Blockchain and the General Data Protection Regulation: an irreconcilable regulatory approach?

A blockchain is a class of technology that allows the creation and management of different forms of decentralised and distributed digital ledgers where data are stored, chronologically recorded, transferred and finally shared between the ‘nodes’ participating in a peer-to-peer network. These features prima facie clash with the GDPR that informs the EU data protection legislation and is based on a centralised representation of the reality in which data are processed, collected, and recorded in a database controlled by identified subjects. The underpinning idea of this article is diametrically opposed to the one which considers the technology not GDPR-compliant by default. First, the author argues that the points of tension can be mitigated by technical and/or governance methods, thus acting at both application and infrastructure level. In essence, a case-by-case analysis is the only feasible option to assess the compliance between the regulation and the technology. Second, a further and closer look at blockchain’s underlying concepts reveals how both the GDPR and the blockchain have the same purposes but different approaches. More interestingly, the article suggests that the blockchain could be seen as a Privacy Enhancing Technology (PET), which might help data subjects gain more control over their personal data and hence support one of the GDPR’s purposes (recital 7).