Blockchain has become a revolutionary force in the rapidly changing digital
technology ecosystem, with the ability to completely change how we save, share,
and handle data. Concurrently, the General Data Protection Regulation (GDPR),
which places strict guidelines on the processing of personal data, serves as a
pillar in the defence of peoples’ right to privacy. The convergence of these two
powerful forces presents a critical study of how blockchain technology and GDPR
may coexist peacefully, as well as a number of difficult obstacles and
opportunities.

Rise in the blockchain technology and Imperative of General Data protection
Regulation:
Blockchain is a distributed and decentralised ledger technology that is
frequently credited as being the foundation of cryptocurrencies like Bitcoin.
Blockchain was first used as the foundational design for cryptocurrencies, but
it has since expanded its use to encompass a number of sectors. A blockchain is
essentially a series of blocks, each of which has a record of transactions. Its
decentralised structure, made possible by a network of nodes that stores and
verifies information collectively without the aid of a central authority, is
what makes it unique.

The General Data Protection Regulation (GDPR), on the other hand, was
implemented by the European Union (EU) in 2018 as a legal reaction to the
growing concerns about data privacy in the digital age. By offering people
control over their personal data and imposing stringent rules on organisations
that handle it, the GDPR aims to empower individuals. It highlights the
significance of openness and accountability in data processing by introducing
concepts like data minimization, purpose limitation, and the right to erasure. A
wide range of rights for data subjects are also introduced by the GDPR,
including the ability to view, update, and transfer personal data.

It also
requires data controllers and processors to put strong security measures in
place, evaluate the impact of those measures, and notify data breaches as soon
as they occur. The GDPR’s reach extends outside the EU due to its
extraterritorial nature, which requires organisations operating globally to
comply with its principles when managing the data of EU residents.

The Confluence: The Significance of Blockchain-GDPR Intersection
The General Data Protection Regulation (GDPR) and blockchain technology create a
crucial convergence in the age of digitization that requires close scrutiny.
Blockchain, well-known for its transparent and decentralised ledger, brings
about a revolution in data management. Simultaneously, the GDPR, a formidable
legal framework, imposes strict guidelines to safeguard the privacy rights of
individuals. Their intersection has substantial implications for the privacy and
data protection landscape that go beyond academic discourse.

The GDPR’s dedication to giving people control over their data is one of the key
elements emphasising the relevance of this intersection. GDPR promotes the idea
of data minimization, calling for the gathering of only the information required
for certain, legal reasons. This focus is in line with the overarching
objectives of increasing openness, giving people control over their personal
data, and cutting down on pointless data processing.

The immutable nature of blockchain stands out as a crucial feature with broad
consequences. Data becomes impervious to manipulation once it is stored on a
blockchain, guaranteeing a high degree of data security and integrity. However,
this immutability makes it difficult to reconcile with the GDPR’s erasing right.
The junction becomes important because it calls for creative ways to balance the
rights of individuals to have their data destroyed when it is no longer needed
for its intended purpose with the security provided by blockchain.

The decentralised design of blockchain networks challenges the traditional
understanding of data controllership that is outlined in the GDPR. In contrast
to conventional centralised systems, blockchain allocates accountability among
network users. This decentralised approach makes it difficult to identify a
single organisation in charge of data processing, which raises important
questions about GDPR compliance. This difficulty is significant because it calls
for reviewing and modifying regulatory frameworks to take into account the
special characteristics of blockchain networks while maintaining the fundamental
principles of the GDPR.

From a practical standpoint, the intersection is extremely important for sectors
that handle sensitive data. Supply chain management, healthcare, and finance are
just a few of the industries that stand to gain a great deal from the
integration of blockchain applications with GDPR regulations. Blockchain
technology’s security and transparency have the potential to completely
transform these sectors by enabling the development of systems that not only
abide with GDPR laws but also foster stakeholder trust.

Blockchain Technology: Fundamentals and Characteristics:
Originally envisioned as the foundational structure of cryptocurrencies,
blockchain technology has evolved to become a game-changing force across
multiple industries. Fundamentally, a blockchain is a distributed, decentralised
ledger that makes record-keeping safe, open, and impervious to tampering.
Examining the definition and constituents of blockchain reveals that its
distinct attributes have consequences for legal frameworks that oversee data,
transactions, and contracts, in addition to technology.

