
Forget Me Nodes instead of Forget-Me-Nots (PART ONE)

By Marisa Agius and Mona Holocher, students at the Internet Law Clinic

Forget Me Nodes instead of Forget-Me-Nots: Blockchain, GDPR, and the Battle Over the Right to Be Forgotten

Part 1: When Blockchain Remembers What Law Wants to Forget

Within the last few years, blockchain technology has moved rapidly from newcomer to mainstream player in the global tech industry. Imagine accidentally uploading a sensitive document onto a blockchain: unlike on Instagram or Facebook, you cannot just hit delete. As the technology spreads into everyday life, from decentralised finance (DeFi) to healthcare administration to trade management, one reality remains constant: our data powers these systems. This raises the overarching question: can blockchain innovation and data privacy truly coexist, or must one give way to the other?
This is a two-part piece. The first part explains what blockchain technology is, explores the data privacy issues it creates, and analyses the applicability of the “right to be forgotten” under the EU General Data Protection Regulation (GDPR), a leading data privacy framework with global reach: under Article 3(2) it applies to any organisation, wherever established, that offers goods or services to individuals in the EU or monitors their behaviour. The second part will identify practical solutions for both industry and end-users to prevent issues such as accidentally uploading personal information onto a blockchain.

What Is a Blockchain?

A blockchain is a decentralised ledger in which records are grouped into time-stamped “blocks”, each of which carries the cryptographic hash of the block before it. Because a block’s own hash is computed over its contents and that inherited hash, altering or removing any block changes its hash and breaks the link from every block that follows, so the tampering is detectable by anyone holding a copy. Unlike a traditional database held on a single server, a full copy of the ledger is replicated across the participating computers, known as nodes, which are typically spread across many jurisdictions rather than confined to one.

To transact on a blockchain, a participant needs a key pair: a private key, kept secret, and a corresponding public key. The private key is used to sign transactions, and anyone in the network can check such a signature against the public key (the lock-and-key principle). The public key, or an address derived from it, is therefore visible to all participants and is written into every transaction the participant sends or receives.

Because of this design, it is often said that no central authority is needed to verify transactions: they are checked independently by many participants, and the agreed record is tamper-evident. Once data is recorded on the chain, it cannot be altered or deleted without the change being visible, and in practice not without rewriting every later block and persuading the rest of the network to accept the rewrite. This is what makes transactions on a blockchain secure and trustworthy without an intermediary, and what makes the technology attractive to industries that handle large volumes of data.
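To make the hash-linking concrete, the following is an added example written for this piece; it is not code from Bitcoin or any other blockchain project. It builds a minimal hash-linked ledger in Python and then tries the three things an erasure request would ask for: editing a block in place, editing it and recomputing its hash, and deleting it outright. The block layout, field names and sample transactions (including the “memo” standing in for an accidentally uploaded document) are constructed for illustration; there is no signing, networking or consensus.

```python
"""Minimal hash-linked ledger: each block stores the SHA-256 of its predecessor,
so editing or deleting recorded data is detectable from the chain itself.
Block layout, field names and sample data are constructed for this example."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Dict, List

BASE_TIMESTAMP = 1_700_000_000  # fixed so the example is deterministic

# Constructed sample transactions. "from"/"to" play the role of the
# public-key-derived addresses in a transaction's metadata; the memo in the
# second batch stands in for an accidentally uploaded personal document.
SAMPLE_BATCHES: List[List[Dict]] = [
    [{"from": "addr_1a2b", "to": "addr_9f8e", "amount": 5}],
    [{"from": "addr_9f8e", "to": "addr_c3d4", "amount": 2,
      "memo": "passport_scan.pdf (uploaded by mistake)"}],
    [{"from": "addr_c3d4", "to": "addr_1a2b", "amount": 1}],
]


@dataclass(frozen=True)
class Block:
    index: int
    timestamp: int
    transactions: List[Dict]  # content data plus sender/receiver metadata
    prev_hash: str            # hash of the preceding block: the "link"
    block_hash: str           # SHA-256 over all of the fields above


def block_digest(index: int, timestamp: int, transactions: List[Dict], prev_hash: str) -> str:
    """SHA-256 over a canonical JSON encoding of every field except the hash itself."""
    canonical = json.dumps(
        {"index": index, "timestamp": timestamp,
         "transactions": transactions, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(canonical).hexdigest()


def seal(index: int, timestamp: int, transactions: List[Dict], prev_hash: str) -> Block:
    """Create a block whose stored hash matches its contents."""
    return Block(index, timestamp, transactions, prev_hash,
                 block_digest(index, timestamp, transactions, prev_hash))


def build_chain(batches: List[List[Dict]]) -> List[Block]:
    """Genesis block followed by one block per batch, each linked to its predecessor."""
    chain = [seal(0, BASE_TIMESTAMP, [], "0" * 64)]
    for txs in batches:
        prev = chain[-1]
        chain.append(seal(prev.index + 1, BASE_TIMESTAMP + prev.index + 1, txs, prev.block_hash))
    return chain


def verify_chain(chain: List[Block]) -> List[int]:
    """Positions of blocks whose own hash, or link to the previous block, is broken."""
    broken = []
    for pos, blk in enumerate(chain):
        if blk.block_hash != block_digest(blk.index, blk.timestamp, blk.transactions, blk.prev_hash):
            broken.append(pos)  # contents no longer match the stored hash
        elif pos > 0 and blk.prev_hash != chain[pos - 1].block_hash:
            broken.append(pos)  # predecessor is not the block this one was sealed against
    return broken


def redact_in_place(chain: List[Block], pos: int, new_txs: List[Dict]) -> List[Block]:
    """Naive erasure: overwrite the transactions but leave the stored hash untouched."""
    copy = list(chain)
    copy[pos] = replace(copy[pos], transactions=new_txs)
    return copy


def redact_and_reseal(chain: List[Block], pos: int, new_txs: List[Dict]) -> List[Block]:
    """Overwrite and recompute this block's hash; later blocks still point at the old hash."""
    copy = list(chain)
    old = copy[pos]
    copy[pos] = seal(old.index, old.timestamp, new_txs, old.prev_hash)
    return copy


def delete_block(chain: List[Block], pos: int) -> List[Block]:
    """Drop a block entirely; the following block now links to a hash that is gone."""
    return chain[:pos] + chain[pos + 1:]


def demo() -> Dict[str, List[int]]:
    """Which blocks each kind of 'erasure' leaves detectably inconsistent."""
    chain = build_chain(SAMPLE_BATCHES)
    redaction = [{"redacted": True}]
    return {
        "untouched": verify_chain(chain),                                      # []
        "edit_in_place": verify_chain(redact_in_place(chain, 2, redaction)),    # [2]
        "edit_and_reseal": verify_chain(redact_and_reseal(chain, 2, redaction)),  # [3]
        "delete": verify_chain(delete_block(chain, 2)),                        # [2]
        "rewrite_tail": verify_chain(redact_and_reseal(chain, 3, redaction)),  # []
    }


if __name__ == "__main__":
    for case, broken in demo().items():
        print(f"{case:16s} broken blocks: {broken}")
```

Two things worth noticing. First, hash linking makes tampering detectable rather than impossible: the “rewrite_tail” case shows that whoever holds a copy can freely re-seal its newest block, and could re-seal every later block too. What makes rewriting Bitcoin’s history infeasible in practice is that thousands of independent nodes hold the same chain and will reject a copy whose links do not match theirs. Second, the “from” and “to” fields survive every attempt at redaction in the blocks around the one being changed; those address fields are exactly the transactional metadata that the GDPR discussion below treats as pseudonymised personal data.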

Crucially, blockchains come in more than one form. Participation can be limited to designated parties (permissioned) or open to anyone (permissionless). The best-known blockchains, such as Bitcoin, are permissionless.

Why Does It Matter for Data Privacy?  

In the EU context, the problem is that the unchangeable nature of a blockchain collides directly with the GDPR’s data privacy protections. The clearest example is Article 17 GDPR, which enshrines the right to erasure (commonly referred to as the “right to be forgotten”).

The GDPR contains some of the most comprehensive data privacy protections in the world, and its provisions reach any organisation, wherever located, that targets data subjects in the EU. Among the rights it confers, the GDPR gives individuals control over their personal data, including the ability to request erasure where the data is no longer needed for the purpose it was collected for, where consent is withdrawn, or where the processing is unlawful.

Under Article 4(1) GDPR, personal data is any information relating to an identified or identifiable natural person. A person is identifiable if means reasonably likely to be used, including additional information held elsewhere, could link the data back to them (Recital 26). Pseudonymised data such as wallet addresses or transaction metadata therefore falls within the GDPR’s scope whenever it can be connected to an individual, for instance by an exchange that has verified the identity behind an address.

A blockchain stores both transactional metadata and content data. Content data may itself contain personal or identifying information, but even the transactional metadata reveals identifiers, because every transaction carries the sender’s and recipient’s public keys or addresses. Where those participants are natural persons rather than legal entities, the GDPR applies.

The right to be forgotten does not necessarily require physical deletion of the data. Rather, the person responsible for the processing, the so-called data controller (Article 4(7) GDPR), must ensure that the data can no longer be accessed or linked to the individual. The right can, for instance, be satisfied by rendering the data anonymous, at which point it ceases to be personal data at all.

Why Would Someone Want Their Blockchain Data Erased?

There are several reasons why a person may wish to have their blockchain data erased or made inaccessible. Most commonly the request stems from an accidental upload or from the presence of sensitive or harmful information. Imagine, for example, that a user mistakenly uploads a document containing sensitive personal information to OneDrive. There the document can simply be deleted, or redacted to remove the sensitive parts. A blockchain does not work this way: once information is recorded, it cannot be erased.

A practical example might be a user uploading their government-issued identification to a blockchain-based DeFi platform. Months later, they seek to exercise their rights under the GDPR and request its deletion. Unlike traditional databases, where an administrator can simply remove data, blockchain systems cannot “forget” in the same sense.

Evaluation of GDPR Compliance  

As noted earlier, blockchain can be permissioned or permissionless. The following evaluation focuses on compliance issues relating to permissionless blockchains.

Under the right to be forgotten, a data subject whose personal data sits on a blockchain may ask the data controller to delete it. In practice, complying with such a request is a dilemma because of the decentralised nature of the blockchain.

In centralised storage, such as a local server, the person who oversees the data processing is easy to identify. Data on a blockchain, by contrast, is replicated across every participating node in the network, so no single responsible party can be held accountable, and it is difficult to say who the data controller is. One could argue that the nodes (the participants holding copies of the chain) or the miners (who create new blocks) take on the role of controller, or that they act as joint controllers (Article 26 GDPR). Neither option is satisfactory: requesting deletion from every participant or miner is close to impossible in practice and therefore ineffective. This is especially true for permissionless blockchains, which anyone can join; the Bitcoin network, for instance, has roughly 18,500 reachable nodes.

Moreover, where the controller has made the personal data public, as is the case on a publicly accessible blockchain such as Bitcoin, Article 17(2) GDPR obliges the controller to take reasonable steps to inform other controllers processing that data of the erasure request. On a blockchain this is practically impossible: the recipients are unknown to the controller, and by design every node keeps its own autonomous copy of the chain.

In addition, the data is processed by nodes spread across the globe. It crosses borders with no way to localise or limit the processing. This runs against the purpose of Chapter V of the GDPR, which aims to ensure that personal data is transferred only to countries that provide an adequate standard of data protection.

Blockchain is a promising technology that could streamline and strengthen processes in many areas of everyday life. Because the technology is borderless, however, it is essential that it complies with data privacy laws across the globe. Aiming for compliance with the requirements of the GDPR, such as the right to be forgotten, is advisable, as the European framework is among the strictest in the world.
To persist and establish itself as a tool for the everyday person, developers and providers also need to be aware of every other data protection framework that might apply in the jurisdictions they reach.

We will provide useful solutions and recommendations in the second part of this series.

In the meantime, remember to be forgotten.

