The GDPR imposes strict requirements on data controllers and processors, and while its objective of protecting personal data overlaps in places with the purposes of blockchain technologies, the two differ significantly in approach: the GDPR assumes an identifiable party who controls the data and can erase or rectify it, whereas a blockchain is designed so that written data is replicated and cannot be altered afterwards.
The discussion has multiple layers, starting with who the responsible parties are. A data subject who has a request concerning their personal data included in hashed form on the blockchain (for example a request for erasure, often pointed out as problematic in connection with blockchain technology) would typically first address the provider of the application (dApp) or smart contract by which the personal data was written to the blockchain. Such a provider would in many cases be considered the data controller for that data, and may or may not have a direct contractual relationship with the data subject.
The question then arises whether "joint controllers" can be identified among the other actors in a blockchain context. The answer may depend on the type of blockchain, one important distinction being between public and private blockchains, and another between permissioned and permissionless blockchains, the latter referring to how open the platform is, i.e. whether anyone may carry out certain activities such as validating transactions. Only private blockchains and public permissioned blockchains will typically have some form of governing or controlling entity that could at least theoretically be interpreted as a "data controller". However, even such an entity would in practice not necessarily be able to fully control how the blockchain is used, or whether personal data will be included in transaction data or in a deployed smart contract.
The risk of non-compliant situations for users of blockchain in their new technology projects is often said to be fully mitigated, or at least significantly reduced, by the hashing that is typically applied to any data that goes onto a blockchain. Fully anonymous data is indeed not "personal data" under the GDPR. However, hashing will not necessarily be considered sufficient to render personal data anonymous; this depends on a case-by-case analysis, taking into consideration the hashing method used and, as a result, whether the data can still be linked to a natural person through "reasonable efforts" (Recital 26 speaks of "all the means reasonably likely to be used"). In practice, an unkeyed hash of a low-entropy value such as an e-mail address, phone number or national ID number can be linked back to the person simply by hashing candidate values and comparing, so such data is better regarded as pseudonymised than anonymised. The answer will thus not necessarily be the same for all blockchain platforms.
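The following is an added example, not code from the original article or from any particular blockchain project, illustrating why a plain hash of personal data on-chain may still be "personal data". It uses a constructed e-mail address and a constructed, deliberately small candidate list (a hypothetical stand-in for the leaked address lists an adversary would actually use) to show that an unkeyed SHA-256 digest can be linked back to the person by enumeration, whereas an HMAC with a secret key held off-chain by the controller cannot be linked without that key. The function and variable names are assumptions made for this example.

```python
import hashlib
import hmac
import itertools
from typing import Callable, Iterable, Optional

# Constructed sample input for this example: the e-mail address a hypothetical
# dApp hashes and writes to the chain. Not taken from any real deployment.
ON_CHAIN_EMAIL = "alice.smith@example.com"


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 hex digest, the kind of 'hashing' commonly assumed
    to anonymise data before it is written on-chain."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA-256 hex digest under a secret key that stays with the
    controller off-chain. Without the key, the digest cannot be recomputed
    from a candidate input, so enumeration no longer links it to a person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def candidate_emails() -> Iterable[str]:
    """Constructed low-entropy input space: first.last@domain over a tiny
    name list. Real adversaries enumerate far larger leaked address lists,
    which is exactly why a plain hash of an e-mail address offers little
    protection."""
    firsts = ["alice", "bob", "carol", "dave"]
    lasts = ["smith", "jones", "lee", "brown"]
    domains = ["example.com", "example.org"]
    for first, last, domain in itertools.product(firsts, lasts, domains):
        yield f"{first}.{last}@{domain}"


def recover_by_enumeration(
    target_hex: str,
    candidates: Iterable[str],
    hash_fn: Callable[[str], str],
) -> Optional[str]:
    """Attempt to link an on-chain digest back to a natural person by hashing
    every plausible input with the same (public) method and comparing.
    Returns the matching input, or None if no candidate matches."""
    for cand in candidates:
        if hmac.compare_digest(hash_fn(cand), target_hex):
            return cand
    return None


def linkable_with_plain_hash() -> Optional[str]:
    """Scenario 1: the dApp stored sha256(email). Anyone who knows the method
    and can guess the input space recovers the address."""
    digest = plain_hash(ON_CHAIN_EMAIL)
    return recover_by_enumeration(digest, candidate_emails(), plain_hash)


def linkable_with_keyed_hash(secret_key: bytes) -> Optional[str]:
    """Scenario 2: the dApp stored HMAC(key, email) and kept the key off-chain.
    The same enumeration, run by a party who does not hold the key, fails,
    because it can only compute the unkeyed hash of each candidate."""
    digest = keyed_hash(ON_CHAIN_EMAIL, secret_key)
    return recover_by_enumeration(digest, candidate_emails(), plain_hash)


if __name__ == "__main__":
    # Assumed secret key for the example only; a real controller would
    # generate one with secrets.token_bytes(32) and store it off-chain.
    example_key = bytes(range(32))
    print("plain hash linked to:", linkable_with_plain_hash())
    print("keyed hash linked to:", linkable_with_keyed_hash(example_key))
```

The keyed variant is still pseudonymisation rather than anonymisation under the GDPR, because the controller holding the key can re-link the digest; its practical benefit is that linkage now depends on a secret that can be managed and, if need be, destroyed, which is one of the few ways to make immutable on-chain data effectively unlinkable after the fact.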
Then, from an entirely different angle, it can be argued that technologies such as blockchain can do a lot to give us, as individuals, control over what happens to our personal data. The hazards frequently experienced when granting various third parties access to our personal data, in many cases resulting in unintended disclosure and use, can be avoided on blockchain platforms where individuals can more efficiently exercise their rights over their data, and where they place their trust in the technology itself rather than in a third party who might have a hidden agenda.