• Blocks: A blockchain’s blocks are collections of transactions. A block is appended to the chain in a sequential, linear order after it exceeds a predetermined size or time threshold. The integrity of the complete transaction history is guaranteed by this block chaining.
• Decentralised Network: A peer-to-peer network of nodes underpins the blockchain. Every node keeps a copy of the complete blockchain and conducts its own independent transaction validation. Because it is decentralised, security and transparency are improved because no one entity is in charge.
• Consensus Mechanism: To come to a consensus among nodes on the legitimacy of transactions, consensus mechanisms�such as proof-of-work or proof-of-stake�are essential. These procedures help the ledger become more reliable, which is crucial in legal situations where verifiability is crucial.
• Cryptography: To protect transactions and manage network access, blockchain uses cryptographic methods. In order to verify participant identity and guarantee data integrity and secrecy, public and private keys are utilised.

Blockchain and law:
Legal frameworks are significantly impacted by blockchain features, especially in the following areas:

• Legal Agreements and Smart Contracts: Blockchain-enabled smart contracts offer the ability to automate and simplify contractual arrangements. This has implications for contract law because smart contracts’ self-executing nature calls into question established methods of contract enforcement and the function of middlemen.
• Data Security and Privacy: The blockchain’s cryptographic methods improve data security and privacy. Blockchain technology’s data protection features are in line with legal frameworks, especially those governed by rules such as the General Data Protection Regulation (GDPR), which prioritise the reduction of data, accuracy, and security of personal information.
• Regulatory Compliance: Regulatory control is challenged by the decentralised and global nature of blockchain technology. According to Jones (2020), legal frameworks need to change to handle jurisdictional concerns and guarantee adherence to current laws, particularly when it comes to securities and financial activities.
• Immutable record keeping and evidence: The blockchain ledger’s immutability produces a trustworthy, time-stamped record of transactions. This feature has the potential to be a valuable source of evidence in court, influencing the resolution of disputes and the verification of transactions.

General Data Protection Regulation (GDPR)- Fundamentals:

Enacted by the European Union (EU) to improve the protection of peoples’ rights to privacy and the responsible treatment of personal data, the General Data Protection Regulation (GDPR) is a comprehensive legislative framework. With its implementation on May 25, 2018, the GDPR seeks to solve the issues brought about by the rapidly changing digital ecosystem and the growing ubiquity of data-driven technology. The rule provides a strong framework for the processing of personal data by defining its application and establishing precise goals. The GDPR’s main goals and its reach are as follows:

1. Empowerment of Data subjects:
   Objective: By granting people more control over their personal data, the GDPR aims to empower people. It highlights the idea that people have the right to know how their data is processed and to exercise their rights in relation to it.
    
2. Bringing Data Protection Laws into Unison:
   Objective: All member states of the European Union will have uniform data protection legislation thanks to the GDPR. It simplifies the legal environment and guarantees a uniform standard of data protection across the EU by offering a single set of legislation.
    
3. Enhancement of Data Security Protocols:
   Objective: The GDPR requires organisations to put in place the necessary organisational and technical safeguards in order to improve the protection of personal data. This entails encryption, routine risk analyses, and safeguards for data availability, confidentiality, and integrity.
    
4. Enabling the Transfer of Data:
   Objective: By creating a uniform framework for cross-border data transfers, the GDPR seeks to enable the unrestricted flow of personal data across countries. It offers safeguards to guarantee data protection during transfers outside the European Union, including Standard Contractual Clauses and Binding Corporate Rules.
    
5. Governance and Accountability:
   Objective: By compelling organisations to prove that they are in line with its principles, the GDPR highlights the idea of accountability. Adopting privacy-by-design and privacy-by-default guidelines is encouraged, encouraging a proactive approach to data security.
    
6. Higher Penalties for Failure to Comply:
   Objective: Organisations that violate the GDPR’s rules will now be subject to
   much higher fines. As a result, companies are encouraged to take data protection
   seriously and invest in strong data security solutions.

