On September 12, the German Federal Ministry of Economy and Energy, and the German Federal Ministry of Finance published the German Federal Blockchain Strategy (German, PDF).
After analysing the statements relating to Data Protection and GDPR, here is some high level response to the key points.
Blockchain Strategy Implementation Principles [p5]
“IT-Sicherheit und Datenschutz garantieren: Nur wenn Blockchain-Anwendungen den von Expertinnen und Experten empfohlenen Anforderungen an die IT-Sicherheit und den rechtlichen Anforderungen des Datenschutzes genügen, können Risiken minimiert, Missbrauch verhindert und eine hohe Akzeptanz erreicht werden.”
Machine Translated Version
“Guarantee IT security and data protection: Only if blockchain applications meet the IT security and legal requirements for data protection recommended by experts can risks be minimized, misuse prevented and a high level of acceptance achieved.”
In its current implementation this would disregard one of the key differentiator and benefits of blockchain technology: the decentralisation of responsibilities to enable trust. Expecting that blockchain can meet all requirements by itself, is like fitting a square peg in a round hole.
Misuse in blockchain does not always come from the classical and expected angle: centralisation in an environment that is expected to be decentralised can be a large problem for the integrity of the network and the data. To prevent misuse of this kind, the regulatory framework must inherently support new governance structures.
Creating the right framework conditions, 3a [p13]
“Insbesondere die Kompatibilität der Blockchain-Technologie mit der Datenschutz-Grundverordnung (DSGVO) ist immer wieder Thema. Aus Sicht der Bundesregierung ergibt sich aus der Blockchain-Technologie aktuell kein Änderungsbedarf bei der DSGVO. Vielmehr muss die Blockchain-Technologie datenschutzkonform ausgestaltet und angewendet werden.”
Machine Translated Version
“In particular, the compatibility of blockchain technology with the General Data Protection Regulation (GDPR) is a recurring issue. From the point of view of the Federal Government, there is currently no need for changes to the GDPR as a result of blockchain technology. Rather, the blockchain technology must be designed and applied in compliance with data protection regulations.”
This completely disregards that the very clear definitions in the GDPR about Data Controllership and Data processorship are too narrow for any distributed system. There is no sensible way actors in a distributed (or decentralised) environments can fit the definitions. At the very least, there should be clear guidance on how this is to be interpreted and how the controller and processor roles under the GDPR should be fulfilled in an environment where, by design, no one party is fully responsible in all situations, all of the time. On the notion of the right to erasure, it should be understood that a ‘mutable blockchain’ does not aid in decentralising trust as the very concept foresees. Much more important may be defining what precisely constitutes personal data.
I would also plea for the implementation of guidance that takes specific situations into account: Are there data that will not have to be deleted if they are collected under specific circumstances? At current, the guidance can not be applied directly, and no guidance is available, which makes different groups of experts speculate about different possible solutions. This is not helpful for the ecosystem.
Creating the right framework conditions, 3a [p13] (continued)
“Etwaige Unsicherheiten bei Entwicklern und Anwendern von Blockchain-Lösungen sollten adressiert werden, um die Entwicklung verbraucher- und datenschutzkonformer Lösungen zu befördern. Dabei sollten bestehende technische Lösungen (u. a. Verwendung von Hashwerten, Pseudonymisierung, Zero-Knowledge-Proof) und die Grundsätze privacy-by-design und privacy-by-default Anwendung finden.”
Machine Translated Version
“Any uncertainties among developers and users of blockchain solutions should be addressed in order to promote the development of consumer- and data protection-compliant solutions. Existing technical solutions (e.g. use of hash values, pseudonymisation, zero knowledge proof) and the principles of privacy-by-design and privacy-by-default should be applied.”
While the usage of existing technical measures as well as data protection by design is already mandatory under the GDPR, addressing the uncertainties in this regard is elemental to ensure. These uncertainties may be addressed through clear guidance by the data protection regulators. The finding of data protection-compliant solutions however, may very likely require a combination of technical solutions and legal leeway. Claims by software developers having found so called ‘GDPR compliant’ blockchain solutions should be assessed in detail. More often than not it will only solve a subset of compliance problems, and will usually come at cost to decentralisation or governance.
The mentioned initiative of organising a round table on data protection and blockchain in the first half of 2020 is a great way to exchange further ideas and implementable solutions. I would be happy to contribute.