Page 0027

"… To determine whether a natural person is

identifiable [and therefore whether data is personal

data that is the subject of the GDPR], account should

be taken of all the means reasonably likely to be

used, such as singling out, either by the controller

or by another person to identify the natural person

directly or indirectly. To ascertain whether means are

reasonably likely to be used to identify the natural

person, account should be taken of all objective

factors, such as the costs of and the amount of time

required for identification, taking into consideration

the available technology at the time of the

processing and technological developments …"

Given the above background, we would suggest that

whether a hash is personal data and so within the scope

of the GDPR will depend on the circumstances of the

particular case. If the personal data being hashed is

something simple like a name, a phone number or an IP

address and the hashing function is a simple one

(not a salted/peppered hash function) the hash is unlikely

to be sufficiently anonymous. However, if the hash is such

that there are no means reasonably likely to be used by

anyone to identify the individual, then there are good

arguments that the hash itself should not be regarded

as personal data. This view is supported by a number

of commentators including the German Blockchain

Federation (Blockchain Bundesverband), which argues

that the deletion of all off-chain data linking a hash to a

data subject renders the hash anonymous,15 and the UK

Anonymisation Network, which argues anonymous data is

not personal data if all reference data that would enable

one to identify a data subject using the anonymised data

is destroyed - i.e., irreversible anonymisation.16


How to meet the GDPR

challenge, part 2: establish a

robust contractual governance


There are several key obbligations under the GDPR which

mean that any deployment of a commercial blockchain

network will require a governance framework that is

contractually binding on all participants. For the purposes

of this paper, we consider those key GDPR obligations

to be:

1 detailed data processing agreements as between

controllers and processors;

2 clear and transparent agreements as between joint

data controllers (where relevant);

3 restrictions on transfers of personal data out of the

EEA; and

4 the provision of fair processing information

(i.e. privacy notices).

However, as a pre-requisite to any governance framework,

it will be necessary to implement GDPR-compliant

blockchain solutions on a private, permissioned network

(as opposed to a public, permissionless network).

GDPR and the Blockchain I 25


  1. Page 0001
  2. Page 0002
  3. Page 0003
  4. Page 0004
  5. Page 0005
  6. Page 0006
  7. Page 0007
  8. Page 0008
  9. Page 0009
  10. Page 0010
  11. Page 0011
  12. Page 0012
  13. Page 0013
  14. Page 0014
  15. Page 0015
  16. Page 0016
  17. Page 0017
  18. Page 0018
  19. Page 0019
  20. Page 0020
  21. Page 0021
  22. Page 0022
  23. Page 0023
  24. Page 0024
  25. Page 0025
  26. Page 0026
  27. Page 0027
  28. Page 0028
  29. Page 0029
  30. Page 0030
  31. Page 0031
  32. Page 0032
  33. Page 0033
  34. Page 0034
  35. Page 0035
  36. Page 0036
  37. Page 0037
  38. Page 0038
  39. Page 0039
  40. Page 0040
  41. Page 0041
  42. Page 0042
  43. Page 0043
  44. Page 0044
  45. Page 0045
  46. Page 0046
  47. Page 0047
  48. Page 0048
  49. Page 0049
  50. Page 0050
  51. Page 0051
  52. Page 0052