The Spanish Data Protection Agency (AEPD) has released a comprehensive technical note addressing the integration of blockchain technology with the General Data Protection Regulation (GDPR). With a focus on the right to be forgotten – a requirement for the erasure of personal data – this note tackles the unique challenges posed by blockchain’s inherent immutability.
The challenge of immutability
Blockchain’s core design prioritises permanent, append-only records that cannot be altered once confirmed, which conflicts with the GDPR’s requirement that personal data be erasable on request (Article 17, the right to erasure). The AEPD's note addresses this tension by proposing a combination of governance measures and specific technical mechanisms aimed at achieving GDPR compliance.
The AEPD's proposed solution
In response to these challenges, the AEPD presents a proof of concept (PoC) that demonstrates practical methods for erasing personal data from a blockchain while remaining within the legal framework. The PoC has been exercised in real-world scenarios and shows how a blockchain's data-management practices can be adapted to meet GDPR requirements.
- Case study application: The PoC walks through the deletion of a user's data, covering both transaction data and smart-contract state. Smart contracts, which encode and execute agreements automatically, often hold personal data in their storage, so the AEPD's approach includes frameworks for handling those cases as well.
Technical implementation
For testing compliance strategies, the AEPD set up a private Ethereum network. This isolated environment allows data-deletion techniques to be exercised without affecting any production data. The tooling is ordinary developer tooling: Visual Studio Code and Node.js scripts drive the deletion steps while keeping the test network running.
- Automation: Scripts drive the removal process so that it is repeatable and causes minimal disruption to the running network, keeping the chain operational while the legally required changes are made.
- Database management: The PoC stresses that the blockchain's storage layer itself has to be adapted so that both transaction data and contract data can be brought into line with GDPR. This means revisiting how data is catalogued and, where necessary, modified, so that erasure requests can actually be honoured.
Implementing hard forks
The PoC builds GDPR compliance into the blockchain protocol itself by means of a "hard fork": a non-backward-compatible change to the consensus rules that every node must adopt. This entails updating the network's operational framework to incorporate the new data-management strategy. A practical caveat: nodes that do not upgrade continue to follow the old chain, and any copy of the pre-fork ledger still contains the data the fork was meant to remove, so the technical change only works alongside governance measures that get every participant onto the new rules.
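To make the tension between immutability and erasure concrete, the following Python illustration is added here; it is not code from the AEPD note or its PoC, and the ledger format, record layout and subject identifiers (`u-001` and so on) are constructed for the example. It models a minimal hash chain: deleting one subject's records in place breaks verification of every later block, whereas a fork-style rewrite restores validity only by recomputing every block from the first affected one, and the pre-fork copy of the ledger still holds the data.

```python
import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # assumed "previous hash" for the first block


@dataclass
class Block:
    index: int
    prev_hash: str
    records: list  # constructed records of the form {"subject": ..., "data": ...}

    def hash(self) -> str:
        # The block hash commits to the previous hash and to every record,
        # which is why editing any past record changes this value.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "records": self.records},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches):
    """Link a list of record batches into a hash chain."""
    chain, prev = [], GENESIS_PREV
    for i, recs in enumerate(batches):
        block = Block(i, prev, list(recs))
        chain.append(block)
        prev = block.hash()
    return chain


def verify_chain(chain) -> bool:
    """True if every block's prev_hash matches the hash of its predecessor."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return False
        prev = block.hash()
    return True


def contains_subject(chain, subject) -> bool:
    return any(r["subject"] == subject for b in chain for r in b.records)


def naive_erase(chain, subject):
    """Delete the subject's records in place without re-linking.
    The chain becomes invalid because the next block's prev_hash is now stale."""
    edited = copy.deepcopy(chain)
    for block in edited:
        block.records = [r for r in block.records if r["subject"] != subject]
    return edited


def erase_by_rewrite(chain, subject):
    """Fork-style erasure: drop the subject's records and rebuild every block
    from the first affected one so that the hash links are consistent again."""
    return build_chain(
        [[r for r in b.records if r["subject"] != subject] for b in chain]
    )


def fork_point(old, new):
    """Index of the first block whose hash differs between two chains, or None."""
    for i, (a, b) in enumerate(zip(old, new)):
        if a.hash() != b.hash():
            return i
    return None


# Constructed sample ledger: three blocks; subject u-002 is the one to erase.
SAMPLE_BATCHES = [
    [{"subject": "u-001", "data": "order 17"}],
    [{"subject": "u-002", "data": "alice@example.com"}, {"subject": "u-001", "data": "order 18"}],
    [{"subject": "u-003", "data": "order 19"}],
]


def demo():
    original = build_chain(SAMPLE_BATCHES)
    broken = naive_erase(original, "u-002")
    rewritten = erase_by_rewrite(original, "u-002")
    return {
        "original_valid": verify_chain(original),
        "naive_valid": verify_chain(broken),            # False: block 2 points at a stale hash
        "rewritten_valid": verify_chain(rewritten),     # True: links recomputed from block 1 on
        "fork_point": fork_point(original, rewritten),  # 1: first block that changed
        "tail_rehashed": original[2].hash() != rewritten[2].hash(),  # same records, new hash
        "old_copy_still_has_data": contains_subject(original, "u-002"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with `python3`. The `tail_rehashed` result is the cost of the approach: block 2 holds no data about `u-002`, yet it must be re-issued because its link to block 1 changed. The `old_copy_still_has_data` result is the governance point made above: the rewrite only removes the data from nodes that adopt the forked chain.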
The AEPD thus provides a detailed scheme for how blockchain systems can respond to changing legal requirements, giving developers the tools to implement the necessary compliance changes while keeping the network running.
Looking ahead
The AEPD's initiative offers a practical roadmap for integrating blockchain technology with GDPR compliance, tackling the complex issue of balancing blockchain's immutable nature with the GDPR's requirement for data erasure.
By combining governance adjustments with technical modifications, the AEPD shows how blockchain systems can retain their innovative capabilities while adhering to stringent data protection laws.
Further reading
For those interested in delving deeper into the relationship between blockchain and data privacy, including topics such as the right to be forgotten, I encourage you to read my article, "Blockchain and Data Protection: A Compatible Couple?" in the Global Privacy Law Review.
This piece explores the potential for blockchain and data protection to coexist, providing a comprehensive examination of the regulatory challenges and solutions in this evolving landscape.