Blockchain & data protection…and why they are not on a collision course

Research output: Contribution to journalArticleScientificpeer-review

Abstract

Recent publications on the data protection aspects of blockchain technology
focus on the characteristics of the initial public (Bitcoin) blockchain, and do so in a generalized manner. The authors then conclude that the characteristics of a public blockchain are profoundly incompatible at a conceptual level with the principles of the EU General Data Protection Regulation (GDPR). The GDPR requires identification of acentral ‘controller’ who is responsible for compliance with the GDPR, while a public blockchain decentralizes the storage and processing of personal data, as a result whereof there is no such central point of control. For lack of a better alternative, the authors conclude that all ‘nodes’ involved in operating a blockchain qualify as a controller under the GDPR, raising enforcement and jurisdictional issues that make it impossible for individuals to enforce their rights. The transparency and immutability of a public blockchain would further not sit well with principles of data confidentiality, data
minimization, data accuracy and the rights of individuals to correction and deletion of their data.

I disagree with the analysis of these authors for a host of different reasons, the main one being that the authors focus on the shortcomings of the initial public (Bitcoin) blockchain when already many new types of permissioned private and consortium blockchain have been developed that significantly diverge from the original, permissionless public blockchain. In fact, these types of permissioned blockchain have been developed in response to the shortcomings of public blockchain. The authors further consider the data processing implications of blockchain as if this technologymean that they are probably unsuitable
for personal data.
825
Original languageEnglish
Article number6
Pages (from-to)825-851
Number of pages28
JournalEuropean Review of Private Law
Volume26
Issue number6
Publication statusPublished - 2018

Fingerprint

data protection
regulation
personal data
transparency
EU
lack

Cite this

@article{d492515b2d6e41c288f4d739ad149f51,
title = "Blockchain & data protection…and why they are not on a collision course",
abstract = "Recent publications on the data protection aspects of blockchain technologyfocus on the characteristics of the initial public (Bitcoin) blockchain, and do so in a generalized manner. The authors then conclude that the characteristics of a public blockchain are profoundly incompatible at a conceptual level with the principles of the EU General Data Protection Regulation (GDPR). The GDPR requires identification of acentral ‘controller’ who is responsible for compliance with the GDPR, while a public blockchain decentralizes the storage and processing of personal data, as a result whereof there is no such central point of control. For lack of a better alternative, the authors conclude that all ‘nodes’ involved in operating a blockchain qualify as a controller under the GDPR, raising enforcement and jurisdictional issues that make it impossible for individuals to enforce their rights. The transparency and immutability of a public blockchain would further not sit well with principles of data confidentiality, dataminimization, data accuracy and the rights of individuals to correction and deletion of their data.I disagree with the analysis of these authors for a host of different reasons, the main one being that the authors focus on the shortcomings of the initial public (Bitcoin) blockchain when already many new types of permissioned private and consortium blockchain have been developed that significantly diverge from the original, permissionless public blockchain. In fact, these types of permissioned blockchain have been developed in response to the shortcomings of public blockchain. The authors further consider the data processing implications of blockchain as if this technologymean that they are probably unsuitablefor personal data.825",
author = "Lokke Moerel",
year = "2018",
language = "English",
volume = "26",
pages = "825--851",
journal = "European Review of Private Law",
issn = "0928-9801",
publisher = "KLUWER LAW INT",
number = "6",

}

Blockchain & data protection…and why they are not on a collision course. / Moerel, Lokke.

In: European Review of Private Law, Vol. 26, No. 6, 6, 2018, p. 825-851.

Research output: Contribution to journalArticleScientificpeer-review

TY - JOUR

T1 - Blockchain & data protection…and why they are not on a collision course

AU - Moerel, Lokke

PY - 2018

Y1 - 2018

N2 - Recent publications on the data protection aspects of blockchain technologyfocus on the characteristics of the initial public (Bitcoin) blockchain, and do so in a generalized manner. The authors then conclude that the characteristics of a public blockchain are profoundly incompatible at a conceptual level with the principles of the EU General Data Protection Regulation (GDPR). The GDPR requires identification of acentral ‘controller’ who is responsible for compliance with the GDPR, while a public blockchain decentralizes the storage and processing of personal data, as a result whereof there is no such central point of control. For lack of a better alternative, the authors conclude that all ‘nodes’ involved in operating a blockchain qualify as a controller under the GDPR, raising enforcement and jurisdictional issues that make it impossible for individuals to enforce their rights. The transparency and immutability of a public blockchain would further not sit well with principles of data confidentiality, dataminimization, data accuracy and the rights of individuals to correction and deletion of their data.I disagree with the analysis of these authors for a host of different reasons, the main one being that the authors focus on the shortcomings of the initial public (Bitcoin) blockchain when already many new types of permissioned private and consortium blockchain have been developed that significantly diverge from the original, permissionless public blockchain. In fact, these types of permissioned blockchain have been developed in response to the shortcomings of public blockchain. The authors further consider the data processing implications of blockchain as if this technologymean that they are probably unsuitablefor personal data.825

AB - Recent publications on the data protection aspects of blockchain technologyfocus on the characteristics of the initial public (Bitcoin) blockchain, and do so in a generalized manner. The authors then conclude that the characteristics of a public blockchain are profoundly incompatible at a conceptual level with the principles of the EU General Data Protection Regulation (GDPR). The GDPR requires identification of acentral ‘controller’ who is responsible for compliance with the GDPR, while a public blockchain decentralizes the storage and processing of personal data, as a result whereof there is no such central point of control. For lack of a better alternative, the authors conclude that all ‘nodes’ involved in operating a blockchain qualify as a controller under the GDPR, raising enforcement and jurisdictional issues that make it impossible for individuals to enforce their rights. The transparency and immutability of a public blockchain would further not sit well with principles of data confidentiality, dataminimization, data accuracy and the rights of individuals to correction and deletion of their data.I disagree with the analysis of these authors for a host of different reasons, the main one being that the authors focus on the shortcomings of the initial public (Bitcoin) blockchain when already many new types of permissioned private and consortium blockchain have been developed that significantly diverge from the original, permissionless public blockchain. In fact, these types of permissioned blockchain have been developed in response to the shortcomings of public blockchain. The authors further consider the data processing implications of blockchain as if this technologymean that they are probably unsuitablefor personal data.825

M3 - Article

VL - 26

SP - 825

EP - 851

JO - European Review of Private Law

JF - European Review of Private Law

SN - 0928-9801

IS - 6

M1 - 6

ER -