EU report on blockchain and the GDPR
The European Union Blockchain Observatory & Forum has published a report on blockchain and the GDPR, the EU's data privacy legislation. The report's assertion is that GDPR compliance is not about technology; instead, it is about how the technology is implemented.
The Dutch Blockchain Coalition was actively involved in the realization of this report with notable efforts from Sandra van Heukelom (PelsRijcken) and Katja van Kranenburg-Haspians (CMS Law.Tech). As a contributor, the Dutch Blockchain Coalition welcomes the insights of this report on blockchain in relation to the General Data Protection Regulation (GDPR).
We recognize the value of a European report that gives an outline of, and guidance on, the GDPR elements that those who work and experiment with blockchain face. As a side note to the report, we would like to point out that:
- although not fully addressed in the report, it should be recognized that the GDPR's concept of "data processor" (in addition to data controllership) remains relevant in a blockchain context: nodes may, for example, sometimes qualify as data processors and thus be subject to independent obligations; and
- hashing and encryption, although essential for blockchain solutions, must not be confused with full (i.e. irreversible) "anonymization" within the meaning of the GDPR. In practice, hashing and encrypting data most likely results in pseudonymized personal data, implying that the GDPR still applies to the processing of such data.