can be connected to an individual through combining data), which means that under the GDPR, all of them have to be considered as such. So, yes, there is more often than not personal data stored on the blockchain.
The right to be forgotten takes the purpose of processing into account: if the personal data is no longer needed such data must be deleted following a request to be forgotten. So are the personal data needed for the purposes they have been stored or used on the blockchain? In case of a blockchain transaction (and thus an NFT transaction) public keys, account names and transaction details need to be stored, among other things. Then, the GDPR lists six legal grounds for data processing and therefore storing on the blockchain in article 6. These are: consent, execution of a contract, legal obligation, protection of vital interests, carrying out a public task and legitimate interest. Consent and the execution of a contract are tricky because they are generally not eternal or immutable whereas blockchain is. That is, consent can be withdrawn and the current view on agreements is that they cannot be eternal. However, if one clause (regarding the immutability) could live on, then this ground may be applicable. Of the remaining legal grounds, only legitimate interest will currently be relevant for longtime storage (though this may change in the future, if for example governmental agencies start using blockchain). This is important since the right to be forgotten applies when processing does not have a legal ground anymore.
For NFTs, there are legitimate interests to be considered. The continuation of blockchain, which is based on immutability and provides innovative and important digital infrastructure to society; the creation of a novel market for artists to be able to function and profit in digital society; possibly the recording of historic details and important information if the NFT is connected to a real-life object, such as a vintage watch or a property. These interests of great importance which will vary on a case-to-case basis, but will always include the immutability of blockchain itself, will have to be weighed against the data subject’s interest in rectification or erasure. Here, the type of information that the data subject wishes to change or remove (which can be transaction details, user names, hashes, etc.) will also have to be considered. Mind here that other users will also be impacted by a single data subject’s request for either such action, as it will require a drastic measure (hard fork), if it is even possible. Their interests, too, should be taken into account.
Article 17(1)(a) further states that the right to be forgotten applies where: ‘the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed’, but in the case of blockchain, immutability is one of its purposes. If there is an NFT, there will be blockchain. If there is blockchain, there has to be immutability. If there is immutability, it is impossible that the personal data are no longer necessary in relation to the purpose, because then they would be mutable.
Though we do not yet know what the outcome of all of these balancing acts will be, it is unlikely that a single data subject’s interest will override the interests of blockchain, its users and the NFT community as a whole. I have written a more in-depth overview on blockchain and GDPR compliance for Europechain, which you can read here.