Law and Autonomous Systems Series: Blockchains and the Right to be Forgotten

Blockchain technology is the new word on the street. A blockchain is in essence an append-only decentralized database that is maintained by a consensus algorithm and stored on multiple nodes (computers). While the technology is still immature and applications remain rare, it is widely viewed as a disruptive force, capable of decentralizing business models, forms of human interaction and markets. Given that they are new forms of data storage and management, questions surrounding the relation between blockchains and the EU’s General Data Protection Regulation (‘GDPR’) abound. Whereas the GDPR was fashioned for a world where data is centrally collected, stored, and processed, blockchains decentralize these processes. With a paradigm shift of such radical contours, the applicability of a legal framework constructed for a sphere of centralization to one of decentralization is not without difficulties. This brief article focuses on one specific aspect of the GDPR: the so-called ‘right to be forgotten’.

Article 17 GDPR mandates that the data subject (the identified or identifiable natural person to which the data in question relates) shall have the right to obtain from the data controller (the natural or legal person that determines the purposes and means of personal data processing) ‘the erasure of personal data concerning him or her without undue delay’. Controllers are obliged to delete personal data under a number of conditions, such as: (i) the personal data is no longer necessary for the purposes it was collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based or where there is no other ground for processing; (iii) the data subject objects to the processing and that there are no overriding legitimate grounds for processing; (iv) personal data has been unlawfully processed; (v) personal data has to be erased for compliance with national or supranational law to which the controller is subject; or (vi) personal data has been collected in relation to the offer of an information society service to a child under 16 years of age.

Tamper-resistance is one of the most heralded features of blockchains. They are, by definition, unable to easily forget as they were specifically designed to be censorship-resistant. While the modification of data on a blockchain is possible in principle, it is in most cases extremely expensive and burdensome to realise. Such modification moreover alters a blockchain’s character as a coherent chain of blocks. Where the data of one block is tampered with, the associated hash, as well as the hash of all subsequent blocks, is modified. Given the difficulties of changing or deleting data from a blockchain, we can exclude a straightforward application of the right to be forgotten to this emergent technology.

On a blockchain, both public keys and transactional data likely qualify as personal data. With regard to transactional data a number of possible solutions can be envisaged. Where personal data is recorded in a referenced, encrypted and modifiable database (conventionally referred to as ‘off-chain storage’), as opposed to the blockchain itself, it can be deleted in line with data protection requirements without the need to touch the blockchain itself.

With regard to public keys, compliance is more burdensome. First, it must be recalled that the right to be forgotten is not an absolute right. Article 17(2) GDPR rather provides that when faced with a request for erasure, the data controller shall take ‘account of available technology and the cost of implementation’ and then take ‘reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of those personal data’.

Here, the question arises as to whether the reference to ‘available technology’ could lead to an interpretation of the GDPR that dispenses with outright erasure in light of blockchains’ technical limitations, in favour of an alternative solution. Indeed, some have suggested that formalized procedures of transmitting a key to the data subject or deleting the private key in a supervised setting could amount to erasure for the purposes of the GDPR. Unlike outright erasure, the encrypted data would still exist on-chain but could only be accessed by the data subject (through her exclusive control of the private key) or simply no longer be accessed at all. Moreover, pruning can be used to delete obsolete transactions in older blocks that are no longer necessary for the continuation of the chain. However, the idea remains controversial.

A further option would be the use of chameleon-hashes to re-write the content of blocks on a blockchain by authorized authorities under specific constraints, and with full transparency and accountability. However, there are a number of problems with this approach. First, if the lock key is destroyed or lost the chain reverts to being de facto immutable. This solution would further reintroduce the need for a trusted third party such as governments, special bodies or arbitrators, which some will find unacceptable as it arguably defeats the very benefit of using a blockchain. Secondly, chameleon-hashes can’t eliminate old copies of the blockchain that will still contain the redacted information, and miners also have discretion as to whether to accept the changes or not. 

It should be stressed that hard forks, which can be used to mutate blockchains in very exceptional cases, are likely not viable GDPR compliance-tools. Hard forks only make sense for the most recently mined block, as all subsequent blocks are rendered invalid so that all the transactions stored in these blocks would have to be reprocessed. This would be too costly, regardless of the consensus protocol that is used, and take a very long time (equal to the time that has passed since the block was mined, assuming equal mining power).

Whether any of these solutions can satisfy the requirements of Article 17 GDPR remains to be seen. The precise meaning of ‘erasure’ is not defined in the GDPR, potentially opening the door to other interpretations than absolute deletion. It is worth noting that certain national ‘implementing’ laws have already directed themselves towards a softer version of the right to be forgotten. The German legal framework accepts that data must not be deleted where the specific mode of storage makes this impossible.

How this will apply to blockchains remains to be seen given that, as long as personal data is on the blockchain, it will always be ‘processed’ in the sense that it forms part of the chain of blocks to which new blocks are hashed. The German approach is nonetheless interesting as it shows that the GDPR can be interpreted to combine its objectives with the respective technological characteristics of the instrument at issue. This further seems to, at least as a matter of principle, open the door for interpretations of the right to be forgotten that account for the ledger’s immutability and the need for alternative solutions. Other Member States have not, however, foreseen that option. This risks fragmenting applicable rules, which is precisely what the GDPR sought to eliminate.

Hence, the tension between the GDPR’s right to be forgotten and blockchains as censorship-resistant databases is evident. The technology was set up to avoid interference with (personal) information by third parties, including governments and the judiciary. The real world, however, is unlikely to accept blockchains that are perfectly ‘immutable’. For blockchains to be accepted by the real world they need to be compliant with law, and for law to accept such technology, the technology needs to be capable of amendment (i.e. not immutable). The right to be forgotten is one example but there are many others. For example, where tokens function as avatars of real-world goods, the chain needs to be able to reflect changes in ownership in light of off-chain transfers, such as those resulting from judicial decisions.

Discussions concerning the GDPR are thus only one facet of the question of how interoperability between blockchain technology and legal systems can be ensured. Here, as in all other scenarios, we need to build bridges to overcome present challenges. These bridges need to be interdisciplinary (such as collaborations between lawyers and computer scientists) but also interinstitutional (uniting regulators, industry, other stakeholders and experts) to collectively determine how this new wave of technological innovation can be best managed.

Michèle Finck is a Senior Research Fellow at the Max Planck Institute for Innovation and Competition and a Lecturer in EU Law at Keble College, University of Oxford.