Scope of GDPR:
Geographic Applicability:
Scope: The GDPR covers processing of personal data of people residing in the
European Union, irrespective of the location of the processor or data
controller. This also holds true for non-EU organisations who provide goods or
services to EU citizens or keep an eye on their behaviour.

Relevance to Processors and Controllers of Data:
The GDPR covers data processors (businesses that handle data on behalf of
controllers) as well as data controllers (organisations that choose how and why
to process personal data. According to the rule, controllers and processors
have different duties and responsibilities.Definition of Personal Data:
Scope: Any information pertaining to an identified or identifiable natural
person falls under the purview of the GDPR and is subject to processing. This
broad term covers a lot of territory, from simple identification information to
more sophisticated data like genetic and biometric information.

Cross-Border Operation:
Scope: Personal data processing that includes cross-border data transfers inside
the European Union or the European Economic Area (EEA) is subject to the General
Data Protection Regulation (GDPR). It guarantees an equivalent degree of
protection and offers a framework for the legitimate transfer of data outside
the EU.

Bodies and Public Authorities:
Scope: The GDPR ensures that governmental organisations follow strict data
protection guidelines while processing personal data. It applies to public
authorities and bodies as well.

To navigate the complicated world of data protection and privacy within the
European Union and beyond, organisations and people must have a thorough
understanding of the goals and scope of the GDPR. Respecting the General Data
Protection Regulation (GDPR) protects people’s right to privacy while also
promoting confidence in the ethical management of personal information in the
digital era.

Data Subject rights:
Data subjects are granted a number of special rights under GDPR Articles 15 to
22. It is the duty of data controllers to enable the exercise of these rights;
they are not permitted to assign this responsibility to processors.[1] The
different data subject rights under the GDPR are looked at one by one below. It
will be seen that although some present no unique issues within the framework of
blockchain technology, others give rise to technical and legal issues, the
resolution of which may be influenced by the identity of the data controller and
its authority over blockchain data. Of course, as is always the case, a
case-by-case examination that takes into consideration the unique technological
and contextual circumstances of each personal data processing operation is
necessary in order to fully evaluate the application of these diverse data
subject rights to distributed ledgers.

The right to access:
As stated in GDPR Article 15

1. The data subject has the right to receive confirmation from the controller on whether or not personal data pertaining to them is being processed. If so, they also have the right to view their personal data along with the following details:
   1. the purposes of the processing;
   2. the categories of personal data concerned;
   3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
   4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
   5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
   6. the right to lodge a complaint with a supervisory authority;
   7. where the personal data are not collected from the data subject, any available information as to their source;
   8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. In cases where personal data is transmitted to an international organisation or a third country, the data subject is entitled to know about the relevant measures in accordance with Article 46.
3. A copy of the personal data being processed must be given by the controller. The controller may impose a reasonable fee based on administrative costs for any additional copies that the data subject requests. If the request is made electronically, the information will be sent in a frequently used electronic format unless the data subject requests something else.
4. The right to get a copy mentioned in paragraph 3 will not negatively impact other people’s freedoms and rights.

The prioritisation of the right to access at the beginning of the list of data
subject rights is not a mere coincidence. The recognition of the right to access
should be seen as a fundamental right within the framework of European data
protection legislation, since it facilitates and frequently serves as a
prerequisite for the exercise of all other rights granted to individuals
regarding their personal data. Accessing personal data allows individuals to
gain insight into the specific information that is being handled by the entity
responsible for data processing. This initial step is often essential in order
to exercise any subsequent rights effectively.

For example, the right to access
empowers the individual to verify the potential inaccuracy of personal data, so
potentially motivating them to exercise their right to rectification as outlined
in Article 16 of the General Data Protection Regulation (GDPR). Article 15 of
the General Data Protection Regulation (GDPR) holds substantial importance in
shaping the framework of data protection legislation in Europe. When a data
subject submits a request for access, it is incumbent upon the controller to do
a comprehensive search of all its records, both electronic and paper-based, in
order to furnish the relevant information to the data subject.

