A study conducted by the European Parliamentary Research Service concluded that there are many points of tension between blockchains and data protection laws, in this case the European Union’s General Data Protection Regulation (GDPR). These tensions essentially stem from two macro factors: the decentralization and the immutability of this technology.
First, GDPR assumes that there is always a person or entity, the data controller, related to personal data. However, most blockchains are characterized by decentralization. As a result, attributing responsibilities is costly and complex.
Secondly, GDPR assumes that data can be modified and erased when needed. However, as we know, blockchains are immutable records and therefore humanly impossible to erase and modify. In fact, that is what guarantees their integrity.
Therefore, private, permissioned blockchains can fulfill GDPR requirements more easily than permissionless ones. Consequently, the compatibility of blockchains with data protection laws can only be evaluated on a case-by-case basis, the study points out.
The study also points out that many of the uncertainties brought by GDPR are not directly related to the context of blockchains. There are a number of conceptual uncertainties in the regulation that concern both blockchain and other technologies. Examples include the concept of what counts as anonymous data, the definition of the data controller, and the meaning of data erasure.
On the other hand, the study found that blockchains can bring benefits from the perspective of protecting personal data. But to do so, they have to be designed with the protection of personal data as a goal. In this way, they can offer new forms of data management that will benefit a data-based economy.
Based on these observations, the study formulated three recommendations. First, providing additional regulatory guidance on the interpretation of certain elements of GDPR when applied to blockchains. Secondly, creating codes of conduct and certification mechanisms. And thirdly, conducting research to determine how the technical design and governance of blockchains can be adapted to the requirements of GDPR.
Several countries, including Brazil, have personal data protection laws. It is therefore important to watch how the compatibility between blockchains and the European data protection regulation will be assessed. The result can be a benchmark for the rest of the world.