Forget erasure: why blockchain is really incompatible with the GDPR

Elizabeth M. Renieris
Berkman Klein Center Collection
Sep 23, 2019

Whether blockchain-based projects can comply with the GDPR is a question of much debate and controversy at present. Many projects make bold claims that they are “GDPR compliant” or that the GDPR does not apply in the first place because they “don’t put personal data on the ledger.” At the same time, these projects often use the pseudonymous identifiers of individuals to write transactions to the ledger. Such pseudonymous identifiers are personal data,¹ so those claims are questionable.

Other projects claim to be compliant on the basis that they have solved the question of erasure, i.e. how to give effect to the data subject’s “right to be forgotten” in the context of an immutable, append-only ledger. This narrow focus on erasure loses sight of other core GDPR challenges in respect of distributed ledgers, including how to identify the relevant data controller(s) and processor(s) in a network, how to (reversibly) restrict processing, how to explain and honor objections to automated processing, and how to achieve compliant cross-border data transfers, among others.

Moreover, participants tend to dive head first into debating technical and nuanced details about the implementation of specific features or functionality in a given network, often losing sight of the bigger picture. In this way, solving one…

Elizabeth M. Renieris

Founder @ hackylawyer | Fellow @ Berkman Klein Center for Internet & Society | Fellow @ Carr Center at Harvard | CIPP/E, CIPP/US | Privacy, Identity, Blockchain