Therefore, in
cases where a data controller utilises Distributed Ledger Technology (DLT) to
handle personal data either independently or in conjunction with other methods,
it is necessary for them to investigate if this database includes any
information pertaining to the data subject. In general, there are no inherent
obstacles that would prevent the implementation of Article 15 of the General
Data Protection Regulation (GDPR) in relation to blockchains. However, it is
assumed in this context that there are sufficient governance systems in place
that facilitate efficient exchange and administration of data.

The right to rectification:
According to Article 16 of GDPR
The data subject shall have the right to obtain from the controller without
undue delay the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, the data subject shall have
the right to have incomplete personal data completed, including by means of
providing a supplementary statement[2]

Blockchains are a type of ledger that is intentionally built to make it
extremely difficult to delete or modify data. This design feature is implemented
to ensure the integrity of data and establish confidence within the
network.[3]

This concept inherently creates a conflict with the GDPR’s mandate
for data to be modifiable in order to facilitate its deletion, or, as stipulated
by Article 16 of the GDPR, its correction. Blockchains frequently lack the
capability to facilitate reversibility, as exemplified by scenarios when a
client requests a service provider, who operates on a blockchain, to amend the
information contained within their record.

Private and/or permission less blockchains have the capability to accommodate these requests by modifying the
corresponding transaction record through the re-hashing of following blocks,
which can be facilitated by the specific technical and governance framework in
place.

However, rectifying data on public and/or permission less blockchains
poses significant challenges, as individual players lack the ability to comply
with such demands. This is not due to technical limitations, as each node has
the ability to modify its own local version of the ledger. However, identifying
the specific data to be corrected is challenging, particularly when the relevant
data is encrypted.

Nevertheless, it should be noted that designating all nodes,
miners, and users as data controllers responsible for enforcing data subject
rights may not guarantee adequate safeguards for the protection of data
subjects. This is because, despite the possibility of nodes reaching a consensus
to transition to a new version of the blockchain periodically in response to
requests for data removal, the coordination required for such an action has been
deemed challenging to accomplish among a potentially vast number of nodes.

The provision outlined in Article 16 of the General Data Protection Regulation (GDPR)
specifically allows for the completion of incomplete data through the provision
of a supplementary statement. Implementing changes in distributed ledgers is far
more feasible due to the ability of any authorised entity to append new data to
the ledger, hence rectifying previously recorded information.

For instance, in
cases where a user’s existing records identify their marital status as single,
further information can be appended to a separate data block to signify a change
in status following a recent marriage. However, it is worth considering whether
the inclusion of fresh data on the blockchain will always be an effective method
of fulfilling the underlying purpose of Article 16 of the General Data
Protection Regulation (GDPR).

It is noteworthy to mention that Advocate General Kokott contended in the Nowak case that the evaluation of the right to
correction should be conducted by considering the purpose for which the data was
gathered and processed.[4] In this particular instance, it was contended that
the utilisation of Article 16 of the General Data Protection Regulation (GDPR)
was not applicable for the purpose of seeking the correction of responses in an
examination.

By employing a purposive approach, it becomes apparent that the
inclusion of an additional statement may not always be a sufficient method for
ensuring adherence to the right to rectification. This is particularly true in
situations where there is a compelling argument that the data in question should
not merely be supplemented, but rather completely removed and replaced.

This
circumstance arises, for instance, when a data subject is unable to invoke the
right to erasure due to the absence of any of the grounds outlined in Article
17(1) of the General Data Protection Regulation (GDPR). On the other hand, one
could posit that in cases where Article 17(1) of the General Data Protection
Regulation (GDPR) does not apply, the data subject’s interest in data erasure
may not be deemed significant, and instead, the mere providing of supplementary
information should be deemed satisfactory.

The right to be forgotten(the right to erasure):
In accordance with Article 17 of the General Data Protection Regulation (GDPR),
individuals possess the entitlement to request the deletion of their personal
data from the data controller promptly and without unnecessary delay. The data
controller, in turn, bears the responsibility to promptly erase personal data
when any of the following circumstances are present:

There are several circumstances under which personal data may no longer be
necessary for the purposes for which they were collected or processed. These
include situations where the data subject withdraws their consent, and there is
no other legal basis for the processing. Additionally, if the data subject
objects to the processing and there are no overriding legitimate grounds for it,
or if the data subject objects under specific circumstances, the personal data
may need to be erased.

