Skip to content
City PM
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
Wednesday 09 December 2020 11:57 am  |  Updated:  Wednesday 09 December 2020 12:29 pm

Privacy laws and blockchain

By: Crypto AM: Talking Legal in association with INX

Add as a preferred source on Google
Price Of Bitcoin Sinks As Cryptocurrency Sell-off Continues
Getty Images

The very nature of Distributed Ledger Technology (DLT) raises some interesting issues around privacy laws and their application to DLT. It is important for industry participants to understand this important area of law and its application to their business.

Blockchain is a technology that enables the secure validation, recording, and sharing of data. The data is stored in a distributed database, meaning there is not one centralised database controlled by a single person, but rather multiple copies of the database which are continuously updated in real time across the network of participants. Not only does this eliminate one single point of failure risk, but it also makes tampering with the data a significantly more onerous task, as a person would need to tamper with all copies of the data near simultaneously.

Blockchain utilises cryptographic methods to protect the data from unauthorised access. Crytopgraphy is a type of data security measure which converts any type of data into a new format that can be read only by users who are permitted to access it, therefore the data cannot be accessed by users with no authorisation.  Cryptography involves several steps to securely alter the format of the data. This is achieved through the following steps:  firstly, converting the data into a coded form, which is referred to as a hash, that bears no resemblance to the original data; secondly, designing  the hash such that it cannot be reverse-engineered, meaning it can only be decoded by guessing the underlying original data; and thirdly, storing the hashes in a manner which enables a user to easily confirm whether any of the original underlying data or hashes have been tampered with. This enables a user to trust the integrity of the data once stored, without necessarily having to trust its counterparts.

Blockchain technology utilises cryptography for wallets, transactions, security, and privacy-preserving protocols.  

How does this structure tie into compliance with privacy law? 

One of the key features of blockchain is its purported immutability, meaning that data stored in a blockchain-based database cannot be subsequently altered. The immutability of blockchain is often held out as incompatible  with data privacy laws, such as the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), that empower data subjects to have control over their personal data, including how it is collected and stored, and dictates that persons collecting and storing such data must agree to hand over, correct, and delete that data on request.   In addition to the data subject rights, the GDPR also contains a principle on data minimisation, whereby organisations should only process personal data that is relevant and necessary for the defined purpose, and the principle of storage limitation, whereby organisations should only keep personal data for as long as necessary for the purposes for which it was collected. 

On the face of it these obligations are in conflict with the inherent “immutable” feature of the blockchain. However, understanding whether a particular network is compatible with the obligations under respective data protection frameworks requires a case-by-case analysis. And, it is possible that technological mechanisms can be built into the blockchain network and relevant consensus protocol to facilitate regulatory compliance. In practice, many of the privacy “challenges” which  are raised under the GDPR can in fact be addressed through transparency, such as clearly communicating with participants how the blockchain works and uses personal data and also how the exercise of an individual’s rights will be treated given the nature of the technology. This requires that companies utilising blockchain technologies thoroughly understand the nature of data processing activities. 

Key to understanding the obligations of a party is to accurately designate the respective roles (i.e. controller or processor) under the data protection framework. Often in these complex relationships 

between stakeholders, it is not black or white as to which party is acting as a controller or a processor. Indeed, in some scenarios, a party may take multiple roles depending on the processing activity. Nevertheless, being clear about the roles of a party in respect of processing is central to assessing both risk and the applicable obligations under the GDPR. For example, controllers have to comply with the transparency principle, part of which requires that they provide individuals with a fair processing notice stating (amongst other things) the ways in which their data is used, who else may have access to it, how long it is kept for, and so on. However, it may be that a party that it quite far removed from the end-user is acting as a controller, and it would be impracticable for that party to provide the individual with a notice.

The solution, more often than not, is to contractually delegate the responsibility to notify the end-user to the party with the direct relationship.  We now see many businesses providing template wording for counter-parties to include in their privacy notices to address this issue.

Read more

Icon Solutions Showcases How Banks Can Accelerate Digital Asset Innovation with IPF

Separately taking a more principles based assessment of GDPR obligations, it seems that blockchain technologies have many shared objectives with the GDPR. For example, the GDPR recognises “pseudonymisation” (i.e. ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.’) as a security measure and risk mitigation technique. It follows that there is a good argument that blockchain use of cryptography is a ‘Privacy by Design and Privacy by Default’ technology and offers increased security of data.

The GDPR introduces a number of enhanced rights for individuals in respect of their personal data, such as the right to be forgotten, the right to data portability, the right to not be subject to automated decision-making, and the right to object.  Organisations should consider, at the outset, how a data subject request will be handled and implemented, as well as, how to ensure that the network of stakeholders, which may be in receipt of the data, are also notified, and assist with such requests.

