Blockchain-based DLTs and articles 16 and 17 of the GDPR : a study

Abstract

When Satoshi Nakamoto launched the first implementation of Distributed Ledger Technology on 9 January 2009 to serve as the infrastructure for the peer-to-peer electronic cash system that he had proposed a few months earlier, he did not foresee the hornet’s nest that he had kicked over. While Bitcoin is perceived primarily as a challenge to prevailing monetary policy, the subsequent adoption of the underlying DLT infrastructure for a host of other purposes brought the properties of this infrastructure, including distribution and immutability, into conflict with a number of other policies, including those governing data protection. Meanwhile, during the years of Bitcoin’s infancy, the EU, acutely aware of the implications for fundamental rights of contemporary technology, had been updating its data protection framework leading to the adoption of the General Data Protection Regulation on 14 April 2016. At first glance, DLT and the GDPR are fundamentally incompatible on two main grounds, the issue of identifying a controller, and compliance with Article 16, the right to rectification, and Article 17, the right to erasure. However, DLTs come in two main types - permissioned and permissionless. Permissioned DLTs do not have significant problems in complying with Articles 16 and 17 since their governance model makes it possible to implement technologies that permit their ledger to be changed as required to comply with the law. Permissionless DLTs however will find it very difficult to achieve the network consensus to effect changes required by the law. Nonetheless, it is not impossible to do so if there is majority consensus for such change. Ultimately, the designation of a controller on a DLT is what makes it possible to achieve or co-ordinate the consensus required to comply with the law.