That being said, as a practical matter, forking is a very
costly technique that will also be operationally disruptive.
What is more, the GDPR requires deletion of personal
data within a maximum of three months from a valid
request, meaning that a forking exercise would be required
multiple times each year. Given the costs and time
involved in such an exercise, it is difficult to conclude
that forking is an adequate data deletion solution. These
negative aspects of forking are further evidence of the
need for up-to-date, pragmatic regulatory intervention in
this space to enable reliance on innovative but effective
forms of data deletion.
B - The right of rectification
1 - The challenge
A second major challenge posed by the GDPR relates to
the right of rectification. This can be thought of as two
distinct rights: (a) the right to rectification of inaccurate
personal data; and (b) the right to complete incomplete
personal data. As explained in Section 4.6(B), this right
is unqualified. Therefore, none of the exceptions that
apply to the right of erasure (such as the right of the data
controller to retain data for the establishment, exercise or
defence of legal claims) apply to the right of rectification.
If a data subject with inaccurate or incomplete personal
data on a blockchain asks the data controllers to rectify
the information, the data controllers must do so.
Similar to the right to erasure, the immutable nature of
blockchain technology is seemingly at odds with the right
to rectification, especially the right to rectify inaccurate
personal data.
2 - Potential solution: Rectification by a supplementary notice
The GDPR is clear that it is possible to rectify incomplete
personal data about a data subject by supplementing
that data with a clarificatory statement. That being said,
there are obvious difficulties for blockchain solutions in
rectifying incomplete personal data set out in historical
blocks on the chain. This stems from the fact that, as
discussed above, alteration to historical blocks will impact
the entirety of the blockchain as it then exists.
While the rectification of incomplete personal data may
be feasible by way of a clarificatory statement, it is not
clear whether the same is true for the rectification of
inaccurate personal data under the GDPR. The fact that
a supplementary statement is specifically mentioned in
the context of the right to rectify incomplete personal
data, and not in the case of the right to rectify inaccurate
personal data, suggests it is not a sufficient means of
rectifying inaccurate personal data.
This would mean that to comply with the right to
rectification of inaccurate personal data, the earlier
incorrect information would need to be erased and
replaced with the corrected information. This of course
makes sense in many instances - it will usually be more
appropriate to remove a statement about someone that is
plainly incorrect than to simply supplement it with
a correction.