"… To determine whether a natural person is
identifiable [and therefore whether data is personal
data that is the subject of the GDPR], account should
be taken of all the means reasonably likely to be
used, such as singling out, either by the controller
or by another person to identify the natural person
directly or indirectly. To ascertain whether means are
reasonably likely to be used to identify the natural
person, account should be taken of all objective
factors, such as the costs of and the amount of time
required for identification, taking into consideration
the available technology at the time of the
processing and technological developments …"
Given the above background, we would suggest that
whether a hash is personal data and so within the scope
of the GDPR will depend on the circumstances of the
particular case. If the personal data being hashed is
something simple like a name, a phone number or an IP
address and the hashing function is a simple one
(not a salted/peppered hash function) the hash is unlikely
to be sufficiently anonymous. However, if the hash is such
that there are no means reasonably likely to be used by
anyone to identify the individual, then there are good
arguments that the hash itself should not be regarded
as personal data. This view is supported by a number
of commentators including the German Blockchain
Federation (Blockchain Bundesverband), which argues
that the deletion of all off-chain data linking a hash to a
data subject renders the hash anonymous,15 and the UK
Anonymisation Network, which argues anonymous data is
not personal data if all reference data that would enable
one to identify a data subject using the anonymised data
is destroyed - i.e., irreversible anonymisation.16
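To make the "simple hash" versus "salted/peppered hash" distinction concrete, the following added example (written for this page, not taken from the paper or any cited body) re-links a hash to its subject by recomputing the function over the controller's reference data. With an unkeyed SHA-256 the reference data for a phone number is effectively the whole numbering plan, so re-identification is cheap; with an HMAC keyed by a secret pepper held off-chain, the hash can only be recomputed while the pepper exists, and destroying the pepper is the irreversible step the UK Anonymisation Network describes. The subscriber list and pepper are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample reference data held off-chain by the controller
# (placeholder numbers, not real subscribers).
SUBSCRIBERS = ["+44 7700 900001", "+44 7700 900002", "+44 7700 900003"]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: anyone who can guess the input can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def peppered_hash(value: str, pepper: bytes) -> str:
    """HMAC-SHA256 keyed with a secret pepper: recomputation needs the pepper."""
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()


def relink(target: str, reference_data: Iterable[str],
           hash_fn: Callable[[str], str]) -> Optional[str]:
    """Re-identify a hash by recomputing hash_fn over the reference data.

    This is the 'means reasonably likely to be used' test in code: if the
    caller has both the reference data and the function, the subject is found.
    """
    for candidate in reference_data:
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


def still_identifiable_after_pepper_destroyed(target: str,
                                              reference_data: Iterable[str]) -> bool:
    """Once the pepper is destroyed, only unkeyed recomputation remains.

    Returns True if the on-chain hash can still be matched without the pepper.
    """
    return relink(target, reference_data, plain_hash) is not None


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)  # constructed secret, kept off-chain
    subject = SUBSCRIBERS[1]
    print("plain hash re-linked to:", relink(plain_hash(subject), SUBSCRIBERS, plain_hash))
    keyed = peppered_hash(subject, pepper)
    print("keyed hash re-linked with pepper:",
          relink(keyed, SUBSCRIBERS, lambda v: peppered_hash(v, pepper)))
    print("keyed hash identifiable after pepper destroyed:",
          still_identifiable_after_pepper_destroyed(keyed, SUBSCRIBERS))
```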
5.2 How to meet the GDPR challenge, part 2: establish a robust contractual governance framework
There are several key obligations under the GDPR which mean that any deployment of a commercial blockchain network will require a governance framework that is contractually binding on all participants. For the purposes of this paper, we consider those key GDPR obligations to be:
1 detailed data processing agreements as between controllers and processors;
2 clear and transparent agreements as between joint data controllers (where relevant);
3 restrictions on transfers of personal data out of the EEA; and
4 the provision of fair processing information (i.e. privacy notices).
However, as a pre-requisite to any governance framework,
it will be necessary to implement GDPR-compliant
blockchain solutions on a private, permissioned network
(as opposed to a public, permissionless network).
GDPR and the Blockchain I 25