Article 29, Working Party considers in part 4 of the Opinion 05/2014 regarding ÂAnonymisation TechniquesÂ, that hashing is a technique of pseudonymisation which would effectively mean that the coding within a blockchain cannot be characterised as personal data to be given protection under data protection. With that said, they considered that if a hash has the ÂlinkabilityÂ, for example to someoneÂs medical records, or personal I.D, then it can be capable of being personal data. However, they then contrasted by saying that a hash that represents a bill of lading for example, would not be considered personal data. This is because it would only link to the bill of lading as a title so does not contain personal data. It was concluded that the various techniques of pseudonymisation, which blockchain relies on, fails to meet completely with the criteria of effective anonymisation no singling out of an individual, no linkability between records relating to an individual, and no interference concerning an individual. It is this common misconception that will need to be addressed and explained to the data subject and data controllers in question.
Article 24 states that Âthe controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.Â This statement ensures that the controller of the blockchain must still conform to the data protection rules no matter what use of technology is used for the storing of information. It specifically provides that the controller is to implement appropriate technical and organisational measures. A blockchain does have natural measures which makes it appealing. The fact that it is decentralised and has a locked code between each block the point that it cannot be tampered with or altered and that it is controlled by the data subject, processor, and controller covers the requirements needed to conform to the regulation. The only issue that could be considered as a fault is that the personal key, or code that completes the encryption to access information within, is something than can pass ownership. This means that if a key was stolen, or sold and falls into the wrong hands, the stored data is accessible. That is down to the data subject though, and not something that a data controller has any control over.
Article 26(3) may cause an issue within the parameters of a blockchain database. It states that the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers. The rights or ability to exercise rights on a decentralised system which arguably has a large number of controllers and processors is not practical. Also, a difficulty is that the data is available on a public ledger so could be accessed by anyone. Surely the rights under this regulation are lost the minute a data subject agrees to the use of blockchain technology to store their data or submit their information to another source through the ledger.
More food for thought!!