Chronicle of a Clash Foretold: Blockchains and the GDPR's Right to Erasure

  • Polytechnic University of Turin
To read the full-text of this research, you can request a copy directly from the authors.


GDPR abiding blockchain systems are feasible. Jurists, programmers, and other experts are increasingly working on this aim nowadays. Still, manifold blockchain networks functioning out there suggest a new generation of data protection issues brought about by this technology. Some of these issues will likely concern the right to erasure set up by Art. 17 of the EU data protection regulation ('GDPR'). These cases will soon be discussed before national authorities and courts, and will likely test the technical solutions explored in this paper, such as hashing-out methods, keys destruction, chameleon hash functions, and more. By taking into account matters of design and the complex architecture of blockchains, we shall distinguish between blockchains that have been thought about to expressly meet the requirements of the EU regulation, and blockchains that, for one reason or another, e.g. ante GDPR designed blockchains, trigger some sort of clash with the legal order, that is, (i) matters of principle on e.g. political decentralization; (ii) standards on security and data protection; (iii) a mix of them; and, (iv) social clash. It is still unclear how the interplay of legal regulation, technological constraints, social norms, and market interests, will end up in this context. Rulings and court orders will be instructive. It is a clash foretold, after all.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... As the GDPR was drafted with centralized data storage in mind, the evolution of decentralized solutions raises new regulatory challenges [19]. Pagallo et al. [20] state that, when looking at the Right to Erasure and blockchains, a clash can be observed. ...
Full-text available
Privacy regulations such as the General Data Protection Regulation (GDPR) of the European Union promise to empower users of online services and to strengthen competition in online markets. Its Article 17, the Right to Erasure (Right to be Forgotten), is part of a set of user rights that aim to give users more control over their data by allowing them to switch between services more easily and to delete their data from the old service. In our study, we investigated the data deletion practices of a sample of 90 online services. In a twostage process, we first request the erasure of our data and analyze to what extent public data (e.g., posts on a social network) remains accessible in a non-anonymized format. More than six months later, we request information on our data using Right of Access requests under Art. 15 GDPR to find out if and what data remains. Our results show that a majority of services perform data erasures without observable breaches of the provisions of Art. 17 GDPR. At 27%, the share of non-compliant services is not negligible; in particular, we observe differences between requests submitted using a dedicated button and formal requests under Art. 17 GDPR.
... Für das Recht auf Löschung (Artikel 17 Absatz 1 DSGVO) können jedoch technische Lösungen gefunden werden. Da der Begriff "Löschen" in der DSGVO aber nicht definiert ist, ist der Begriff offen für eine rechtliche Auslegung [6,18]. Demnach käme statt der Entfernung eines Datensatzes auch eine Anonymisierung ebenjenes in Betracht. ...
Conference Paper
Digitalization, which proceeds in all branches, as well in agriculture, by using new technology, sensors and networking, requires responsible usage of data. One possibility to manage data and use them to create value is the blockchain-technology. It is primary enforced by the food industries and consumers to ensure traceability and transparency. To put blockchain-technology into beneficial use in agriculture, this domain has to be analyzed regarding social and business aspects. This paper presents the results of a qualitative study where 41 actors from the agricultural domain participated in focus groups and delivered a written statement. It was found that farmers are interested in adapting new markets and technologies early to get an economic advantage. On the other hand, the fear of losing traditional local business partners and the social surroundings of the farmers must be considered.
... Therefore, under the GDPR, a data subject whose personal data have been stored on a blockchain has the right to obtain the erasure of her personal data. Putting aside several issues in determining the controller(s) and the processor(s), it seems that current blockchains appear inherently incompatible with the regulatory framework of the European Union [37]. ...
Conference Paper
Governance issues limit blockchains' ability to evolve and face unforeseen challenges. It seems possible to argue that this impasse is because most blockchains lack meta-rules. This work considers blockchains as a socio-technical system of rules, in order to draw a comparison with legal systems. Following the comparison, one finds that most blockchains lack what, in legal theory, are considered secondary rules. That is, the meta-rule of the system. This works examines the relevant concepts and provides their definitions, then proceeds to outline concrete example of the failure of governance among popular blockchains before drawing the parallelism with legal systems and argue that secondary rules might solve some of the issues of the governance of blockchains. Secondary rules are the necessary infrastructure for building sound governance structures and a necessary condition for blockchains to succeed as a new mode of governance. The conclusion provides future research directions.
Employee data can be used to facilitate work, but their misusage may pose risks for individuals. Inverse transparency therefore aims to track all usages of personal data, allowing individuals to monitor them to ensure accountability for potential misusage. This necessitates a trusted log to establish an agreed-upon and non-repudiable timeline of events. The unique properties of blockchain facilitate this by providing immutability and availability. For power asymmetric environments such as the workplace, permissionless blockchain is especially beneficial as no trusted third party is required. Yet, two issues remain: (1) In a decentralized environment, no arbiter can facilitate and attest to data exchanges. Simple peer-to-peer sharing of data, conversely, lacks the required non-repudiation. (2) With data governed by privacy legislation such as the GDPR, the core advantage of immutability becomes a liability. After a rightful request, an individual’s personal data need to be rectified or deleted, which is impossible in an immutable blockchain. To solve these issues, we present Kovacs , a decentralized data exchange and usage logging system for inverse transparency built on blockchain. Its new-usage protocol ensures non-repudiation, and therefore accountability, for inverse transparency. Its one-time pseudonym generation algorithm guarantees unlinkability and enables proof of ownership, which allows data subjects to exercise their legal rights regarding their personal data. With our implementation, we show the viability of our solution. The decentralized communication impacts performance and scalability, but exchange duration and storage size are still reasonable. More importantly, the provided information security meets high requirements. We conclude that Kovacs realizes decentralized inverse transparency through secure and GDPR-compliant use of permissionless blockchain.
