Authors: Markus Kaulartz, Jonas Gross, Constantin Lichti, Philipp Sandner
Considering that information is seen as the new gold of the digital age, data protection is a powerful tool that does not spare blockchain-based data. This article outlines the lawful obligation for anonymization of different data that can be stored on a blockchain. These different data comprise 1) personal data which refers to data of natural persons and 2) machine data which refers to machines and objects. We analyze the requirements for such sensitive data to be conformably stored on blockchain in detail. The article analyzed the laws and rules of the General Data Protection Regulation (GDPR).
This article is the eighth publication of the series “legal aspects of blockchain technology” by the Frankfurt School Blockchain Center (FSBC), Datarella, and CMS Hasche Sigle. This research is part of the KOSMoS project, a research project funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 02P17D020. The Frankfurt School Blockchain Center gGmbH and Datarella GmbH are part of the “KOSMoS” consortium. Together with partners from the industry (Schwäbische Werkzeugmaschinen GmbH, Alfred H. Schütte GmbH & Co. KG, ASYS Automatisierungssysteme GmbH), academia (Universität Stuttgart, Hochschule Furtwangen), and software development (inovex GmbH, Ondics GmbH), they create a blockchain-based solution allowing manufacturing companies to establish a DLT-based framework for producing machines in order to (a) execute dynamic leasing contracts, (b) provide transparent maintenance documentation and © ensure high-quality documentation of manufactured products.
The GDPR’s purpose is to ensure the right to informational self-determination and privacy of individuals. It aims at protecting personal data within the European Union (EU) as well as ensuring the free movement of data within the EU and it makes no exceptions for blockchain-stored data. Blockchain-based use cases also have to comply with the GDPR. The GDPR is directly legally binding for the EU member states, however, they have the possibility to change some specific predetermined clauses if they deem it necessary.
In connection with Bitcoin and the use of public and private keys, full anonymity of a natural person is often said to exist. While private keys are only available to the end-users and are not visible to the public, public keys can be analyzed and infer about the persons involved e.g., by the police if they suspect illicit activities. Full anonymity is therefore not completely irrefutable which would make the GDPR obsolete in such an explicit case. Other blockchain or DLT-based databases, especially enterprise blockchains do not necessarily render personally identifiable information anonymous.
Not only natural persons but also machines can participate in blockchain ecosystems, making the matter of data protection even more complex since data protection for machine data differs from that of natural persons. This provokes the question how different types of data have to comply with the GDPR if stored on a blockchain. In the following article, we will analyze this question.
Anonymization of identities
Natural persons are to be distinguished from machines in terms of data protection measures. The reasons for data anonymization is to protect basic human rights (ie., right to informational self-determination) and ensure data privacy of individuals in the digital age. But is there a need for anonymization of such an identity or is the use of privacy-enhancing features, such as private channels on Hyperledger, already a sufficient decoupling of trusted (possibly personal) information? A distinction must be made between keys that refer to machines (machine data) and keys that refer to natural persons (personal data) as is shown in Figure 1:
Figure 1: Legal storage requirement differentiation by data types
Keys with a personal reference
Keys with a personal reference should be pseudonymized using a lookup table: The actual IDs are then assigned to a key in the lookup table and only this key, but not the ID, is stored on the blockchain. In this way, a company can respond to any deletion requests by deleting the data in the lookup table. The data on the blockchain then loses its reference and is thus anonymous. If the actual IDs are not relevant and could also be deleted, they could be stored directly on the blockchain. This could be the case when a company only cares about the amount of keys but not about who they belong to. Recordkeeping of the number of subscribers for the sake of internal marketing statistics is one such example. The eWpG bill for the law on the introduction of electronic securities and crypto securities in Germany seems to follow the same path — it talks about the “data used for pseudonymization”.  Under the GDPR, whether private channels are sufficient to achieve anonymity depends on whether re-identification is possible using proportionate means. Whether a mean is considered proportionate differs from case to case. It can be determined by assessing the level of difficulty and effort needed for re-identification to be successful.
