Legal Status of the Data Stored in Blockchains

The phenomenon of “trust”, which is traditionally established by competent authorities, mediators, and similar third parties, is now being replaced by blockchain technology, which is a decentralized structure with developing technologies. Blockchain, which is a record list that is secured using cryptography methods and continuously grows by connecting the structures called blocks to each other, has developed and continues to develop rapidly since 2008. Blockchain technology, which can perform information and data transfers quickly and securely, aims to solve important problems encountered in daily life and optimize current processes; the technology in question is used in many different sectors today. In this respect, blockchain technology falls within the scope of many bodies of legislation.

The blockchain is a secure and transparent system that is designed to securely store valuable data, and allow data exchange and management between two parties without the need for a middleman. Ultimately, it is a technology that can be verified.

Data plays a vital role in blockchain technology. Over the past decade, legislative structures have seen a major focus on data protection and privacy. Although the right to privacy has existed far longer than data protection laws, with the emergence of technological advancements, the importance of data has become inescapable. In its essence, however, data privacy stems from the basic human right to privacy. Some will refer to data as “the new oil” of our age, due to how important it is both politically and economically.

The Basics of Blockchain Technology Elements

Block Structure

A blockchain is a continuously expanding list of records, called “blocks”, that are linked and protected through cryptography. The first block in the chain is referred to as the “genesis block”. Each block holds a specific number of transactions and is appended to the blockchain by linking it to the preceding block.

A block is composed of a block header, which provides a description and summary of the block, as well as transaction records. Each block in the chain is partially derived from the previous block, because every block includes condensed information (the cryptographic hash) from the preceding block.

Distributed Network

Distributed networking refers to the practice of distributing the records of blockchain transactions to participants in a network structure, rather than storing them in a single centralized location. Each participant writes the records in a shared system of records called the ledger, and each participant possesses a copy of this ledger. Essentially, the ledger is both shared and distributed. Whenever the ledger is updated, all participants receive a copy of the updated version.

It is widely accepted that a distributed network structure is more secure than a centralized structure. To provide an analogy, the storage location of data can be likened to a house. It is challenging, though not impossible, for someone to enter a house without permission, as long as appropriate security measures are in place. Thanks to the distributed network structure of blockchain technology, the database where data is stored is fragmented into numerous parts and these parts are dispersed across numerous computers. Consequently, it is insufficient for an unauthorized individual to gain access to the data by entering just one house; instead, they would need to access the majority of houses in the database.

Consensus Structure

Consensus is necessary across the blockchain network for all machines to have an identical copy of the data. This means that participants must agree on the validity of transactions in order for them to be considered valid. Different consensus mechanisms are used within the network to achieve this consensus. Various blockchain platforms, such as Bitcoin and Ethereum, offer different solutions for the consensus process. Bitcoin, for instance, employs the proof of work (PoW) consensus approach, where nodes must prove that they have expended computational work in order to add a new block to the blockchain. Another common consensus structure is called proof of stake (PoS), where participants who own a certain amount of shares or assets are given the authority to create or verify blocks.

In order for the blockchain to maintain its security, it is necessary to have a system in place that prevents a malicious individual or group from gaining control over the majority of the validation process. In Proof of Stake (PoS), validators possess some tokens from the blockchain, and potential attackers can only execute an attack if they manage to acquire a significant portion of these tokens. Unlike Proof of Work (PoW), PoS primarily relies on the validation mechanism rather than mining. In PoS, blocks are created by a specific individual determined by the PoS algorithm, which introduces an element of randomness. The initial PoS cryptocurrency was Peercoin, and it was followed by others like Cardano, Blackcoin, Nxt, and Algorand. Furthermore, Ethereum is also planning to incorporate a PoS mechanism alongside PoW in the development of new technology by 2021.

Types of Blockchains

Blockchain networks are categorized into two types based on the accessibility of the network: (i) publicly accessible networks, also known as open or public blockchain networks, and (ii) networks that are closed to public access, referred to as closed or private blockchain networks. Typically, organizations opt for closed blockchain networks due to security concerns or other reasons.

Blockchain networks can be divided as follows.

Permissionless Blockchain Networks

Blockchains that are referred to as completely permissionless do not require permission for individuals to access the blockchain network and view stored data. They also allow participation in the consensus process to add new blocks, as long as individuals adhere to the consensus structure of the network. These networks are commonly known as permissionless blockchain networks. Involving as many participants as possible in the system makes the network more secure. An example of this type of network is the Bitcoin platform.

Partially Permissionless Blockchain Networks

Partially permissionless blockchain networks are networks that allow anyone to access and read stored data on a blockchain network without needing permission. However, permission is required to add new blocks and participate in the consensus process. This entails adhering to the consensus structure of the network. An illustration of such networks is a blockchain platform where all users can listen to music tracks, but only independent musicians have the authority to add new tracks based on the consensus structure.

Blockchain Networks That Require Full Consent

Blockchain networks that require permission both to read the stored data and to add new blocks and participate in the consensus process (by complying with the consensus structure of that network) are called fully permissioned blockchain networks (“Fully Permissioned Blockchain Networks”). The purpose of such networks is to make the recorded data accessible only to the relevant parties and to include in the consensus process only selected parties among those who are allowed to access the data; an example is a network established to perform Electronic Funds Transfer (EFT) transactions between banks.

Blockchain networks that require full consent, also known as private blockchains, are generally preferred by companies and similar entities to restrict access by third parties and ensure privacy.

Personal Data Protection Law No 6698 (“KVKK”)

The Basis of the Right

The protection of personal data begins with the right to privacy, which is one of the most essential rights for individuals. As technology advances, the recognition of privacy and confidentiality as crucial elements of social values in both individualization and the functioning of democratic societies has necessitated the redefinition of “privacy” as a fundamental human right.

Privacy is a term that encompasses various ideas, including autonomy, individuality, personal space, and anonymity. Consequently, it can be described as the capacity of an individual or a group to keep their personal information private and, as a result, to express themselves selectively. Information privacy, on the other hand, refers to the connection between data collection and distribution, technology, the public’s anticipation of privacy, and the legal and policy concerns that arise from these expectations.

The concept of acknowledging a right to privacy as a fundamental principle was presented in an article authored by Samuel Warren and Louis Brandeis. This article was published in the Harvard Law Review in 1890 and is deemed one of the most influential essays in American legal history. It is also recognized as the inaugural publication to define privacy as a “right”.

One other major event that shaped the right to privacy was World War II and the grave human rights violations of that period. The fact that governmental authorities collected personal information and used that information to discriminate against innocent civilians naturally caught attention. After that, many legal systems agreed upon creating a legal structure that limits the processing of data about people.

In today’s society, the advancement of new information technologies brings up concerns regarding the safeguarding of privacy rights. Essentially, the gathering and manipulation of information heightens the potential for privacy breaches. Therefore, a lack of trust in these technologies may lead consumers to hesitate before adopting new services, hindering the innovative and effective use of such technologies.

At this stage, the unauthorized acquisition of personal data by unrelated third parties, as well as the processing of this data, whether in compliance with laws or not, constitutes a violation of privacy. The right to protect personal data entails individuals having control over their data, including aspects like its acquisition, collection, processing, or transfer. Consequently, it is crucial to gain a deeper understanding of the issues surrounding personal data protection and to ensure the development of appropriate legal regulations in this domain.

What is Personal Data According to KVKK?

In accordance with paragraph (d) of Article 3 of the Personal Data Protection Law (“KVKK”), personal data is defined as any information that pertains to a known or identifiable individual. To be considered personal data under the KVKK, the information must be connected to a specific or identifiable natural person. Based on this definition, personal data exclusively pertains to individuals; data directly associated with legal entities are not included in the definition of personal data and are therefore not subject to the provisions of the KVKK.

Personal data can either directly identify a person or not directly identify them, but it includes any information that can help identify a person when associated with any record. This includes not only information like name, date of birth, and place of birth, but also data like phone numbers, license plates, social security numbers, passports, resumes, photos, videos, audio recordings, fingerprints, email addresses, hobbies, preferences, family information, and health information. The scope of what is considered personal data can be expanded since the KVKK does not provide a limited list. The important thing is to be able to define the individual with the help of the specific data in question.

Sensitive Personal Data

The KVKK distinguishes between “sensitive personal data” and personal data. Sensitive personal data refers to data that, if accessed, could lead to discrimination or harm to the individual. Therefore, sensitive data must be protected more carefully and strictly than other personal data. Special categories of personal data can only be processed with the explicit consent of the individual or in limited cases outlined in the KVKK.

Article 6 of the KVKK provides an exhaustive list of special categories of personal data: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The KVKK also distinguishes between the different special categories, and the conditions for processing data related to health and sexual life without explicit consent are regulated differently from those for the other special categories.

Data Controller and Data Processor

As per Article 3/I-ı of KVKK, the term “data controller” refers to the individual or entity, whether natural or legal, that decides the objectives and methods of processing personal data and is accountable for establishing and supervising the data storage system.

The entity responsible for ensuring compliance and accountability in the processing of personal data, known as the data controller, plays a crucial role in the data processing process. It is required that the data controller can be identified according to the KVKK. However, when it comes to blockchain technology, the identification of the data controller is often not a straightforward task, as will be explained in detail later.

When considering the KVKK’s perspective, the definition of a data controller implies that determining the data controller in blockchain technology should depend on the unique circumstances of each situation. In a legal system where all definitions are centered around a central data controller, the fact that data is distributed in a decentralized blockchain system requires the identification of the data controller. Particularly in public blockchains, there is no singular entity or organization that centrally decides the purposes and methods of personal data processing.

For instance, if a company specializing in human resources helps another company in the recruitment of staff, and the agreement states that it will exclusively act on behalf of the company in terms of the candidates’ data, then the hiring company will be regarded as the sole data controller in this scenario.

However, in the same example, if the human resources company assesses resumes in its own database and looks for suitable candidates among the resumes received by the hiring company, and charges fees based on the contracts for each employment agreement signed, the aspect of interest becomes relevant. In this scenario, both the human resources company and the hiring company would be regarded as joint data controllers.

Scope of Application of KVKK

As stated in Article 2 of KVKK, it applies to both natural and legal entities who process the personal data of individuals, regardless of whether it is done fully or partially using automated methods or non-automated methods, as long as they are included in any data recording system.

KVKK applies nationwide and specifically to data controllers and processors who handle personal data within Turkey’s borders. In addition, the Personal Data Protection Board (“Board”) introduced a regulation through a decision on 23/07/2019 (2019/225) that applies to foreign data controllers who process personal data either directly in Turkey or through their branches. Although the Turkish Data Protection Law does not include provisions specifically for foreign entities, this regulation now requires foreign data controllers to fulfill certain obligations, such as registering with the Data Controllers Registry (VERBİS) and appointing a representative.

KVKK has caused uncertainties for data controllers located outside of Türkiye due to the lack of specific geographical scope delineation in its application.

Data Processing Principles and Conditions

According to Article 4 of KVKK, personal data can be processed only in accordance with the procedures and principles prescribed in KVKK and other laws. When handling personal data, it is essential to (i) adhere to legal requirements and maintain integrity, (ii) ensure the data is correct and updated as needed, (iii) process data only for clear, specific, and lawful reasons, (iv) keep the data pertinent, restricted, and in balance with its processing purpose, and (v) retain the data only for the duration specified by applicable law or as required for its processing purpose.

The main rule for personal data processing is acquiring the relevant individual’s explicit consent prior to data processing. However, in some instances, data controllers/processors may have the right to process personal data without the explicit consent of the relevant individual, and these cases are as follows:

a) Explicitly stipulated by the laws.

b) Being necessary for the protection of life or physical integrity of the person who is physically or legally incapable of giving consent or whose consent is not legally recognized.

c) Being necessary for the processing of personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of the contract.

d) Being necessary for the data controller to fulfill its legal obligation.

e) Being made public by the person concerned.

f) Being necessary for the establishment, exercise, or protection of a right.

g) Being necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.

The General Data Protection Regulation (“GDPR”)

The General Data Protection Regulation (“GDPR”) is a law passed by the European Parliament and the Council of the European Union that aims to enhance privacy and awareness of the importance of privacy protection by allowing individuals to know and control the data collected about them. The GDPR was adopted on the 14th of April, 2016, and became fully effective on the 25th of May, 2018.

The GDPR requires companies to obtain consent for data collection and provides options for data deletion. The emergence and adoption of the GDPR has been important due to the growing amount of data being collected and the lack of control individuals feel over their digital presence.

The ability to opt out of data collection, delete personal data, and control its use are all desirable but may conflict with certain business models and digital structures. Businesses often change their privacy policies to comply with the law, but it is unclear how conflicts with hardware and software design will be resolved.

What is Personal Data According to GDPR?

The definition of personal data in GDPR is extensive and specifically regulated. It encompasses any information pertaining to an identified or identifiable individual, whose identification can be established either directly or indirectly through factors like their name, identification number, location data, online identifier, or other factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Recital 30 of the GDPR, one of its introductory provisions, clarifies the notion of online identifiers. It specifically mentions elements like internet protocol (IP) addresses, as well as identifiers linked to the devices, applications, tools, and protocols used by individuals, such as cookie identifiers or radio frequency identification tags. Within this framework, the GDPR explicitly states that IP addresses and cookies are considered personal data if they can be connected to individuals, particularly when combined with unique identifiers or information received by servers, in order to create profiles and identify those individuals.

In the GDPR, there is a concept called “pseudonymous data”. This refers to processing personal data in such a way that it can no longer be linked to a specific individual without additional information. That additional information, such as a decryption key, must be kept separately and protected by technical and organizational measures so that the data cannot be attributed to an identifiable person. Pseudonymised data can therefore be processed without the additional information, and without it the data cannot be linked back to a specific individual.

Under the GDPR, such data do not directly identify a person; it is not feasible to link the data to a particular individual without the separately held additional information. In line with Recital 28 of the GDPR, pseudonymising personal data is advised because it reduces the risks for the data subject and helps data controllers and processors meet their data protection obligations.

The special categories of personal data in the GDPR parallel those of the KVKK. The special categories covered by the GDPR comprise (i) racial or ethnic origin, (ii) political opinions, (iii) religious or philosophical beliefs, (iv) trade union membership, (v) genetic data, (vi) biometric data, (vii) health data, and (viii) data concerning a person’s sex life or sexual orientation, and this enumeration is exhaustive.

Data Controller and Data Processor in Terms of GDPR

The GDPR introduces the term “Data Controller” to describe the responsibilities of entities involved in processing personal data. According to Article 4 of the GDPR, a data controller can be an individual, organization, or public authority that decides how and why personal data is processed.

It is important to identify the person or entity responsible for data control as the GDPR assigns them the main responsibility of implementing measures to protect personal data. The data controller must consider the nature, scope, context, and purpose of data processing, as well as the risks to privacy, and adopt appropriate measures to ensure compliance with GDPR standards and principles. Examples of data controllers include medical institutions, law firms, and online shopping platforms.

Scope of Application of GDPR

The scope of the GDPR is not limited to the geographical boundaries of EU member states. Instead, it goes beyond these borders. The article that regulates the regional scope of the GDPR includes provisions that also apply to data controllers and data processors who are not based in the EU.

The territorial scope of the GDPR is set out in Article 3 of the GDPR. According to this article, GDPR applies in the following cases:

  • The processing of personal data takes place within the activities of the data controller or data processor located in the European Union, regardless of whether the processing activity takes place within the European Union or not.

  • The personal data of the data subject are processed within the European Union by a data controller or data processor that is not established in the European Union, but the processing activities are related to (i) the provision of goods or services to the data subject in the European Union or (ii) monitoring the behavior of the data subject within European Union.

  • The personal data is processed by a data controller not established in the European Union, but the processing activity is within the scope of European Union law where international public law applies in the country in which the data controller is established, even if it is not established in the European Union.

The Guidelines on the territorial scope of the GDPR, provided by the European Data Protection Board (EDPB) in Guidelines 3/2018, offer additional analysis of the relevant article under the headings that follow.

As observed, if a data controller or data processor, whether an individual or organization, is not based in the EU but has a presence there through a business or engages in any data processing activities, Article 3 of the GDPR states that these activities are subject to the regulations of the GDPR.

The Criteria for the Establishment of the Data Controller or Data Processor in the EU

The General Data Protection Regulation (GDPR) applies to the processing of personal data, regardless of whether it occurs within the EU, as long as it is done by a data controller or data processor established in the EU. The term “establishment” is important in determining whether GDPR applies. Although GDPR does not provide a specific definition, the introductory provisions of the regulation suggest that a stable and effective activity is required, and the presence of a branch or legal entity is not necessary. This means that GDPR can apply to subsidiaries and branches of companies outside the EU, as well as companies without an establishment in the EU but with subsidiaries, branches, or employees engaged in data processing activities within the EU.

The presence of an establishment determines whether the data processing activities are within the scope of that establishment. The EDPB guidelines state that the assessment of whether the activities are related to a data controller or processor in the EU should consider the specific circumstances. It is important not to interpret this too narrowly, in order to provide effective protection. At the same time, simply having commercial activities within the EU does not automatically make a data controller or processor subject to EU data protection regulations. A data processor that is based in the EU, for instance, is required to comply with the rules and regulations outlined in EU legislation regarding data processing activities.

For example, the ECJ ruled in 2014 that Google Inc., a company based in the United States, was deemed to be “established” in the EU due to the interconnection between its search engine activities and the advertising activities of Google Spain.

GDPR provisions will apply to data controllers and data processors who process personal data within the EU, regardless of their establishment in the EU or the presence of a subsidiary or branch in the EU, based on the evaluation of their activities and the use of effective and consistent practices.

When evaluating the regional scope of the GDPR, what is important is whether the data processor or data controller is based in the EU or, as previously mentioned, has a business presence in the EU. In this context, it is enough for the data controller, data processor, or their establishments to be located in the EU, and the data can be linked to their activities within the EU. The GDPR does not require that the data processing activities themselves occur within the EU for the GDPR to be applicable.

If a data controller, who is subject to the GDPR, decides to have a data processor situated outside the EU, which is not bound by the GDPR, handle the personal data of the data subject within the EU, the data controller must guarantee, either through a contract or another legal method, that the data processor adheres to the GDPR regulations while processing the data. Furthermore, the data controller must abide by the EU regulations concerning the transfer of data outside the EU.

Right to be Forgotten

The right to be forgotten originated from a 2014 court ruling against Google in Spain. Article 17 of the GDPR was created to establish the right to have personal data erased, based on the courtā€™s decision that consent should be just as easily withdrawn as it is given.

Personal data must be deleted promptly if the entity in control of the data no longer has a legal reason to keep or use it. This means that individuals have the right to have their personal data deleted if it is being held by someone else without any valid justification.

Article 17 explains the reasons why a person can request to be forgotten. This includes when their personal data is no longer necessary for its original purpose and when they have withdrawn their consent.

If data processing is not done in accordance with the law, it must be erased. An example of this is when an employee leaves a company and requests their personal information to be deleted after the required retention period. In this case, the company is obligated to delete the data because the individual has withdrawn their consent and the company can no longer rely on the law governing data retention. Even if the employee did not withdraw their consent, the company would still be obligated to delete their personal information if it no longer serves its original purpose.

Privacy by Design and Privacy by Default

The GDPR requires that data processing systems be designed with privacy and data protection in mind. This means that companies must take measures to ensure the security and availability of data during the development phase. The idea is that data protection standards are most effective when built into the technology from the start.

For example, a service provider developing software for processing HR data must ensure that it meets data protection standards. It needs to consider whether it processes only the personal data necessary for each specific purpose, and whether it has implemented effective safeguards and technical measures such as pseudonymisation or data minimisation.

Blockchain and GDPR

The GDPR applies to all personal data, including the transactional data and public keys stored in the blockchain. This means that there may be conflicts between the GDPR and the architecture of blockchain technology. These conflicts will involve important values in both the law and the code. Some of these values can be negotiated or managed, while others are rigid and inflexible. The question is, what conflicts will arise and will they be manageable or will they result in legal disputes or the abandonment of firms and technologies?

Irrevocability of Records on Blockchain

The irrevocability of records on the blockchain constitutes a conflict between the right to be forgotten and the permanence of records.

Changing the data inside the blocks without detection is not possible; to achieve this, cryptographic hashing and timestamps are employed. A cryptographic hash function is a mathematical algorithm that converts an input of any length into a fixed-length output, the hash value, which serves as a transformed version of the original information. It plays a crucial role in blockchain technology because it is highly challenging to reconstruct the input data solely from the hash value. Additionally, hashing connects blocks in chronological order, linking them together. Consequently, each block is identified by its number, title, timestamp, creation details, and creator, all captured in a digital fingerprint represented by a cryptographic hash value. This enables the observation of all past transactions while making it arduous to reverse the process.

As previously mentioned, each block in a blockchain network contains a summary (the hash) of the previous block because of the chain's structure. Therefore, if one wants to modify the content of a specific block, they must also modify all subsequent blocks. If an error occurs in a block within the blockchain network, a new transaction is necessary to rectify the mistake. For instance, even if a block is tampered with by a hacker, any changes made will be immediately and permanently visible. However, in a scenario where a group of miners controlling more than 50% of the computing power in a blockchain network conducts a 51% attack, they can prevent the confirmation of new transactions and halt transactions between certain or all users.

In the past few years, certain players in the blockchain market, like Accenture, have developed blockchains that are editable, rewritable, or removable by utilizing “chameleon hash” functions. While these designs may help a blockchain adhere to the GDPR and KVKK regarding personal data protection, the ability to edit a blockchain implies that the technology itself could be undermined, contradicting its original purpose as a decentralized, immutable system and potentially rendering it meaningless.
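The hash linkage described above and the chameleon-hash idea just mentioned, as an added example that is not code from this page nor from any vendor's product: a small chain whose block links are a discrete-log chameleon hash. Editing a block without the trapdoor breaks every later link, exactly as with an ordinary hash chain; the trapdoor holder can rewrite a block and keep the chain valid. The block fields, the "redaction authority" role and the use of a freshly generated 256-bit safe prime are assumptions made for illustration.

```python
import hashlib
import json
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; callers sieve out small factors first, so n here is large and odd."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits):
    """Return (p, q) with p = 2q + 1 both (probably) prime; q has the requested bit length."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        p = 2 * q + 1
        if all(q % sp and p % sp for sp in SMALL_PRIMES) and is_probable_prime(q) and is_probable_prime(p):
            return p, q

class ChameleonHash:
    """CH(m, r) = g^m * y^r mod p with y = g^x. Anyone with (p, q, g, y) can evaluate it; only the holder of x can find collisions."""

    def __init__(self, p, q, g, y, x=None):
        self.p, self.q, self.g, self.y, self.x = p, q, g, y, x

    @classmethod
    def setup(cls, bits=256):
        p, q = gen_safe_prime(bits)
        g = 4  # a quadratic residue mod p, hence a generator of the order-q subgroup
        x = secrets.randbelow(q - 1) + 1  # the trapdoor
        return cls(p, q, g, pow(g, x, p), x)

    def _m(self, message):
        return int.from_bytes(hashlib.sha256(message).digest(), "big") % self.q

    def digest(self, message, r):
        return pow(self.g, self._m(message), self.p) * pow(self.y, r, self.p) % self.p

    def collide(self, old_message, old_r, new_message):
        """Trapdoor-only: r' with digest(new_message, r') == digest(old_message, old_r)."""
        if self.x is None:
            raise PermissionError("finding a collision requires the trapdoor")
        delta = self._m(old_message) - self._m(new_message) + self.x * old_r
        return delta * pow(self.x, -1, self.q) % self.q

def block_bytes(block):
    """Canonical serialisation of the hashed fields; the randomiser r is deliberately not included."""
    return json.dumps({k: block[k] for k in ("index", "data", "prev")}, sort_keys=True).encode()

def block_link(ch, block):
    return ch.digest(block_bytes(block), block["r"])

def append_block(chain, ch, data):
    """Append a block whose 'prev' field is the chameleon hash of its predecessor (no trapdoor needed)."""
    prev = block_link(ch, chain[-1]) if chain else 0
    block = {"index": len(chain), "data": data, "prev": prev, "r": secrets.randbelow(ch.q - 1) + 1}
    chain.append(block)

def verify_chain(chain, ch):
    """Each block's 'prev' must equal the recomputed hash of the block before it."""
    return all(chain[i]["prev"] == block_link(ch, chain[i - 1]) for i in range(1, len(chain)))

def redact_block(chain, trapdoor, index, new_data):
    """Rewrite a block's data and pick a new r so its hash, and hence every later link, is unchanged."""
    block = chain[index]
    old_bytes, old_r = block_bytes(block), block["r"]
    block["data"] = new_data
    block["r"] = trapdoor.collide(old_bytes, old_r, block_bytes(block))

def demo():
    """Return (initial_ok, redaction_ok, tamper_detected) for the scenarios discussed in the text."""
    trapdoor = ChameleonHash.setup(256)                                     # held only by a redaction authority
    public = ChameleonHash(trapdoor.p, trapdoor.q, trapdoor.g, trapdoor.y)  # what every validating node holds
    chain = []
    for data in ("genesis", "alice: registered e-mail", "bob: transfer 5", "carol: attestation"):
        append_block(chain, public, data)  # constructed sample records; appending needs no trapdoor
    initial_ok = verify_chain(chain, public)
    # Scenario 1: the trapdoor holder rewrites block 1; its hash value, and so block 2's 'prev', is unchanged.
    link_before = block_link(public, chain[1])
    redact_block(chain, trapdoor, 1, "alice: [erased]")
    redaction_ok = verify_chain(chain, public) and block_link(public, chain[1]) == link_before
    # Scenario 2: an edit without the trapdoor changes block 2's hash, so block 3's 'prev' no longer matches.
    chain[2]["data"] = "bob: transfer 500"
    tamper_detected = not verify_chain(chain, public)
    return initial_ok, redaction_ok, tamper_detected
```

Generating the group at start-up keeps the example self-contained; a real deployment would use standardised parameters and would have to decide who may hold the trapdoor, which is exactly the governance question the paragraph above raises.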

Article 17 of the GDPR states that organizations must delete personal data once they have fulfilled the original purpose of collecting it. This means they must be able to remove personal data from their own and third-party databases if the individual withdraws their consent and there is no other legal reason to keep the data.

However, this requirement contradicts one of the main principles of blockchain technology, which is that data recorded on the blockchain ledger is permanent and cannot be tampered with. Removing data from the blockchain would go against the principle of irreversibility and immutability.

In a blockchain system, each block is connected to the previous block through cryptographic hash functions. This means that any attempt to alter the data in a block would affect the entire blockchain. Therefore, if a company using blockchain technology complies with requests to delete data, it could compromise the consistency of the blockchain, leading to a loss of reliability and customer trust.

Transparency of Blockchain

Certain elements of blockchain technology don’t align with the privacy requirements outlined in Article 25 of the GDPR. The GDPR necessitates that data processing systems be designed and developed with privacy in mind, but the nature of blockchain technology contradicts this requirement.

The characteristic of tamper-proofness or immutability is one of the key features of a blockchain database. It is currently not possible to remove data from the blockchain ledger without disrupting the integrity of the entire chain.

The fundamental nature of blockchain goes against the concept of being able to be forgotten. Integrating a feature that allows for forgetting contradicts the original design of the technology. Blockchain keeps a record of the origin of items it tracks, and removing oneself from this record would disrupt the chain of custody. This contradicts the main value of blockchain technology.

The blockchain’s transparent and tamper-proof nature allows for every transaction to be recorded and verified by anyone with access to the system. This raises concerns from a data protection perspective, as personal data must be stored securely and only accessible to authorized individuals. Companies can use techniques like pseudonymization and encryption to comply with these requirements.

The visibility of personal data on the public blockchain ledger contradicts the principle of availability because it can be accessed by unauthorized parties. Additionally, if someone can identify users from the transactional data stored on the blockchain, it goes against the principle of confidentiality. One study shows that it is still possible to trace blockchain users by their pseudonymized addresses and transactional data, linking them to their IP addresses. This contradicts the privacy-by-design requirement as the transparent nature of blockchain ledgers poses privacy concerns.

The Common Ground of GDPR and Blockchain Technology

The conflicts between GDPR and blockchain can be resolved by finding common ground, reinterpreting the regulations, and adjusting the blockchain technology to comply with data protection laws. It is not a situation where one side wins at the expense of the other, but rather a need for compromise and balance between the two.

Both blockchain and the GDPR follow data privacy principles. Instead of focusing on their differences, it is better to focus on what they both aim to achieve. This will help in finding a way to accommodate the technology and the GDPR.

Both blockchain technology and the GDPR aim to enhance data privacy and security, but they have different approaches to achieving this goal. While they share some fundamental principles such as transparency, individual control over data, data minimization, and encryption, they differ in their methods. To reconcile the differences, it is important to focus on their shared objectives rather than debating the specifics of how they are achieved.

Highlighting commonalities between the blockchain database and the right to be forgotten would provide further insight. While the immutability of the blockchain may conflict with the right to be forgotten, it aligns with the “privacy by design” principle of GDPR. The decentralized and immutable nature of the blockchain ensures the integrity and accuracy of stored records, reducing the risk of unauthorized modifications. This aligns with the considerations outlined in Article 25 of GDPR regarding the design and development of technology.

The blockchain technology allows users to have control over their personal data stored on the blockchain database. They are able to decide whether or not to share their data and can limit the amount shared to only what is necessary for a specific transaction. However, once data is entered into the blockchain, it cannot be removed or forgotten due to the architectural rules of the digital environment.

In conclusion, the blockchain database stores information in a way that is anonymous and transparent. Users can only see each other’s personal data if they are given a special private key. However, the transactions without personal data are visible to all users, which removes the need for a trusted intermediary. Both blockchain and the GDPR use anonymization and transparency to ensure data privacy and security.

Types of Data Stored on the Blockchain

Blocks are what contain transaction data. The data held there can include the block number and the block header, which indicates the digital signatures and when and by whom the block was created. The blocks also contain transactional information, which may be encrypted or written in plain text. The blockchain can also contain a digital wallet and private or public keys.

The main question that arises when evaluating data on the blockchain from a legislative perspective is whether the data stored on the blockchain is, or can be, classified as personal data. For example, Personal Data Protection Law No 6698 states that all information on or about an identified or identifiable person is accepted as personal data. Therefore, the content of the block is what matters in this evaluation: is there an identified or identifiable data subject?

For instance, block headers cannot be considered personal data. However, the content of the block, depending on whether connections or identifications can be made, may constitute processing of personal data.

The discussion surrounding whether data stored on the blockchain should be considered personal data is important, especially when it comes to transaction data and public keys. To ensure compliance with the GDPR and the KVKK, the definitions of transaction data and public key concepts are explained below.

Transaction Data

Transaction data is information that is obtained directly from specific transactions and it includes details such as the time, location, price, payment methods, discounts, and quantities involved in the transaction.

Encryption allows the data to be accessed by anyone holding the appropriate keys, so encrypted data is not truly anonymous. This is why encryption is treated as pseudonymization under EU data protection laws. Therefore, data stored on the network in encrypted form is considered pseudonymous data: individuals can still be identified, which makes it personal data.

While the KVKK does not specifically mention pseudonymous data, it is likely that it could be considered personal data based on EU regulations. However, the lack of clear guidance on this concept in KVKK may create uncertainty when applying it to blockchain technology.

The EU’s GDPR considers pseudonymous data and data that has been subjected to cryptographic hashing as personal data. However, the process of cryptographic hashing is not seen as anonymization, but rather as pseudonymization, as it still allows for the possibility of linking the data to the individual.

The Article 29 Working Party, established under Article 29 of the Directive, clarifies that the cryptographic hashing method is not true anonymization but rather a technique known as pseudonymization, as it still allows for the identification of the data subject.

Anonymous data, where the connection between the information and a particular person is removed, is not considered personal data according to Directive 95/46/EC of the European Union. Anonymization makes it impossible to identify a person, which goes against the transparency and immutability principles of blockchain technology, causing a conflict with privacy.

Transactional data is recognized as personal data when it is connected, either directly or indirectly, to an identifiable person. Since distributed ledgers frequently track assets like an accounting tool, it’s important to note the stance of the United Kingdom’s Data Protection Authority. They suggest that financial data is especially attractive to attackers, implying a higher level of motivation for potential intruders, as seen in their ‘motivated intruder test.’ Therefore, it’s clear that transactional data can indeed be classified as personal data.

Public Key

Public keys are alphanumeric sequences that can be used to identify an individual or organization for transaction or communication purposes. These keys are considered pseudonymous, not anonymous, because they contain address and name information. Research suggests that public keys can be traced back to IP addresses, potentially revealing the identity of the person associated with the key. Under the GDPR, pseudonymous data that can be linked to a real person when combined with other data is considered personal data. Similarly, dynamically assigned and changeable IP addresses are also considered personal data. However, there is no definitive stance on this issue due to the absence of explicit definitions and a lack of consensus from relevant authorities.

In summary, public keys are considered personal data and cannot be stored outside of the blockchain. They are essential for verifying transactions, and finding legal solutions for public keys is more difficult than for transactional data.

The French Data Protection Authority has emphasized that public keys are likely to be considered personal data according to GDPR. This view is also supported by a report from the European Union’s Blockchain Observatory and Forum, highlighting the risk of linking data. While each situation requires a detailed individual assessment, it’s clear from these observations that public keys connected, directly or indirectly, to an identifiable individual are recognized as personal data within the EU framework.

Reversibly Encrypted Data

Reversible encryption is a method of scrambling data so that it can be restored to its original, readable form, but only by the person holding the encryption key. There are different types of reversible encryption, such as symmetric and asymmetric encryption.

Although strong encryption methods can be used to protect personal data, it cannot be said that these methods completely anonymize the data. Instead, they only transform the personal data into pseudonymous data, which can still be reversed using the key. Therefore, public keys, transaction data, and reversibly encrypted data are generally classified as personal data and should be handled in accordance with the regulations outlined in the KVKK and GDPR if utilized in a blockchain network.

The CCPA

The California Consumer Privacy Act of 2018 (CCPA), which went into effect on January 1, 2020, was a push in the United States for privacy protection laws to be strengthened and broadened. Although no comprehensive federal privacy law has been enacted, many expect the United States Congress to enact a comprehensive privacy and data security regulation.

The CCPA defines personal information broadly, so as to include any information that directly or indirectly identifies, describes, or can reasonably be linked to a particular California resident consumer or household. The CCPA mainly applies to businesses that collect or control consumer personal information. For a business to be responsible in this respect, it must either have an annual gross revenue exceeding 25 million dollars; annually buy, receive, share, or sell, alone or in combination, the personal information of more than 50,000 consumers/households for commercial purposes; or derive 50% or more of its annual revenue from selling consumer personal information.

According to the CCPA, entities that qualify as “businesses” must provide or report certain data. These entities must perform abbreviated disclosure on the personal information collected from or about covered consumers as well as other disclosures. They are expected to also disclose the sale or disclosure of personal information for a business purpose.

These entities are also expected to provide the ability to opt-out from the sale of personal information as well as opt-in requirements before selling minors’ personal information. Lastly, there is also the requirement to provide the ability for such covered consumers to access and/or delete personal information that has been collected on them. These business entities must also provide measures that prevent discrimination against consumers exercising CCPA rights.

Complying with the CCPA can be challenging for many blockchains. The CCPAā€™s regulation of personal information is distinct in that it creates a category that not only identifies users, but, broadly, also includes information that relates to, describes, can be associated with, or reasonably linked, directly or indirectly with a particular consumer or household. Therefore, personal information can also be unique personal or online identifiers.

The CCPA identifies a consumer as a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier. This definition, with the use of “any unique identifier”, results in most businesses likely storing consumer personal information.

The business purpose is important in the context of the CCPA. A business purpose is the use of personal information for the business’s or a service provider’s operational purposes, or notified purposes, provided that the use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed. The use of personal information can also be a business purpose if it serves other operational purposes that are compatible with the context in which the personal information was collected.

Section 1798.140(d) of the CCPA is important in evaluating business purposes. This Section pertains to the examination of interactions with consumers and transactions, encompassing activities such as tallying ad impressions for unique visitors, confirming the positioning and quality of ad impressions, and auditing adherence to specified standards and other criteria. The CCPA addresses the identification of security incidents, safeguarding against malicious, deceptive, fraudulent, or illegal activities, and pursuing legal action against those responsible.

Performing services on behalf of the business or service provider, including acts such as account maintenance, customer service provision, order and transaction processing, customer information verification, financing provision, payment processing, advertising and marketing services, analytic services… etc., is also a business purpose. Activities aimed at verifying or ensuring the quality or safety of a service or device owned, manufactured, or controlled by the business or service provider likewise fall within the scope of business purpose.

Consumers’ Right to Opt-Out and The Business’ Right of Non-Compliance

The CCPA regulates a consumer’s right to opt out as well as the consumer’s right to request that a business delete any personal information about the consumer that the business has collected. The consumer has the right to, at any time, direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.

There are circumstances where a business is not required to comply with a consumer’s request to delete their personal information. This can occur if it is necessary for the business or service provider to maintain the customer’s personal information. This necessity can be if the information is needed for the completion of a transaction, to provide a good or service that the consumer requested, or if the need for the personal information is anticipated reasonably within the context of the ongoing relationship between the consumer and the business. This can also be the case if the information is necessary to perform a contract between the consumer and the business.

If the data is required for the detection of security breaches, the protection against malicious, deceptive, fraudulent, or illegal activity, and to prosecute those responsible for such activity, then the business is not required to comply with consumer requests. If the business is using such personal information to identify and repair errors that impair existing functionality, the business isn’t required to comply with opt-out requests.

If the information is used to exercise free speech, or to ensure the right of another consumer to exercise free speech or other rights provided by law, then businesses can reject consumer requests to delete information. If the business engages in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, the deletion of the information is likely to render impossible or seriously impair the achievement of such research, and the consumer has provided informed consent, then the business isn’t required to comply with consumer requests.

Finally, if the information is used to comply with legal obligations or used internally, in a lawful manner that is compatible with the context in which the consumer provided the information, the business can also deny the consumer’s request for deletion.

Responsibility Under The CCPA

The CCPA is clear in that businesses are responsible for the processing of personal information. However, the issue in the context of blockchain is whether the blockchain organization is a business. On the other hand, developers will not have a responsibility to comply with CCPA rules. The right of action is placed on the consumer’s shoulders, as they have the responsibility to request deletion or correction of personal information. If they qualify as a business and meet the requirements set out by the CCPA, miners and nodes can be required to comply with CCPA rules.

Businesses that exercise control or ownership over permissioned blockchain networks should adopt technology that adheres to the CCPA. They have the option to regulate access to personal information through permission controls. Meeting CCPA requirements for permissionless, decentralized blockchains poses a challenge, as it may not always be evident whether a business exists, let alone anyone with the capacity to modify the immutable data on the ledger.

If a business develops and deploys a permissionless, public, decentralized blockchain that stores and transmits consumers’ personal information, it is likely obligated to comply with the CCPA. However, especially in terms of deleting consumer personal information, this isn’t attainable.

The Issue of Applicable Law

In the context of the application of the CCPA, it applies to certain entities conducting business in California that collect consumer personal information. However, there are various forms of blockchain organizations that can affect the liabilities of enforcing the CCPA. There is also the fact that some blockchain organizations may qualify as a business but are not permissionless. Ultimately, in the case where certain blockchain organizations are not permissionless, do not make up a legal entity, and don’t have a responsible party, enforcing the CCPA would be difficult.

Based on the explanations given above, it is clear that in blockchain technology, personal data is not only recorded by a single center or group of centers, but by all participants in the system. The main objective of this system is to distribute the established rules and the record chain generated by these rules to everyone involved, without the need for the parties to know each other. In open and Permissionless Blockchain Networks, the main function nodes (master nodes) that hold copies of all data can be located anywhere in the world. Therefore, it is challenging to determine the exact location of these fully functional nodes and which country’s laws they fall under. It is important to note that neither the GDPR nor the KVKK can be freely contracted; instead, the provisions of these regulations will be directly applied to any situation falling within their scope.

Furthermore, as explained earlier, a broad understanding of the geographical reach of the GDPR, particularly in the context of open Blockchain Networks, is expected to lead to the enforcement of the regulation across almost the entire network. Consequently, it is anticipated that all parties involved will be required to comply with all the obligations specified in the GDPR.

However, because the relevant regulations are directly applied, particularly in open and Permissionless Blockchain Networks where data controllers and data processors can be situated globally, there might be a requirement to adhere to multiple data protection regulations at the same time.

In fact, due to the cross-border nature of business activities of data controllers like cryptocurrency exchanges, wallet providers, and other blockchain service providers, the broad interpretation of the regional scope of the GDPR suggests that all of them will be impacted by this regulation. As a result, multinational companies from outside the EU might choose to prevent individuals within the EU from accessing their services in order to avoid GDPR compliance, or they might even go as far as completely stopping their operations in the EU.

Complying with the GDPR can present a substantial economic obstacle for smaller data-focused businesses in the EU, potentially jeopardizing their survival. Recent events demonstrate this, as Coinbase, the leading cryptocurrency exchange in the US, has already introduced distinct privacy policies for its users in the US and the EU. Concurrently, CoinTouch, a P2P exchange based in London, declared its closure entirely because it could not afford to meet the expenses associated with GDPR compliance.

In conclusion, when blockchain technology is implemented, there may be concerns about how the KVKK and the GDPR apply in terms of scope and regional coverage. This is especially important for smaller businesses in the EU, as complying with the GDPR can significantly affect their economic stability. Recent instances, like Coinbase and CoinTouch, demonstrate the difficulties businesses encounter when adjusting to data protection regulations in various jurisdictions.

Personal Rights of Data Subjects and General Obstacles

First of all, it is important to note what kinds of rights data subjects (relevant individuals) have with respect to their personal data. According to KVKK and very similarly to GDPR and CCPA, everyone has the right to apply to the data controller and inquire about the following regarding their personal data:

a) To find out whether their personal data is being processed,

b) If their personal data has been processed, to request information regarding this,

c) To learn the purpose of processing their personal data and whether it is used in accordance with its purpose,

d) To know the third parties to whom their personal data has been transferred, either domestically or abroad,

e) To request the correction of their personal data if it is incomplete or processed inaccurately,

f) To request the deletion or destruction of their personal data within the framework of the conditions,

g) To request notification of the processes carried out according to clauses (d) and (e) to the third parties to whom personal data has been transferred,

h) To object to any outcome against the individual resulting from the analysis of the processed data exclusively through automated systems,

ğ) To request compensation for damages in case of loss due to the unlawful processing of personal data.

As stated above, data subjects have the right to request deletion of their personal data. This stems from the fundamental right to privacy of individuals. Data subjects may also request the complete eradication of their personal data as well as the editing or updating of inaccurate information. These rights of data subjects are set out above.

Due to the technical structure of blockchain technology, deleting or altering information is not possible. Data on the blockchain cannot be erased; this therefore creates a serious point of contention between data privacy laws and the technology.

The data stored on the blockchain cannot be updated either. Privacy laws underline the importance of data being up-to-date and accurate, so this is also a point of contention.

Reconciling Blockchain Technology and Data Privacy Laws

Data protection laws such as the GDPR, the KVKK, or the CCPA do not outlaw the use of blockchain technology. However, it is also true that these laws are not as compatible with the technology as they could be. Yet, companies utilizing blockchain technology in their business or service providers using this technology may still be required to comply with these laws.

The most sensible approach a blockchain organization can take in order to avoid violating privacy laws is to refrain from processing and storing personal data and information. However, this is easier said than done. Another approach could be storing data off-chain instead of within the blockchain itself. Ultimately, no new mechanism for privacy-protective data processing within the blockchain itself has yet been created.
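The off-chain approach just mentioned, together with the earlier point that hashing a value is pseudonymization rather than anonymization, as an added example that is not part of the original paper. The ledger keeps only a keyed commitment to each record; the personal data and the per-record key live off-chain, so a deletion request is honoured by destroying them, which leaves the append-only ledger untouched but no longer linkable. The in-memory `LEDGER`/`OFF_CHAIN` stores, the `commit`/`erase` functions and the sample e-mail address are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List

# Added example (not the paper's code). Two stores: an append-only ledger that
# is never modified, and an off-chain store that can be erased.
LEDGER: List[dict] = []                  # {"record_id": ..., "commitment": ...}
OFF_CHAIN: Dict[str, dict] = {}          # record_id -> {"key": bytes, "data": dict}


def plain_hash(identifier: str) -> str:
    """Unsalted SHA-256 of an identifier: the hashing the text treats as pseudonymization only."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def is_linkable_plain(ledger_value: str, known_identifier: str) -> bool:
    """Anyone who already holds the identifier can recompute the hash and match it."""
    return hmac.compare_digest(plain_hash(known_identifier), ledger_value)


def _tag(key: bytes, data: dict) -> str:
    # Canonical JSON so the same record always yields the same commitment.
    canonical = json.dumps(data, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def commit(record_id: str, personal_data: dict) -> str:
    """Keep the data off-chain under a fresh random key; put only HMAC(key, data) on the ledger."""
    key = secrets.token_bytes(32)
    tag = _tag(key, personal_data)
    OFF_CHAIN[record_id] = {"key": key, "data": personal_data}
    LEDGER.append({"record_id": record_id, "commitment": tag})
    return tag


def is_linkable_committed(record_id: str, known_data: dict) -> bool:
    """Linking a ledger commitment to a person requires the per-record key held off-chain."""
    rec = OFF_CHAIN.get(record_id)
    if rec is None:
        return False                      # key destroyed: the commitment is just random-looking bytes
    entry = next((e for e in LEDGER if e["record_id"] == record_id), None)
    if entry is None:
        return False
    return hmac.compare_digest(_tag(rec["key"], known_data), entry["commitment"])


def erase(record_id: str) -> bool:
    """Honour a deletion request off-chain: drop the record and its key. The ledger is not touched."""
    return OFF_CHAIN.pop(record_id, None) is not None


if __name__ == "__main__":
    email = "alice@example.org"           # constructed sample identifier
    print("plain hash still linkable:", is_linkable_plain(plain_hash(email), email))
    commit("rec-1", {"email": email})
    print("commitment linkable before erase:", is_linkable_committed("rec-1", {"email": email}))
    erase("rec-1")
    print("commitment linkable after erase:", is_linkable_committed("rec-1", {"email": email}))
    print("ledger entries kept:", len(LEDGER))
```

The ledger entry itself is never removed; only the ability to tie it to a person is destroyed, which is the distinction the text draws between pseudonymous and anonymous data.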

Quick Takeaways

In this part, we would like to address some direct questions readers may have. However, before reading this part or acting solely upon the information we provide here, we strongly recommend that everyone read the whole paper and consult local experts in this area.

What types of data are generally stored on blockchain networks, and how are they classified legally?

The data stored on the blockchain can be categorized as transaction data and public keys. As explained in detail above, personal data can be broadly defined as any information of any kind that in fact makes an individual identifiable.

Transaction data mostly consists of senders’ and receivers’ addresses, the amount transferred, timestamps, the cryptographic hash, and various other data depending on the nature of the transaction and blockchain. As long as the information can be considered as pertaining to an identified or identifiable individual, all of this information, regardless of what it is, will be considered personal data, and the relevant legislation will apply to the case depending on the individual concerned and the nature of the dispute.

What existing legal frameworks govern the storage of data on blockchains?

It is worthwhile to note that almost every country has its own legislation on data privacy and security. However, it is safe to say that the idea behind all of them is actually quite similar, and the rules that come with them generally tend to align with each other.

However, there are also some pieces of legislation, such as the GDPR, that have burst into prominence. So, when determining which jurisdiction and regulation you are subject to, you should consider the nature of your data processing, whose personal data is being collected and processed, where you process this personal data, with whom you share this data, etc.

How do jurisdictional issues affect the legal matter regarding data stored on a decentralized network?

Decentralized networks frequently span several nations, making it difficult to ascertain which legal system is in effect. Due to its worldwide distribution, there may be inconsistencies between national laws, particularly in regard to data protection, cyber security, and financial restrictions.

The data in a classic centralized system is stored in distinct, recognizable locations, which facilitates the identification of the relevant legal jurisdiction. Decentralized networks, on the other hand, disperse data over a large number of nodes, possibly in several jurisdictions, making it more difficult to identify which rules apply to the management and transfer of the data.

Therefore, it is actually not possible to directly answer this question at first sight. It is even possible for a decentralized network to be subject to one jurisdiction on a particular matter and to another jurisdiction for some other issue. For example, if the issue concerns an individual who resides in Türkiye and holds Turkish citizenship, then the KVKK will most probably be applicable. However, in another scenario, if the legal matters concern an EU citizen, then it is possible for the blockchain to be subject to the GDPR regardless of where it processes personal data.

Furthermore, it is even possible and probable for a blockchain to be subject to more than one piece of legislation at once. For example, if the blockchain is in some way located in Türkiye, or somehow connected to Türkiye via its managers, and the personal data being processed pertains to an EU citizen, then that blockchain will most probably be obligated to comply with both the KVKK and the GDPR.

The first and main thing to do is to determine what type of personal data is being processed, whose personal data is processed, and how. After that, the applicable legislation will be easier to find.

Are there instances where data stored on blockchain networks has been subpoenaed or involved in legal proceedings?

As far as we are aware, no such case has gone public and attracted attention. However, we are confident of, and have first-hand witnessed, cases where courts or prosecution offices request information from blockchain networks or crypto asset service providers regarding legal matters they examine.

One of the main contexts in which these authorities request information is fraud, AML, and KYC. Many jurisdictions, such as Türkiye, are concerned with the anonymous nature of transactions conducted on the blockchain. Furthermore, they closely examine suspicious transactions for whether they are related to the financing of terrorism. Moreover, unfortunately, blockchain transactions are commonly perceived by many authorities as a means of tax evasion. Therefore, governmental bodies often ask for information from blockchain networks or crypto asset service providers. In Türkiye, since crypto asset service providers are included among the obliged parties of MASAK (Financial Crimes Investigation Board), crypto asset service providers have to comply with KYC and AML procedures, which naturally results in the collection of personal data that will be shared with MASAK and other relevant authorities upon request.

LEGAL DISCLAIMER

THE INFORMATION PROVIDED IN THIS PAPER PROVIDES GENERAL INFORMATION AS TO THE POSSIBILITIES IN MULTIPLE JURISDICTIONS. PLEASE KEEP IN MIND THAT LAWS THAT APPLY TO THE SUBJECT HEREIN MAY DIFFER IN EACH JURISDICTION. THUS, NOTHING CONTAINED HEREIN CONSTITUTES ANY LEGAL OPINION OR SUGGESTION OF ANY KIND. PLEASE CONSULT LOCAL EXPERTS IN RELEVANT AREAS BEFORE TAKING ANY ACTION BASED ON ANY INFORMATION CONTAINED HEREIN.