Deleting personal data and upholding data subject rights

While a detailed contractual governance framework will go
some way to addressing GDPR obligations and concerns,
there are certain data protection problems which remain
unsolved. In particular, these problems stem from a data
subject's rights to request that: (1) their personal data be
deleted; and (2) their personal data be corrected wherever
it is inaccurate.

The right to be forgotten and the obligation to delete data

1 - The challenge

One of the most valuable properties of
blockchain technology is its immutable nature. This
ensures the permanence (and, therefore, reliability)
of the data on the blockchain. That being said, the
immutability of data on a blockchain is at odds with a
right to erasure (the so-called 'right to be forgotten') or an
obligation to delete data. This particular challenge is thus
understandably one of the most widely discussed in the
context of the GDPR and blockchain.

As discussed above, it will be difficult in most cases to be
certain that no personal data is stored on the blockchain.
Thus, blockchain solutions must confront the need to
manage personal information in compliance with the
GDPR. This includes abiding by the data minimisation
obligation discussed in Section 4.3, and the right to
erasure discussed in Section 4.6 (A).

The data minimisation obligation will be satisfied so
long as the data are limited to what is necessary for
the purpose for which they are processed. Thus, if the
personal data stored on the blockchain remain necessary
for the purpose for which they are processed, retention
of the data on the blockchain does not violate the data
minimisation obligation. Similarly, the qualified right to
erasure does not require blockchain members to delete
personal data if a valid purpose still exists to process
that data. As discussed above, one such valid purpose is
where the processing of said data is required by EU or EU
Member State law.

In almost all cases, however, after a sufficient period of
time, personal data will no longer need to be retained to
fulfil the purposes for which it was collected. At this point,
the exception to the right of erasure will no longer apply
and the personal data must be deleted upon a request
by the relevant individual. Additionally, the obligation in
Article 5 of the GDPR (to retain personal data for only
so long as is necessary for the purpose for which it is
processed), requires data controllers to delete personal
data once they are no longer needed, even absent a
request from the individual. Almost any means used to
store personal data in a business context must, therefore,
enable deletion of that personal data.

2 - Potential solution: Blockchain "pruning"

If the personal data on a particular blockchain network
must be retained for a certain number of years to satisfy
a particular legal or regulatory obligation, one option
may be to "prune" the blockchain. Pruning is the process
of deleting historical blocks on the blockchain that
pre-date a certain point in time. For example, if regulation
requires data to be stored for seven years, the blockchain
governance framework could require that all participants
in the blockchain network delete all blocks of data that are
more than seven years old.
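
Added example (not from the original paper): a minimal sketch of time-based pruning on a hash-linked chain, using the seven-year period from the text. It assumes blocks are stored in timestamp order and that each participant keeps the hash of the newest deleted block as a checkpoint, so the retained blocks can still be verified; the block layout, function names and sample records are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7 * 365)  # seven-year rule from the text, leap days ignored

def block_hash(block):
    """SHA-256 over the block's fields, excluding its own stored hash."""
    body = {k: block[k] for k in ("index", "timestamp", "prev_hash", "data")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_chain(entries):
    """Build a hash-linked chain from (timestamp, data) pairs in time order."""
    chain, prev = [], "0" * 64
    for i, (ts, data) in enumerate(entries):
        block = {"index": i, "timestamp": ts.isoformat(), "prev_hash": prev, "data": data}
        block["hash"] = prev = block_hash(block)
        chain.append(block)
    return chain

def prune(chain, now, retention=RETENTION):
    """Delete every block older than the retention period.
    Returns (checkpoint, kept); checkpoint is the hash of the newest deleted
    block, the only value retained from the pruned history."""
    cutoff = now - retention
    first = next((i for i, b in enumerate(chain)
                  if datetime.fromisoformat(b["timestamp"]) >= cutoff), len(chain))
    kept = chain[first:]
    if kept:
        return kept[0]["prev_hash"], kept
    return (chain[-1]["hash"] if chain else "0" * 64), kept

def verify(checkpoint, kept):
    """Check that the retained blocks link back to the checkpoint untampered."""
    prev = checkpoint
    for b in kept:
        if b["prev_hash"] != prev or block_hash(b) != b["hash"]:
            return False
        prev = b["hash"]
    return True

# Constructed sample records; the data values stand in for personal data.
UTC = timezone.utc
SAMPLE = [(datetime(2015, 6, 1, tzinfo=UTC), "record A"),
          (datetime(2016, 11, 15, tzinfo=UTC), "record B"),
          (datetime(2018, 3, 1, tzinfo=UTC), "record C"),
          (datetime(2023, 9, 30, tzinfo=UTC), "record D")]
CHAIN = make_chain(SAMPLE)
CHECKPOINT, KEPT = prune(CHAIN, now=datetime(2024, 1, 1, tzinfo=UTC))
```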

30 | GDPR and the Blockchain