Furthermore, if the personal data has been processed
unlawfully or if its erasure is required to comply with a legal obligation, it
should be erased. Lastly, if the personal data has been collected in relation to
the provision of information society services, it may also need to be erased.

The controller of personal data is responsible for ensuring that controllers
processing the data are informed of the data subject’s request for erasure. This
includes taking reasonable steps, such as implementing technical measures, to
notify these controllers and ensure the removal of any links to, copies of, or
replications of the personal data in question. The controller should consider
the available technology and the associated costs when determining the
appropriate measures to be taken. Paragraphs 1 and 2 of the aforementioned
provision shall not be applicable in cases where processing of personal data is
deemed necessary for the following reasons:

1. to exercise the right of freedom of expression and information;
2. to comply with a legal obligation that requires processing under Union
   or Member State law, which the controller is subject to, or for the
   performance of a task carried out in the public interest or in the exercise
   of official authority vested in the controller;

The right to erasure, as outlined in the Regulation, plays a significant role in
promoting informational self-determination by granting individuals the ability
to exercise control over personal data that pertains to them, whether directly
or indirectly. According to Article 17 of the General Data Protection Regulation
(GDPR), individuals have the right to request the deletion of their personal
data from the entity responsible for its processing, known as the data
controller, under certain specified circumstances. The right to erase is a right
that is both qualified and limited.

The invocation of this provision is limited
to the conditions specified in Article 17(1) of the General Data Protection
Regulation (GDPR) and must also be weighed against the reasons outlined in
Article 17(2) of the GDPR. Furthermore, the European Court of Justice (ECJ) has
emphasised that the invocation of the right to erasure must not be employed in a
manner that contradicts the underlying intention of this regulation.[5]

The right to erasure, as stipulated in the Regulation, plays a crucial role in
advancing the concept of informational self-determination by granting
individuals the authority to exercise control over personal data that pertains
to them, either directly or indirectly.

According to Article 17 of the General
Data Protection Regulation (GDPR), individuals have the right to request the
deletion of their personal data from the entity responsible for its processing,
known as the data controller, if certain specified conditions are met. The right
to erase is a right that is both qualified and limited. [6]

The invocation of
this provision is contingent upon the requirements outlined in Article 17(1) of
the General Data Protection Regulation (GDPR) and must also be weighed against
the reasons specified in Article 17(2) of the GDPR. Furthermore, the European
Court of Justice (ECJ) has emphasised that the invocation of the right to
erasure must not be used in a way that contradicts the underlying intention of
this Article.

Numerous scholars and experts have underscored the challenges associated with
implementing the right to erasure within the context of blockchain technology.
The act of removing data from distributed ledger technology (DLT) systems can be
arduous due to intentional design features that make it difficult to
unilaterally modify data. This design aims to foster trust within the network by
ensuring the integrity of the data.

For instance, in the case where the
prevailing consensus mechanism employed is proof-of-work, it would be necessary
for the majority of all peer-to-peer connected nodes to revalidate the
authenticity of each affected transaction in a reverse manner. This would
involve dismantling the entire blockchain, block by block, and subsequently
reconstructing it. Each transaction step would need to be disseminated to all
currently active nodes in a block-wise manner.

The challenge of adhering to
Article 17 of the General Data Protection Regulation (GDPR) is compounded by
both technological considerations and governance design. In the context of
public and permission less blockchains, it might be challenging to achieve
universal implementation of database modifications across all nodes, even if
technical mechanisms for assuring compliance exist.

This section undertakes an
evaluation of the relationship between distributed ledgers and the right to
erasure as outlined in the General Data Protection Regulation (GDPR), with the
aim of offering additional insights on this matter.

First and foremost, it is
imperative to highlight the lack of clarity surrounding the precise definition
of the term ‘erasure’ as used in Article 17 of the General Data Protection
Regulation (GDPR). The feasibility of eradicating personal data from blockchains
remains uncertain due to the lack of specific guidelines on the interpretation
of this term.

