The compatibility of DLT-based applications with the GDPR has been reviewed in the past years, but the conclusions were in general not very sharp. Often, scholars underscored the fact that compatibility or lack thereof can only be assessed on a case-by-case basis. This is at least the conclusion I drew in my article on the matter, available at :
Article Blockchain in international e-government processes: Opportun...
.Yet, I wonder if, with the recent developments in technology and applications, and with the better understanding of how the GDPR is implemented, time has come for a renewed assessment of the relationship between the two. Are there ways to make DLT applications a priori GDPR compatible? if so, how? Or, to the contrary, are DLT a priori not meeting the GDPR requirements? and if so why and what should be fixed when it comes to concrete use cases?Many thanks for a lively discussion.
Christian Pauletto
It's definitely tricky, as you have two opposing principles:
1) What happens on the blockchain, stays on the blockchain
2) The GDPR "right to be forgotten"
This implies that you can certainly never place any form of personal information on a blockchain, but only links to or hashes of such information. However, this in turn breaks another principle, namely that you should never sign something you don't know the content of. What happend if the information that is pointed to changes? Is it possible to perform a birthday attack on the hash by preparing two different messages with the same hash?
I believe that one area where the two might be somewhat reconciled is in relation to large financial holdings in companies and funds. Indeed, based on the new rules regarding the BO register, large investors' names are accessible to "all who can justify and interest" - which notion has been construed very liberally in many EU jurisdictions. This being said, as the BO register obligation tackles only large holdings and only from an AML standpoint, this will not be an uniform solution as the real use for a DLT solution in a fund context is when a fund (not a club-deal with 2-3 partners/investors) is dealing with a very large number of investors. To be seen. Happy to have a call on the matter to exchange views and ideas if need be. Take care, Ezechiel
I agree on your findings. Nice article. Christian Pauletto Christian Pauletto