Blockchain and Privacy: the policy options proposed by the European Parliament

| Insights

In recent years the European debate has largely focused on the problems that blockchain technologies raise in terms of data protection. One of the most controversial issues concerns the identification of the Data Controller (Data Controller), that is the (natural or legal) person which, alone or jointly with others, determines the purposes and means of the processing of personal data. The blockchain technologies make it very difficult to identify this figure since they are characterized by the decentralization of users and by a large number of players. Another controversial issue concerns the right to obtain the deletion of personal data if, for example, they are no longer necessary in relation to the purposes for which they were collected (art. 17 GDPR). Technically, this right hardly seems protectable by the technologies in question. In fact, contrary to the traditional centralized data storage systems in which a central authority manages information, the blockchain is based on the concept of a distributed database where an indeterminate number of users can hold a single piece of data.

The study published by the European Parliament last July proposes policy options to make the blockchain technologies in line with the objectives of the GDPR Regulation.

First, the “technologically neutral” approach of the European legislator in the field of privacy, that is the adoption of a general Regulation, not oriented to a specific technology, requires the regulatory guidance of the European Institutions aimed at interpreting the fundamental GDPR principles (also) in agreement with blockchain technologies.

It would also be desirable that all stakeholders drew up codes of conduct and certification systems (as envisaged by articles 40 and 42 of the GDPR). The study finds that a recent (and positive) example is offered by the code of conduct for cloud providers that has favored the observance of the principles regarding the protection of personal data in the field of cloud technology.

The third policy option proposed by the European Parliament is to establish research centres which, by operating through an interdisciplinary method, could address the most controversial aspects of blockchain technologies. This policy option could lead to a system of governance that allows to overcome the current lack of communication and coordination among the many subjects involved: the new governance system should include, for instance, mechanisms that require not only a data controller to remove such data from their servers, but also to all other controllers and processors that are processing them.

The study published by the European Parliament, therefore, offers possible avenues that European institutions, with the help of all stakeholders, could undertake to face the challenges that the new blockchain technologies are launching. Some of the proposed policy options are already offered by the current European legislation on privacy, while others will require intervention on the same legislation.