The blockchain technology has been rapidly growing since Bitcoin was invented in 2008. The most common type of blockchain systems, public (permissionless) blockchain systems have some unique features that lead to a tension with European Union's General Data Protection Regulation (GDPR) and other similar data protection laws. In this paper, we report the results of a systematic literature review (SLR) on 114 research papers discussing and/or addressing such a tension. To the best of our knowledge, our SLR is the most comprehensive review of this topic, leading a more in-depth and broader analysis of related research work on this important topic. Our results revealed three main types of issues: (i) difficulties in exercising data subjects' rights such as the ‘right to be forgotten’ (RTBF) due to the immutable nature of public blockchains; (ii) difficulties in identifying roles and responsibilities in the public blockchain data processing ecosystem (particularly on the identification of data controllers and data processors); (iii) ambiguities regarding the application of the relevant law(s) due to the distributed nature of blockchains. Our work also led to a better understanding of solutions for improving the GDPR compliance of public blockchain systems. Our work can help inform not only blockchain researchers and developers, but also policy makers and law markers to consider how to reconcile the tension between public blockchain systems and data protection laws (the GDPR and beyond).
Full-text available
Bilgi ve İletişim Teknolojilerinin (BİT) hızla gelişmesiyle birlikte, çok miktarda kişisel veri oluşmakta, kullanılmakta ve depolanmaktadır. Depolanmakta olan kişisel veriler, son kullanıcıların teknik ve hukuki yönlerden korunmalarını gerektirmektedir. Blokzincir teknolojisi kişisel verilerin gizliliğini korumak ve kontrolünü sağlamak için son yıllarda önemli gelişmeler kaydeden yenilikçi teknoloji olarak görülmektedir. Merkezi olmayan ve Eşler Arası (Peer-to-Peer-P2P) bir dağıtık dijital defter olan blokzincir teknolojisi, dijital varlıkların tüm işlemlerini depolayabilen, merkezi olmayan, doğrulanabilir ve değiştirilemez bir defter hizmeti sunar. Bir ağdaki katılımcılarla onlara tam olarak güvenmeye gerek kalmadan veri paylaşma konusunda yeni bir yaklaşım sunmaktadır. Yakın zamanda tanıtılan Genel Veri Koruma Yönetmeliği (GDPR) ve Kişisel Verilerin Korunması Kanunu (KVKK), kişisel verilerin nasıl ele alınacağı konusunda büyük değişiklikler getirmektedir. GDPR ve KVKK, kişisel verilerin kullanmasıyla veri denetleyicileri ve işlemciler için yeni koruma zorunlulukları getirmiştir. GDPR ve KVKK, veri koruma mevzuatı kapsamında birliğinin sağlanması için kişisel olarak tanımlanan verilere (PII) daha kolay erişim, silme, düzeltme ve taşıma hakkı verilmesi gibi yeni uygulamalar getirmektedir. GDPR ve KVKK kapsamında, merkezi yapıların hâkim olduğu bir toplumda kişisel veri işleme faaliyetlerinin çoğunlukla merkezi yapılar tarafından gerçekleştirilmesi ve uyulması gereken bir takım usul ve esasları vardır. Ancak blokzincir platformunda ortaya koyulan araştırmalarda kişisel olarak tanımlanan verilerin saklanmasında; merkezi tüzel veya gerçek kişilerin veri saklama, işleme ve silme, gibi uygulamaları gerçekleştirmesi yönünde hazırlanan KVKK ve GDPR hükümlerinin uygulanmasında bazı uyumsuzluklar bulunmaktadır. Bu çalışmada, blokzincirin temel özellikleri detaylandırılmış, kişisel verilerinin kullanımı için blokzincir teknolojisi destekli çözümler açıklanmış ve konuya dair sorunlar ile zorlukları tartışılmıştır. Literatür incelendiğinde; kişisel verilerin günümüzde blokzincir ağında saklanmamasına yönelik tavsiyeler verildiği görülmüştür. Kişisel verilerin KVKK ve GDPR kapsamındaki birincil haklarının, blokzincir teknolojisinin karakteristik yapısına uygun olmadığı, akademik ve uygulamalı araştırmalarda gösterilmiştir. Blokzincir teknolojisindeki gelişme ve güncellemelerin, teknolojinin kendisi ile çelişeceği ve blokzincirin karakteristik özelliğini yok edeceği akademik çevrelerce düşünülmekte ve bundan dolayı temel yapıyı etkilemeyecek (özel anahtarın silinmesi, zincir dışı depolama, karma değeri silinmesi vb.) küçük çaplı değişikliklerin yapılması önerilmektedir.
ResearchGate has not been able to resolve any references for this publication.