III. Blockchain as a catalyst for data protection

From a data protection perspective, blockchain databases are particularly interesting because they allow - at least in theory - transactions between parties without the parties having to disclose their identity directly to the contracting party or to the public. Anonymity and pseudonymity are also recognised instruments of data protection law. If a transaction cannot be traced back to the individuals involved, their fundamental right to informational self-determination is not affected. As such mere (transaction) data falls outside the scope of European data protection law (see also recital 26 GDPR), companies are legally permitted to use and process it without being subject to specific data protection restrictions.

The popular crypto-currency Bitcoin is often referred to as one example of a blockchain database with potential for data protection, since Bitcoin was said to provide an "anonymous, non-persecutable" means of payment. However, it has become increasingly clear that such generalized statements will most likely not hold true. Paradoxically, one reason lies in the very property of the blockchain that makes its users anonymous to the public: all transactions are documented publicly and in a tamper-proof manner. While it is true that no names, addresses, telephone numbers or any other comparable information that would make it possible to readily identify the participants without significant effort are captured in the corresponding transaction data entries of the blockchain, various possibilities remain for de-anonymizing those entries. For example, one study has shown that the Bitcoin address of a service user documented in the blockchain can be traced back to its IP address, which in turn can be traced back to a specific internet connection or connection owner. Another research paper showed that a user and transaction network can be constructed from the publicly accessible entries in the Bitcoin ledger, with the help of which the allegedly anonymous transactions can be traced back to certain users.

It remains important to note, however, that the above-mentioned attack surfaces for de-anonymization are not system-inherent, that is, they could be avoided to a certain extent if the technical design were adapted accordingly. Companies considering the use of blockchain technology should therefore bear in mind the principle of data protection by design (privacy by design), now standardized in Article 25 GDPR, when conceiving blockchain databases and applications, in order to ensure their business model's legal compliance. How far blockchain databases are suitable for implementing the seven basic principles of privacy by design remains to be seen in practice: while some of these principles (e.g. transparency, privacy by default, data protection as an integral part of application design) may be implemented directly in the technological layer of blockchain applications, others, in particular the effectiveness of data protection throughout the entire life cycle of the application, may turn out not to be readily achievable. The extent to which companies need to use technical measures to meet their obligations under Article 25 GDPR is currently largely unresolved; the legal text only provides abstract criteria based on context, risk, cost and a case-by-case assessment. Against this background, there seems to be a broad consensus in Germany between industry stakeholders, regulators and civil society to jointly and rapidly drive the development of interoperable standards within the meaning of Article 25 GDPR.

Finally, in order to illustrate the extent to which blockchain databases could be used for the purposes of data protection, a concrete application example may be found in the purpose limitation principle set out in Article 25 GDPR. According to this principle, personal data may only be collected for clear and legitimate purposes and may not be further processed in a manner incompatible with these purposes (see Article 5 (1) (b) GDPR). One way of monitoring the compliance of electronic data processing with the purpose limitation principle is to provide individual items of personal data with a meta-tag, that is, a unique and durable electronic label stating the nature and extent of the processing permitted for the personal data concerned. A decentralized register managed as a blockchain could be used here to make the processing of personal data by companies more transparent and to ensure the efficient sanctioning of possible infringements.