What are enforcement penalties for breach?

Under the GDPR, businesses may also be exposed to significant fines for non-compliance or other sanctions from regulators (such as undertakings to remediate areas of non-compliance or orders to cease non-compliant processing). Fines associated with infringements by an organisation of its obligations to comply with a data subject request to exercise his or her rights, may result in the higher tier of fine available under the GDPR of up to 4% of global turnover, or €20 million. Importantly non-compliance may also result in lack of consumer trust and reputational damage, either of which is likely to materially impact the adoption of blockchain technologies and potential innovation. Accordingly, it is vital for businesses to give serious consideration to compliance and take proper legal advice to avoid being penalised. 

Given the unique nature of blockchain technologies, how can one manage the coexistence of blockchain and GDPR?

In parallel with the plethora of digital technologies, the GDPR came into effect in May 2018 and introduced the highest standard for data protection laws globally, as well as new rights for individuals that are aimed at enabling greater control in respect of their data. It follows as no surprise that data protection regulators acknowledge the tension between technology innovation and regulatory compliance, often emphasising that data protection should be seen as an opportunity, rather than a barrier to innovation. With proper upfront legal advice and planning the challenges faced by businesses that use DLT can be managed.

The UK ‘s Information Commissioner’s Office (‘ICO’) has published its Technology Strategy 2018- 2021, in which it states: “The most significant data protection risks to individuals are now driven by the use of new technologies… and the ICO ‘s approach to technology will be underpinned by the concept that privacy and innovation are not mutually exclusive”. When they both work together this creates true trust and data confidence. Technology is therefore viewed by the ICO as a risk and an opportunity. That is a fair and balanced approach. Yes it does require some resource to manage compliance with data and privacy laws when utilising blockchain technologies, it is however conducive to a sustainable ecosystem where users are afforded some protection which will in the medium to long term lead to a sustainable use and growth of this wonderful technology.

By Abradat Kamalpour, Partner Ashurst LLP and Architect of FinTech Legal Labs (www.fintechlegallabs.com), Gita Shivarattan, Counsel Ashurst LLP and  Ida Mokhtassi, Associate Ashurst LLP.

Crypto AM: Talking Legal in association with INX

Read more

DFNS Rebrands as the Core Banking Platform for Digital Assets

Share this article

  • Facebook
  • X
  • LinkedIn
  • WhatsApp
  • Email

Similarly tagged content:

Sections

  • Blockbeat

Trending Articles

  • Citroën 2CV returns as a £13,000 electric car, and the timing is no accident

  • Wimbledon: HMRC set to slap Sinner and Noskova with £1.6m tax bill

  • Rachel Reeves to unveil next steps for ring-fencing reform at Mansion House

  • Barclays and Lloyds back calls to digitalise UK markets and unlock £33bn boost

  • The former African gold miner taking on the billionaire Issa brothers

More from City PM

  • Icon Solutions Showcases How Banks Can Accelerate Digital Asset Innovation with IPF

    Business Wire
  • DFNS Rebrands as the Core Banking Platform for Digital Assets

    Business Wire
  • MSCI Announces the Results of the MSCI 2026 Market Classification Review

    Business Wire
  • Over Half of Consumers Will Pay More for Brands That Are Transparent About AI Data Use, New Usercentrics Research Finds

    Business Wire
  • VPN demand rockets as UK prepares for under-16 social media ban

    Tech
    Getty Images logo on a digital screen, symbolizing media and photography industry presence in news and business contexts
  • UK law clears hurdle for airlines to ban unruly passengers from travelling

    Aviation
    The Government’s ambition is for the UK to have 50 million international visitors a year by 2030.
  • Options Technology Offers Immediate Access to the Texas Stock Exchange (TXSE)

    Business Wire
  • Kendall blasts ‘unacceptably slow’ online safety laws as VPN loophole grows

    Tech
    Work and Pensions Secretary Liz Kendall is in charge of reforming the state pension and benefits system

City PM — European politics, business and analysis.

Europe

  • Germany
  • France
  • Europe
  • UK & Ireland

Topics

  • Business
  • Markets
  • AI
  • Technology
  • Opinion
  • Energy

More

  • Politics
  • Economics
  • Fintech
  • Legal
  • Sport
  • Life

Company

  • About City PM
  • Editorial Policy
  • Corrections
  • Contact
  • Terms of Use
  • Privacy Policy
  • Cookie Policy
© 2026 City PM · Published by CityPM Media, Bahnhofstrasse 65, 8001 Zürich, Switzerland
About · Editorial Policy · Corrections · Contact · Privacy · Facebook