bypas

the 1st illustrated legal forum

18 November, 2019

can Blockchain be impersonal and decentralized?

not yet known


Thanks to the invitation of Alastria and APEP (The Spanish Professional Association of Privacy), I had my moment as a speaker at the first World Congress of Blockchain Convergence in Malaga, on 11, 12 and 13 November.

I shared in the Congress my opinion about:

- the undoubted usefulness of Blockchain;
- the need to urge data protection authorities to interpret the General Data Protection Regulation (GDPR) in a constructive way; and
- if necessary, the need to urge an agile modification of the GDPR that, without lowering the level of protection, allows it to accompany the future development of Blockchain.

The Congress was a success. I liked it very much, I learned a lot and I realized that there is still a lot to clarify and a lot to do. A video summary of what was said in the privacy block is available.

 

One of the issues on which the experts seem to have become stuck is that, in Blockchain, the rights of rectification and erasure of data subjects cannot be honoured because of the very immutability of the chain of blocks and, therefore, no Blockchain can ever be compliant with the GDPR.

However, the rights of rectification and erasure are not absolute. In fact, they are subject to such conditions and exceptions that, in practice, there are very few cases in which the right of erasure can be granted immediately by the data controller when requested. In Spain, it is not even legal to grant it as long as the general obligation of the data controller to block the data during the limitation period for data protection actions applies. That is an obligation we have invented in Spain; it exists neither in the GDPR nor in other European countries.

If this is the case, wouldn't it be easier and more reasonable to allow users who want to make transactions in a Blockchain to assume beforehand its immutable character and "renounce" their right to rectification and erasure forever? If we were to balance the rights and freedoms affected against the utilities offered by Blockchain, would it not be more reasonable to modify the GDPR in this respect? Would legalizing such an exception be an unacceptable restriction of the fundamental right to personal data protection?

For the time being, in the face of this incompatibility, the recommended solution (1) is not to introduce personal data into the chain. The difficulty that then arises is that it does not seem technically feasible to anonymize completely the personal data incorporated into the chain in such a way as to guarantee its absolutely impersonal nature.

It seems that we are facing an insurmountable wall: no Blockchain would conform to the GDPR as it is.

 

Or could we look for constructive interpretations that would allow pseudonymized data to be used in the chain, ensuring that nobody we do not want to has "all the means reasonably likely to be used" to identify the natural person to whom those pseudonymized data refer? If nodes and miners (and the "bad guys") could not have access to these means, could we not argue that the chain is truly impersonal for all of them? Or, on the contrary, would we always be faced with a technology in which transactions could be traced back to an identifiable natural person, so that the data would always be merely pseudonymized and therefore subject to the GDPR?
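
As an added illustration of the "means reasonably likely to be used" question (example code written for this edit, not from the post or from the Congress speakers), the same constructed identifiers are referenced on-chain once as plain SHA-256 digests and once as HMAC digests under a key kept off-chain. A node that can merely enumerate plausible identifiers re-identifies every plain digest, while the keyed digests stay unlinkable for any party that does not also hold the key; the key is therefore the "means" whose availability decides for whom the chain is impersonal, and discarding it is one way a controller could approach erasure.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the original post): identifiers that
# end up referenced on-chain, and the guess list a curious node can build.
SUBJECTS = ["ana@example.org", "luis@example.org", "marta@example.org"]
GUESS_LIST = SUBJECTS + ["pedro@example.org"]


def plain_reference(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, so any node can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_reference(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: recomputing it requires the key held off-chain."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reidentify(chain_refs: List[str], guesses: List[str],
               key: Optional[bytes]) -> Dict[str, str]:
    """Map on-chain references back to people using only a guess list and,
    for the keyed scheme, whatever key this party holds.
    Returns {reference: identifier} for every successful match."""
    on_chain = set(chain_refs)
    recovered: Dict[str, str] = {}
    for guess in guesses:
        ref = plain_reference(guess) if key is None else keyed_reference(guess, key)
        if ref in on_chain:
            recovered[ref] = guess
    return recovered


def demo() -> Tuple[int, int, int]:
    """Returns (hits on plain digests, hits on keyed digests without the key,
    hits on keyed digests with the key)."""
    key = secrets.token_bytes(32)           # the "means": kept off-chain
    plain_chain = [plain_reference(s) for s in SUBJECTS]
    keyed_chain = [keyed_reference(s, key) for s in SUBJECTS]
    from_plain = reidentify(plain_chain, GUESS_LIST, None)
    wrong_key = secrets.token_bytes(32)     # a node guessing without the key
    without_key = reidentify(keyed_chain, GUESS_LIST, wrong_key)
    with_key = reidentify(keyed_chain, GUESS_LIST, key)
    return len(from_plain), len(without_key), len(with_key)


if __name__ == "__main__":
    print(demo())  # (3, 0, 3)
```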

 

It is not yet known whether Blockchain can be technically impersonal.

 

If it were possible, there would be no need to enter into the second of the considerations that I address below: the legality of a truly decentralized technology.

 

While preparing the paper, I read a very interesting article about privacy being not only personal but "interdependent" or a "multi-actor" phenomenon (2). What does this concept consist of? It means that any data subject shares not only his or her own data but also the personal data of other people, and accepts that our social environment is passively monitored. This may occur every time we download certain mobile applications or use "always-on" listening devices (such as Amazon's Alexa). However, apparently, this is only a personal and household activity and, therefore, outside the scope of the GDPR.

But doesn't it squeak a bit? Don't you feel unprotected?

 

It is clear that full data protection is not just a matter for data controllers, but that is not the approach taken by the GDPR so far.

 

Shouldn't we have to do something about it so that users take responsibility for that data processing?

 

I come back to Blockchain as, between this situation and how Blockchain works, there is a certain parallelism.

 

In a public and non-permissioned Blockchain, the users (nodes or miners) process the transactions (which may contain personal data) according to the consensus that they have freely and voluntarily accepted for purposes and with means that are publicly known and openly used. It is not easy to identify a data controller. We could ask ourselves if this activity of the nodes or miners is a purely personal activity or household use and, therefore, if it is outside the application of the GDPR.

 

But, here too, something squeaks: What a lack of protection!

 

It is clear that total data protection cannot depend solely on there being a duly identified controller, but this is not the approach taken by the GDPR.

Shouldn't we have to do something about it so that the nodes or miners take responsibility for that treatment?

The GDPR does not prohibit the absence of an identified data controller, but it does not conceive that there can be a truly decentralized network. The problem is that, as we have seen, decentralised data processing already exists both inside and outside Blockchain.

Hence, the recommended solution (3) to reconcile Blockchain and GDPR is to encourage cases of private and permissioned Blockchain use in order to be able to identify a data controller (to blame if needed) and thus not conflict with the GDPR.

 

Should we therefore renounce a truly decentralized Blockchain for not complying with data protection regulations?

 

It is not yet even known whether it can be technically guaranteed that a network is truly decentralized.

 

At the Congress, we learned about research into new tools and solutions that can bring this technology closer to current regulations. For example:

 

Daniel Benarroch, from the ZKProof.org Association, elaborated on the cryptographic solution his group is working on, Zero-Knowledge Proofs, which in the near future may allow a secure form of "anonymization", i.e. not inserting personal data into the chain.

For his part, Turing Award winner Silvio Micali presented the revolutionary changes he is researching, with which he intends to restore the decentralized character of Blockchain that Bitcoin seems to have lost.

We will have to wait and see.

 

In the meantime, if you would like to discuss this with us, contact me at info@lawingit.com

(1) and (3) I refer here to the report prepared by the European Observatory and Forum on Blockchain.

(2) Bernadette Kamleitner and Vince Mitchell, "Your Data is My Data: A Framework for Addressing Interdependent Privacy Infringements", American Marketing Association, 2019.