Making Blockchain Comply with GDPR: The Challenges and Fixes

by Carlo Gutierrez, October 30, 2018
With the GDPR placing emphasis on data privacy and "the right to be forgotten," how to address blockchain's immutability?

Immutability meets enforceable privacy

Since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, many in the community wondered how this would affect organizations already using blockchain, as well as the future of the technology itself.

At a recent Hyperledger meetup in Copenhagen, Martin von Haller Grønbæk of Bird & Bird brought up the fundamental conflicts between the immutability and transparency of blockchain technology and the GDPR. He also suggested potential solutions to these problems.

“Is GDPR from Venus and blockchain from Mars? We’re talking about two legal sets of rules that are fundamentally incompatible.”
—Martin von Haller Grønbæk, Bird & Bird


What are the issues?

Simply put, blockchain is a distributed, immutable digital ledger that records information in blocks, each of which is added to a chain of earlier blocks shared across a decentralized network. Before any new data can be added to the blockchain, participants have to verify it and reach a consensus.

In the first place, GDPR applies to the aggregation of personal data by controllers—legal bodies determining the purposes and means of personal data processing in the European Union (EU). However, GDPR also applies to companies outside the EU that gather and aggregate data related to data subjects—identifiable natural persons in the EU. This significantly widens the range of companies that need to comply with the new law.

Bird & Bird keeps track of countries that locally supplement the GDPR

In the context of blockchain where data is immutable, the main stress points brought on by the GDPR are the following:

  • Right of access. Data subjects can obtain confirmation from the controller whether or not their personal data is being processed.
  • Right to object. Data subjects can withdraw consent regarding the use of their personal data.
  • Right to be forgotten. Data subjects can have their personal data deleted.
  • Right to rectification. Data subjects can request without undue delay the correction of inaccurate personal data.

According to Martin, the decentralized nature of blockchain also poses a challenge because roles such as controllers and processors need to be defined.

Fundamental challenges of blockchain and GDPR

“From a GDPR point of view, there are some fundamental challenges. First of all, who’s the data controller when the whole concept is that no one’s in control?”
—Martin von Haller Grønbæk, Bird & Bird


What can be done?

During the presentation, Martin suggested some fixes that could resolve the GDPR compliance issue. Personal data can be made unidentifiable by making participants of blockchain anonymous through digital signatures. Personal information could also be encrypted.

With smart contracts playing a critical role in how transactions in blockchain are processed, the contracts can be used to address such GDPR concerns as:

  • Data time limits. Entries in the blockchain could be set to auto delete after a set period of time.
  • Data rectification. Entries in the blockchain can be altered through consensus.

Potential fixes to the problem

Since one of the problems is that of personal data being stored in the blockchain, this data could instead be stored off-chain.

“You can make sure that what’s on the blockchain is not really personal data, but a reference to the off-chain storage where the data is stored.” —Martin von Haller Grønbæk, Bird & Bird

Martin also brought up the idea of creating a blockchain with “semi- or old-fashioned centralized governance.” In this scenario, nodes that are part of the consortium running the blockchain have to agree on a traditional method of governing the network. This includes the assignment of roles that comply with GDPR, such as controllers and processors. Done this way, consensus mechanisms for the GDPR procedures could also be embedded through smart contracts.

Martin von Haller Grønbæk at the Hyperledger meetup in Copenhagen

“The way to achieve consent of personal information could actually be embedded in smart contracts.” —Martin von Haller Grønbæk, Bird & Bird

Another idea suggested was that of creating an open blockchain where users upload their own personal information, but no one controls or owns their data. In this theoretical scenario, the open blockchain network falls outside the scope of GDPR. The regulation will take effect only if data is extracted for commercial purposes.

With Hyperledger emerging as the standard for enterprise-grade blockchain, it’s not surprising to see developments that already begin to address GDPR concerns. Hyperledger Fabric v1.2, released on July 3, 2018, introduces the concept of private data, which enables the creation of GDPR-compliant blockchain solutions. Hyperledger Fabric v1.2 achieves this by limiting access to data through policy logic. Data can also be deleted manually or after a set time period, leaving only a hash of the transaction.
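The off-chain storage idea and the "delete the data, keep only a hash" behaviour described above can be sketched as follows. This is an added example, not code from the talk or from Hyperledger Fabric; the `Ledger` and `OffChainStore` classes, the use of a per-record random salt with HMAC-SHA-256, and the sample record are all assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def block_hash(prev: str, payload: dict) -> str:
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Ledger:
    """Append-only hash chain: blocks are never edited or removed."""
    def __init__(self):
        self.blocks = []
    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": block_hash(prev, payload)})
        return len(self.blocks) - 1          # block index doubles as the reference
    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["payload"]):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Mutable store for the personal data plus a secret per-record salt."""
    def __init__(self):
        self.records = {}
    def put(self, ledger: Ledger, personal_data: dict) -> int:
        salt = secrets.token_bytes(32)       # random key: a bare hash of an e-mail is guessable
        blob = json.dumps(personal_data, sort_keys=True).encode()
        tag = hmac.new(salt, blob, hashlib.sha256).hexdigest()
        ref = ledger.append({"commitment": tag})   # only the commitment goes on-chain
        self.records[ref] = (salt, blob)
        return ref
    def matches_ledger(self, ledger: Ledger, ref: int) -> bool:
        if ref not in self.records:          # erased: nothing left to link to the commitment
            return False
        salt, blob = self.records[ref]
        tag = hmac.new(salt, blob, hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, ledger.blocks[ref]["payload"]["commitment"])
    def erase(self, ref: int) -> None:
        self.records.pop(ref, None)          # deletes data AND salt; ledger untouched

def demo():
    ledger, store = Ledger(), OffChainStore()
    ref = store.put(ledger, {"name": "Alice Example", "email": "alice@example.org"})  # constructed sample
    before = store.matches_ledger(ledger, ref)
    store.erase(ref)
    return before, store.matches_ledger(ledger, ref), ledger.verify()
```

`demo()` shows the record verifying against the ledger before erasure, no longer resolvable afterwards, and the chain itself still passing its integrity check.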

As more and more organizations adopt blockchain technology, conversations about GDPR will only increase and, at the end of the day, it’s up to blockchain users to comply with the regulation.

The slides by Martin are available here.


Want details? Watch the video!

Table of contents

  1. What are the challenges between the GDPR and blockchain? (4’02”)
  2. What are the fixes? (7’20”)
  3. What about creating a centrally governed blockchain? (10’35”)
  4. What about a purely open blockchain? (16’15”)
  5. Questions and answers (21’25”)




Related sessions from the meetup

Below are all the sessions from the Copenhagen meetup, starting with an introduction to Hyperledger and then the talk about the three Special Interest Groups (SIGs) focused on blockchain.


Following the session by Martin, Vitaliy Chernov of Altoros talked about the private collections feature—allowing for hiding sensitive data either partially or fully from certain parties—available through Hyperledger Fabric v1.2. He demonstrated how this feature is successfully implemented in a platform developed by Altoros for automating critical processes of over-the-counter trading.


Here are the slides by Vitaliy.


About the expert

Martin von Haller Grønbæk is a Partner at Bird & Bird. He is recognized for his solid legal skills, as well as for being an innovative thought leader and strategist within the IT industry. Martin is one of Denmark’s leading IT lawyers with almost 20 years of experience in advising Danish and international organizations, including large blue chip companies, on legal and commercial matters in connection with IT in a wide sense. He is considered a pioneer with respect to the legal aspects of online technology solutions (e-commerce, Internet, and web services), cybersecurity, open source, open data, and the use of other open-license forms.

The post was written by Carlo Gutierrez, edited by Sophia Turol and Alex Khizhniak.