What does the right to erasure mean?
Prior to any analysis on the compatibility of blockchain technology with Article
17 of the General Data Protection Regulation (GDPR), it is important to
emphasise that there is a lack of clarity regarding the exact definition of the
term ‘erasure’. [7] The definition of erasure is not provided in Article 17 of
the General Data Protection Regulation (GDPR), and the explanatory statements
within the Regulation also do not elaborate on the interpretation of this term.

It could be posited that an acceptance of a vernacular comprehension of this
language is advisable. As to the definition provided by the Oxford English
Dictionary, erasure refers to the act of eliminating or inscribing over recorded
content or data. It can also denote the complete elimination of any remnants of
a certain entity, resulting in its obliteration. From this particular
standpoint, the concept of erasure can be interpreted as synonymous with the act
of annihilation. However, it has been previously emphasised that the eradication
of data on blockchains, specifically those that are public and permissionless,
is not a simple task.

Nevertheless, there are signs suggesting that the obligation stipulated in
Article 17 of the General Data Protection Regulation (GDPR) does not necessarily
need the complete eradication of data. The act of removing material from search
results in Google Spain was regarded as a form of erasing. It is noteworthy to
acknowledge that the claimant specifically sought only this information from
Google, without having any authority over the original data source, which
happened to be an online newspaper publication.

If the claimant desired complete
eradication of the pertinent data, they would have needed to approach the
newspaper rather than Google. This statement suggests that the General Data
Protection Regulation (GDPR) mandates data controllers to make every effort
within their factual capabilities to achieve an outcome that closely resembles
the destruction of their data.

Furthermore, national and international
regulatory bodies have also suggested that there might exist other approaches to
the complete eradication of data, which could effectively ensure adherence to
the erasure requirement outlined in the General Data Protection Regulation (GDPR).
The Article 29 Working Party, in its assessment of cloud computing, posited that
the potential destruction of hardware might potentially be deemed as erasure
within the context of Article 17 of the General Data Protection Regulation (GDPR).

In addition, it has been acknowledged by national data protection authorities
that the act of erasure does not necessarily equate to complete destruction. An
instance of the Austrian Data Protection Authority has recently acknowledged
that the data controller possesses a certain degree of flexibility in terms of
the technical methods employed to achieve erasure.

Furthermore, it has been
suggested that anonymization can be seen as a viable approach to achieve the
desired outcome of erasure.The number provided by the user is in addition, the
UK Information Commissioner’s Office has consistently contended that rendering
data ‘put beyond use’ could potentially be deemed acceptable.

Right to restriction of processing:
In accordance with Article 18 GDPR:

1. The data subject shall have the right to obtain from the controller
   restriction of processing where one of the following applies:
   1. the accuracy of the personal data is contested by the data subject, for a
      period enabling the controller to verify the accuracy of the personal data;
   2. the processing is unlawful and the data subject opposes the erasure of
      the personal data and requests the restriction of their use instead;
   3. the controller no longer needs the personal data for the purposes of the
      processing, but they are required by the data subject for the establishment,
      exercise or defence of legal claims;
   4. the data subject has objected to processing pursuant to Article 21(1)
      pending the verification whether the legitimate grounds of the controller
      override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal
   data shall, with the exception of storage, only be processed with the data
   subject’s consent or for the establishment, exercise or defence of legal claims or for the
   protection of the rights of another natural or legal person or for reasons of
   important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to
   paragraph 1 shall be informed by the controller before the restriction of
   processing is lifted.

End-Notes:

1. Article 12 (2) GDPR.
2. Article 16 GDPR.
3. Bacon J et al (2018), ‘Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers’ Richmond Journal of Law and Technology 1, 76.
4. Opinion of AG Kokott in Case C-434/16 Peter Nowak [2017] EU:C:2017:582, para 35.
5. Case C-434/16 Peter Nowak [2017] EU:C:2017:994, para 52.
6. Case C-398/15 Salvatore Manni [2017] EU:C:2017:197.
7. https://en.oxforddictionaries.com/definition/erasure

Written By: Madiya Mushtaq

Advocate, Supreme Court of India