Oct 232018

EU Parliament Adopts Blockchain Resolution

Lauren Cuyvers and Wim Nauwelaerts
, , , , ,

On October 3, 2018, the European Parliament passed its long awaited resolution on distributed ledger technologies and blockchains (the “Blockchain Resolution”). The Blockchain Resolution was adopted to protect and empower EU citizens and businesses with respect to the specific issues that arise in relation to the blockchain or “distributed ledger” technology, one of which being the tension with data protection rights and the GDPR in general.

Blockchain technology can best be described as a decentralized database containing transaction logs linked together on a network, with the most widespread example being Bitcoin. A transaction can only proceed if the link is validated in the network. A bitcoin transaction, for instance, involves logging account numbers, the sender and recipient’s (pseudonymized) identity and bitcoin amount in a block. This block is then shared with the network, which validates the block. Only after validation (which in bitcoin’s case requires a specific “signature”) the block is included in the chain and the transaction is executed. Note that each member in a network – which can be public or private – is in principle able to validate the information in the blocks. This is the exact strength and core functioning of blockchain. Interrelated peer-to-peer validation mechanisms make blockchain technology considered to be highly secure and accessible. Blockchain excludes the need for intermediaries (such as banks), and facilitates secure transactions by the public.

The EU Parliament’s Blockchain Resolution recognizes the importance of blockchain technology’s compliance with the GDPR, and emphasizes specific risks related to privacy and data protection. It stresses that the data logged in blocks is pseudonymized, and not anonymized, data.  Although direct identification of individual members in a network is not possible, indirect identification is possible (through identifiers linked to the data). Pseudonymized data is in scope of the GDPR.  Accordingly, blockchain needs to take GDPR principles into account.

Although the GDPR is meant to be “technologically neutral”, and the GDPR’s principles are meant to be applied to data processing independent of the processing techniques used, the application of the GDPR’s principles to blockchain proves highly challenging. The GDPR’s “right to be forgotten”, for instance, appears difficult to reconcile with blockchain objectives.  Specifically, the success of blockchain relies on the logging and storing of data chains. Deletion of data would disrupt the chain and undermine blockchain rationale.

Earlier this year, the European Commission launched the EU Blockchain Observatory and Forum, with the purpose of mapping key initiatives and monitoring developments in the industry. On October 16, 2018, the Forum issued a report on Blockchain and the GDPR (the “Report”) which identifies additional areas of concern. The controller/processor distinction and identification – essential for allocating responsibility under the GDPR – proves difficult to translate into a blockchain context. Actors “submitting” a transaction to a network may be considered data controllers for the personal data they submit through the transaction when they do this in a business context, but will likely benefit from the household exemption when they submit data for their own personal use (for instance, to purchase bitcoins for their private bitcoin wallet). Actors “validating” a transaction in a network, are also unlikely to qualify as controllers, as they only run software and process the transaction to ensure validation. The uncertainty around data controllership in blockchain applications makes it difficult to assess parties’ responsibilities under the GDPR, and further regulatory guidance in this respect is urgently needed. The Report also stresses the importance of the data minimization principle of the GDPR, and recommends analyzing to what extent blockchain effectively requires storage and processing of personal data, and if so, whether private networks could be created for blockchains that contain personal data (for instance, when using blockchain in a highly regulated sector such as the financial sector).

A resolution from the European Parliament does not have legally binding effect. A resolution merely sets out the Parliament’s political position, with a view to prompt other European Union institutions to take legislative action. With this Resolution however, the European Parliament clearly expresses its position to support blockchain. Its call for “open-minded, progressive and innovation-friendly regulation” could pave the way for further EU policy and legislative development in this area of cutting-edge technology.

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Wim Nauwelaerts

wnauwelaerts@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.