How does the EU’s GDPR apply to hashed data on the blockchain?

By Legal Blockchain. Published in Blockchain for Law, Jan 27, 2018.

Despite blockchain’s superior technical capacity for data privacy and security, lack of control over personal data is a major issue for the many companies subject to the European Union’s new digital data privacy law — the General Data Protection Regulation (GDPR) — which comes into effect May 2018.

In May 2015, the European Commission published its Digital Single Market strategy, designed to produce a seamless commercial market across national borders to improve online access to goods and services, set a level playing field for competing firms, and spur economic growth. As part of this regulatory harmonization, the EU adopted the GDPR to facilitate net neutrality, cloud computing, access to big data and protection of citizens’ personal data.

Enter blockchain, dubbed “data protection by design and default,” in which data is either encrypted two-way, so that it is unreadable without a private key, or “hashed” in one direction. Blockchain hashing is very important for commercial functions like automated cross-border authentication of documents that do not contain personally identifiable information. But what happens when personal data is being processed in a blockchain?

The GDPR does not apply to anonymized data that cannot be traced back to an individual person. But hashing of personal data such as an ID card or medical record accomplishes only pseudonymisation, not anonymisation. GDPR protects pseudonymised data because of the “linkability” of an unreadable hash. Encrypted personal data might also be protected by the GDPR. Re-use of public keys, which were designed to identify a corporate entity in a blockchain transaction, could in other circumstances identify a private individual party to a transaction.
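The distinction above, as an added example that is not part of the original article: a hashed ID number still links one person's records together and can be attributed by anyone who holds the matching identifiers off-chain. The ID numbers, names, key and function names are constructed for illustration, and the keyed-hash contrast is an addition not discussed in the article.

```python
import hashlib
import hmac

def plain_hash(id_number: str) -> str:
    """One-way SHA-256 of an identifier, as it might be written to a ledger."""
    return hashlib.sha256(id_number.encode("utf-8")).hexdigest()

def keyed_hash(id_number: str, key: bytes) -> str:
    """HMAC-SHA-256: recomputable only by whoever holds the secret key."""
    return hmac.new(key, id_number.encode("utf-8"), hashlib.sha256).hexdigest()

def link(ledger):
    """Group transaction numbers by hash value; no identity is needed to do this."""
    groups = {}
    for tx, digest in ledger:
        groups.setdefault(digest, []).append(tx)
    return [txs for txs in groups.values() if len(txs) > 1]

def attribute(ledger, register, hash_fn=plain_hash):
    """Match ledger hashes against a register of {id_number: name} held off-chain."""
    lookup = {hash_fn(id_number): name for id_number, name in register.items()}
    return {tx: lookup[digest] for tx, digest in ledger if digest in lookup}

# Constructed sample data: ID numbers, names and key are invented for illustration.
REGISTER = {"ID-04217": "Person A", "ID-93310": "Person B"}
KEY = b"constructed-demo-key"
ENTRIES = [(1, "ID-04217"), (2, "ID-93310"), (3, "ID-04217")]
PLAIN_LEDGER = [(tx, plain_hash(i)) for tx, i in ENTRIES]
KEYED_LEDGER = [(tx, keyed_hash(i, KEY)) for tx, i in ENTRIES]

if __name__ == "__main__":
    # Plain hash: records of one person are linkable and attributable.
    print("linked (plain):", link(PLAIN_LEDGER))
    print("attributed with register:", attribute(PLAIN_LEDGER, REGISTER))
    # Keyed hash: still linkable, but not attributable without the key.
    print("linked (keyed):", link(KEYED_LEDGER))
    print("attributed without key:", attribute(KEYED_LEDGER, REGISTER))
```

The keyed variant stops attribution by a party that lacks the key, but the records remain linkable and the key holder can still attribute them, so it is pseudonymisation as well.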

Blockchain is a distributed ledger technology: transactions are permanently recorded in multiple nodes globally, and data is immutable and cannot be compromised or deleted. Blockchains maximize transparency through public verification, thereby reducing vulnerability to fraud and cyberattacks. Financial applications such as cryptocurrencies transfer assets such as bitcoins directly peer to peer without a central intermediary, such as a bank. This makes it difficult to identify a responsible “data controller” in a non-permissioned system, much less hold them legally accountable.

Continue reading on LegalConsortium.org.

The Global Legal Blockchain Consortium. Building the next generation infrastructure for law. Privacy. Security. Data integrity. Interoperability. #blockchain