Article 26 of the GDPR states:
In order to determine whether a natural person is identifiable, account should be taken of all means likely to be used by the controller or by any other person in the general interest to identify the natural person directly or indirectly, such as segregation. In determining whether means are, in general, likely to be used to identify the natural person, all objective factors, such as the cost of the identification and the time required, should be taken into account as well as the technology available at the time of processing and technological developments. The principles of data protection should therefore not apply to anonymous information, that is to say, information which does not relate to an identified or identifiable natural person, or personal data which has been rendered anonymous in such a way that the data subject cannot be identified or can no longer be identified. […]
Keys without a personal reference
Keys without a personal reference do not have to be anonymized for reasons laid out in the data protection law because they are not personal data. However, an obligation to make them anonymous may arise (indirectly) from the fact that the data constitute trade secrets. For example, the machine data could be used to read the times and intensities of use which might allow conclusions to be drawn about the order situation of a company.
Whether private channels are sufficient to achieve anonymity depends on the desired level of protection. For example, it may be sufficient if only “proportionate” measures do not lead to re-identification. That means that an active effort to re-identify keys without a personal reference has to be made to count as sufficient and proportionate in terms of the data protection law. If the machine data is more critical, it could also be contractually agreed that precautions must be taken to ensure that even when using the most advanced procedures, no conclusions can be drawn about the raw machine data during the period of use of the consortium blockchain.
Practical note: An appendix to the contract should specify which categories of data may be stored and how. The requirements for storing very sensitive business secrets may be higher than those for storing personal data, and these in turn may be higher than those for storing non-critical data.
Compliance of machine data
Data protection laws only record personal data (e.g. for the GDPR: Art. 2 GDPR). However, machine-related data may also be personal data under certain circumstances (see the answer to question 3). Machine data may also be subject to database rights (see the answers to questions 3 and 5). They can also constitute trade secrets (see the answers to question 3).
 This is recommended e.g., by the French data protection authority: CNIL, Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data, 06.11.2018: “these solutions enable stakeholders to come closer to the GDPR’s compliance requirements”.
 See the reasoning to § 4 (6), page 42, available at https://www.bmjv.de/SharedDocs/Gesetzgebungsverfahren/Dokumente/RefE_Einfuehrung_elektr_Wertpapiere.pdf?__blob=publicationFile&v=1.
KOSMoS is a research project funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 02P17D020. More information about the project can be found on the website.
If you like this article, we would be pleased if you would forward it to your colleagues or share it on social networks. More information about the Frankfurt School Blockchain Center on the Internet, on Twitter or on Facebook.
Dr. Markus Kaulartz used to be a software developer and is now a lawyer at CMS Hasche Sigle. He specializes in crypto laws. Since Markus’ clients are both innovative startups and tier one global players, he has gained much experience in advising on legal issues of future technologies and new business models. Markus has particular tech expertise and insights that contribute to his legal advisory practice. His input is often sought where challenges arise at the interface of technology and law. Markus is co-editor of the legal handbook on smart contracts and the legal handbook on artificial intelligence and machine learning.
Jonas Gross is a project manager and research assistant at the Frankfurt School Blockchain Center (FSBC) and also works for the KOSMoS research project. His fields of interests are primarily crypto currencies. Besides, in the context of his Ph.D., he has been analyzing the impact of blockchain technology on the monetary policy of worldwide central banks. He mainly studies innovations as central bank digital currencies (CBDC) and central bank crypto currencies (CBCC). You can contact him via email (firstname.lastname@example.org), LinkedIn (https://www.linkedin.com/in/jonasgross94/) and via Twitter (@Jonas__Gross).
Constantin Lichti is a research assistant and project manager at the Frankfurt School Blockchain Center (FSBC), and also works for the KOSMoS research project. Furthermore, he is responsible for project proposals and grants as well as studies published at the FSBC. As a doctoral candidate his research interests include public blockchains and their individual adoption, as well as how the discourse on blockchain technology is reflected in (social) media. He graduated from the Technical University of Munich with a master’s degree in industrial engineering and management. You can contact him via email (email@example.com) and LinkedIn.
Prof. Dr. Philipp Sandner is head of the Frankfurt School Blockchain Center (FSBC) at the Frankfurt School of Finance & Management. In 2018, he was ranked as one of the “Top 30” economists by the Frankfurter Allgemeine Zeitung (FAZ), a major newspaper in Germany. Further, he belongs to the “Top 40 under 40” — a ranking by the German business magazine Capital. The expertise of Prof. Sandner, in particular, includes blockchain technology, crypto assets, distributed ledger technology (DLT), Euro-on-Ledger, initial coin offerings (ICOs), security tokens (STOs), digital transformation and entrepreneurship. You can contact him via mail (firstname.lastname@example.org), via LinkedIn (https://www.linkedin.com/in/philippsandner/), or follow him on Twitter (@philippsandner).