December 2017 - Blockchain | Data Protection & Privacy | IT Law | GDPR

Blockchain and Data Protection Law: When Anonymous Data Becomes Personal

Data processing on a blockchain is widely perceived to be completely anonymous and therefore “immune” to data protection laws – which are applicable only for processing of personal data. However, this perceived immunity is not at all absolute – rather, data processing on a blockchain may fall under data protection laws. Lawyers Natalie Eichler and Thorsten Jansen demonstrate some current and future applications of blockchain technology where data protection laws may in fact apply.

BLockchain & data protection

© Rick_Jo |

At first sight, data stored on a blockchain appear to be anonymous, consisting mostly of hashed values and cryptic wallet ID numbers which cannot be directly linked back to the individual to which they relate. As a result, some may assume that, due to the apparent anonymity, there is no room for the application of European data protection laws.

In fact, a closer look at European data protection laws pertaining to the identifiability of an individual person reveals that data stored on a blockchain may not be considered anonymous, but as personal data, because the individual person is identifiable. According to recital 26 of Directive 95/46/EC and recital 26 of the GDPR, when assessing whether an individual person is identifiable, all sources of information and all measures must be considered that are “reasonably likely” to be used to identify a person. This includes measures and information sources available not only to the person currently processing the data, but also to someone else, e.g. a recipient of a transfer of this data, who would be able to use the additional source of information to identify the individual persons engaged in a blockchain transaction.

Some controversy has ensued between legal scholars and data protection authorities on the question of what “reasonably likely” includes, and whether it is sufficient that some theoretical third party would be able to identify individuals.

Without going into the details of that controversy and the various rulings of the European Court of Justice (e.g. on the classification of IP-addresses as personal data, case C-582/14), there are some data processing scenarios in the blockchain ecosystem where European data protection laws may indeed be applicable:

As a first example: Endeavors to use blockchain for identity management purposes, where a digital identity is either stored on the blockchain, or a wallet ID is linked to a (digital) identity outside the blockchain. 

Applying the principles outlined above, data protection laws apply in both cases. 

It would – following the reasoning of the ECJ – be sufficient that an identity matching service outside the blockchain is generally available to the public, or there are legal means (which do in fact exist in many jurisdictions) to obtain the linked digital identity to a wallet ID or transaction on the blockchain from the provider of the identity management service.

As a second example: Developments using blockchain to secure IoT/industrial Internet applications. In some endeavors, blockchain technology is used to securely store a payload, like sensor data from a vast number of sensor nodes. 

While each single piece of data is unrelated to any individual person, the entire array of sensor data may suddenly become personal data, e.g. if sensor data from mobile phone or other sensor nodes that can be related to an individual person is captured (even if unintentionally), or if the amount of data grows large enough for big data analysis tools to single out individuals from the data patterns formed (such as a previously unidentified sensor node in a vehicle logged at the same geographical address each night).

Both examples show that data protection laws do indeed apply to certain data processing on blockchains. In particular, the public availability of all transactions stored on (at least public) blockchains and the availability of big data analysis tools bear the risk of anonymous data being rendered personal data. The widespread view of the data protection authorities in that respect is that any set of data that cannot be cleanly separated from personal data, or for which it is uncertain whether it contains personal data, must be treated entirely as containing personal data. In any given blockchain ecosystem, the repercussions of introducing personal information at one point may therefore quickly expand to the entire blockchain.

Natalie Eichler is an Associate specialising in commercial law matters with special interest in new technology and data privacy law. Before joining DWF in Berlin, Natalie Eichler worked at the legal department of an internet company based in Berlin specialising in contract law, data privacy law and e-commerce.

She has worked as a lawyer in different projects in the field of legal tech, namely in the field of blockchain and was the co-organiser and event director of Berlin Legal Tech 2017. After her legal clerkship, she worked as research associate at a commercial law firm in Berlin with special focus on data privacy law, e-commerce and intellectual and industrial property rights. Natalie studied law in Munich and completed her legal clerkship in Berlin and in Windhoek, Namibia.

Thorsten Jansen is a specialist in information technology law and provides legal advice in areas ranging from digital distribution, digital compliance to social media strategies. His is in copyright law, internet and e-commerce law (including contracts, liability, etc.), compliance regarding data protection (privacy), information security, consumer protection, and encompasses social media strategies and protection of reputation.

Thorsten also consults on new technologies and emerging technological markets and business models, ranging from smart products and wearables, internet of things and smart homes and factories to distribution models such as SaaS. Aside from legal expertise he also has several years of experience in management of corporate IT systems and efficiency and is familiar with many aspects of the workings of corporate IT installations.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.