Page 0035

That being said, as a practical matter, forking is a very

costly technique that will also be operationally disruptive.

What is more, the GDPR requires deletion of personal

data within a maximum of three months from a valid

request, meaning that a forking exercise would be required

multiple times each year. Given the costs and time

involved in such an exercise, it is difficult to conclude

that forking is an adequate data deletion solution. These

negative aspects of forking are further evidence of the

need for up-to-date, pragmatic regulatory intervention in

this space to enable reliance on innovative but effective

forms of data deletion.


The right of rectification

1 - The challenge

A second major challenge posed by the GDPR relates to

the right of rectification. This can be thought of as two

distinct rights: (a) the right to rectification of inaccurate

personal data; and (b) the right to complete incomplete

personal data. As explained in Section 4.6(B) this right

is unqualified. Therefore, none of the exceptions that

apply to the right of erasure (such as the right of the data

controller to retain data for the establishment, exercise or

defence of legal claims) apply to the right of rectification.

If a data subject with inaccurate or incomplete personal

data on a blockchain asks the data controllers to rectify

the information, the data controllers must do so.

Similar to the right to erasure, the immutable nature of

blockchain technology is seemingly at odds with the right

to rectification, especially the right to rectify inaccurate

personal data.

2 - Potential solution: Rectification by

a supplementary notice

The GDPR is clear that it is possible to rectify incomplete

personal data about a data subject by supplementing

that data with a clarificatory statement. That being said,

there are obvious difficulties for blockchain solutions in

rectifying incomplete personal data set out in historical

blocks on the chain. This stems from the fact that, as

discussed above, alteration to historical blocks will impact

the entirety of the blockchain as it then exists.

While the rectification of incomplete personal data may

be feasible by way of a clarificatory statement, it is not

clear whether the same is true for the rectification of

inaccurate personal data under the GDPR. The fact that

a supplementary statement is specifically mentioned in

the context of the right to rectify incomplete personal

data, and not in the case of the right to rectify inaccurate

personal data, suggests it is not a sufficient means of

rectifying inaccurate personal data.

This would mean that to comply with the right to

rectification of inaccurate personal data, the earlier

incorrect information would need to be erased and

replaced with the corrected information. This of course

makes sense in many instances - it will usually be more

appropriate to remove a statement about someone that is

plainly incorrect than to simply supplement it with

a correction.

GDPR and the Blockchain I 33


  1. Page 0001
  2. Page 0002
  3. Page 0003
  4. Page 0004
  5. Page 0005
  6. Page 0006
  7. Page 0007
  8. Page 0008
  9. Page 0009
  10. Page 0010
  11. Page 0011
  12. Page 0012
  13. Page 0013
  14. Page 0014
  15. Page 0015
  16. Page 0016
  17. Page 0017
  18. Page 0018
  19. Page 0019
  20. Page 0020
  21. Page 0021
  22. Page 0022
  23. Page 0023
  24. Page 0024
  25. Page 0025
  26. Page 0026
  27. Page 0027
  28. Page 0028
  29. Page 0029
  30. Page 0030
  31. Page 0031
  32. Page 0032
  33. Page 0033
  34. Page 0034
  35. Page 0035
  36. Page 0036
  37. Page 0037
  38. Page 0038
  39. Page 0039
  40. Page 0040
  41. Page 0041
  42. Page 0042
  43. Page 0043
  44. Page 0044
  45. Page 0045
  46. Page 0046
  47. Page 0047
  48. Page 0048
  49. Page 0049
  50. Page 0050
  51. Page 0051
  52. Page 0052