
Pels Rijcken & Droogleever Fortuijn attorneys and civil law notaries

White paper
Legal aspects of blockchains
1. Blockchains are seen as the greatest technological innovation since the rise of the internet.
Experts believe that the use of blockchains will change our society forever, not least because they have the potential to cut out so-called ‘trusted third parties’ such as government agencies, banks or notaries from transactions.

Due to this promise, the Dutch business community and government are investigating the extent to which blockchain technology can be applied to various fields in a series of pilot projects. Some of these pilot projects were assisted from a legal perspective by the innovation team from Pels Rijcken & Droogleever Fortuijn lawyers and notaries.

Being an innovation team, we provided advice on the various legal aspects that are able to play a role in a blockchain. What struck us during this process was that legal issues often had an impact on fundamental aspects of the blockchain, depending on the context in which a blockchain application is used. For that reason among others, we worked closely – from the start – with the programmers who built the blockchains.

In this white paper, we share the most important legal findings from these building processes. We have tried to address these findings as straightforwardly as possible. Should you have any questions on this white paper or if you need further clarification on anything else, we would be happy to help.

Pels Rijcken innovation team
Sandra van Heukelom
Jeroen Naves
Marte van Graafeiland

2. What is a blockchain?
2.1 Distributed ledger
A blockchain is often described as a digital ledger with lines of information. In principle, only lines of
information can be added to the ledger (as with a paper ledger). Once added, the information cannot,
in principle, be altered.

Date        Identity  Log
01/09/2017  JNAV      Xoupafdfadpsjfasdfgd
02/09/2017  SHEU      Adj;fkas;dafjds;fasdfg
03/09/2017  MGRA      Ahjqlkeqjwrqwpmjvpf

This digital ledger is spread over various computers that are connected to each other and thus form
a network. The computers within the network are often referred to as ‘nodes’. Each node within the
network contains a copy of the digital ledger.

There is no single, pre-eminent version of the digital ledger. Each copy of the digital ledger regularly
synchronises with the others. This ensures that if a line of information is added to the blockchain via
one of the nodes, the information is also added to the copies of the ledger.

The strength of blockchain technology (or distributed ledger technology) is that if information that
has already been added via one of the nodes is altered, the other copies of the ledger will recognise
these alterations and return an error message. This ensures that if there are at least enough nodes in
a given blockchain network, it is not possible to alter information in a blockchain.
As it is not possible to alter information in a blockchain, the information in question is highly reliable.
Whereas the reliability of information is often based on the credentials of the party providing the
information (such as a bank or the land registry), it is the technology behind blockchains that is the
guarantor of reliability. Therefore it is often said that the technology behind blockchains will, one day,
replace such trusted third parties.

2.2 The technology behind blockchains


The technology outlined above, in which a ledger is stored across the network rather than being held
centrally on a single node, is not unique to blockchain technology. Blockchains are just one form of
such distributed ledger technology.

What does make blockchain technology unique, however, is that a set of transactions is compiled in
a block in each case. Each block is given a unique code (a header). This header refers to the header of
the previous block. As a result, all blocks are linked to each other, creating a chain: the blockchain.
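
The header linking described above, and the way an altered entry surfaces when ledger copies are compared (section 2.1), shown as an added example that is not part of the white paper. It assumes a header is a SHA-256 hash over the previous header and the block's transactions (the paper only calls it a 'unique code'); the function names, node names and sample transactions are constructed for illustration.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS_PREV = "0" * 64  # assumed stand-in "previous header" for the first block


def compute_header(prev_header, transactions):
    """Header = SHA-256 over the previous header and this block's transactions."""
    payload = json.dumps({"prev": prev_header, "tx": transactions}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(batches):
    """Compile each batch of transactions into a block that refers to the previous header."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        header = compute_header(prev, list(txs))
        chain.append({"prev": prev, "tx": list(txs), "header": header})
        prev = header
    return chain


def first_invalid_block(chain):
    """Index of the first block that is out of sync, or None if the copy verifies."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["prev"] != prev:
            return i  # back-reference no longer matches the preceding header
        if compute_header(block["prev"], block["tx"]) != block["header"]:
            return i  # content no longer matches the stored header
        prev = block["header"]
    return None


def outvoted_nodes(copies):
    """Nodes whose latest header differs from the one held by most nodes."""
    tips = {name: chain[-1]["header"] for name, chain in copies.items()}
    majority_tip, _ = Counter(tips.values()).most_common(1)[0]
    return sorted(name for name, tip in tips.items() if tip != majority_tip)


# Constructed sample data; identities reuse the initials from the ledger figure.
SAMPLE_BATCHES = [
    ["JNAV pays SHEU 5", "SHEU pays MGRA 2"],
    ["MGRA pays JNAV 1"],
    ["JNAV pays MGRA 3"],
]


def demo():
    honest = build_chain(SAMPLE_BATCHES)

    # Case 1: one transaction in block 1 is altered, headers left untouched.
    edited = copy.deepcopy(honest)
    edited[1]["tx"][0] = "MGRA pays JNAV 100"

    # Case 2: block 1 also gets a fresh header, so block 2 now points at a
    # header that no longer exists.
    relabelled = copy.deepcopy(edited)
    relabelled[1]["header"] = compute_header(relabelled[1]["prev"], relabelled[1]["tx"])

    # Case 3: every later header is recomputed. The copy verifies on its own,
    # but its latest header disagrees with the copies held by the other nodes.
    altered_batches = [list(b) for b in SAMPLE_BATCHES]
    altered_batches[1][0] = "MGRA pays JNAV 100"
    resealed = build_chain(altered_batches)
    copies = {"node-a": honest, "node-b": copy.deepcopy(honest), "node-c": resealed}

    return {
        "honest": first_invalid_block(honest),
        "edited": first_invalid_block(edited),
        "relabelled": first_invalid_block(relabelled),
        "resealed": first_invalid_block(resealed),
        "outvoted": outvoted_nodes(copies),
    }


if __name__ == "__main__":
    print(demo())
```

The third case is why the number of independent nodes matters: a fully recomputed copy passes its own check and is only exposed by comparison with the other copies.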
The headers of a block depend on the content of the transactions that are contained within the block. At the moment that the slightest alteration is made to just one of the transactions, the header of that block changes. As a consequence, all subsequent block headers become out of sync as they no longer refer, directly or indirectly, to the header of the changed block.

[Figure: Block 1, Block 2 and Block 3, each with a Header and a Transaction]

(This is, of course, a much simplified representation of the process).

2.3 Public and private blockchains
The most famous blockchain is the blockchain that is the basis of bitcoin. Bitcoin is the original cryptocurrency. Bitcoin makes it possible to trade in cryptocurrency without the intervention of a bank.

The blockchain that forms the basis of bitcoin is an example of a public blockchain. Anyone can create an account and then view all transactions within the blockchain. Furthermore, anyone within a public blockchain has equal rights. There is no central organisation that administers the blockchain or otherwise has more rights than any other user.

A public blockchain, such as the one on which bitcoin is based, must be distinct from a (more) private blockchain. A blockchain may tend towards being private, for instance because the parties that administer the nodes that hold the blockchain are known, the parties that have access to a blockchain or the information that parties can view within a blockchain are known. Private blockchains are often administered by organisations. That, however, goes against the original intention of blockchains, which was to make trusted third parties superfluous, although it does have some practical advantages as discussed below in this paper.

2.4 Smart contracts
The term ‘smart contracts’ generally refers to a block of programming code in which a transaction is contingent on the execution of one or more events. A smart contract is always essentially based on an if/then construct.

A good example of a smart contract is a soft-drinks machine that automatically orders new drinks when the machine is almost empty. In a fictional programming code, the smart contract would look like the example shown below:

IF
    Number of bottles of soft drink <= 10
THEN
    Send order to soft-drink supplier

Smart contracts are often thought to go hand in hand with blockchains. The reason for this is that blockchains and smart contracts work well together. Smart contracts rely on circumstances with a high degree of accuracy in order to be triggered. The blockchain can deliver that level of trust.

The term ‘smart contract’ conveys the idea that a legal meaning is attached to the smart contract. However, section 3.5 of this white paper explains in greater detail that this is not always the case.

3. A few legal pointers when using blockchains in practice
3.1 Introduction
Blockchain technology raises a number of legal issues. Some of those issues will be addressed in this section. In section 4, we will address the issue of the extent to which it is possible to process personal data within a blockchain in greater detail.

In answering these questions, however, not all legal impediments to the application of blockchain technology can be removed in practice. Depending on the sector in which a blockchain is used, there may be specific rules that apply to blockchains. For instance, a blockchain for trading electricity must comply with the specific legislation that applies within the energy sector. A blockchain that is used in the healthcare sector will have to comply with the rules that apply within that sector. We will generally indicate such issues as material issues when we apply legal tests to a blockchain.

The material legal issues that can differ within each blockchain must be distinguished from the legal issues that are relevant within almost every blockchain. We call these more generic legal blockchain issues the formal legal questions. In the rest of this section we will address several important formal legal questions.

3.2 Applicable law
Before the question of whether a blockchain complies with Dutch law can be answered, we must first answer the question of whether Dutch law is applicable to blockchains at all. In this context it is relevant that it is difficult to say, in general, which country’s law applies to a blockchain, as each jurisdiction sets different standards for applicability. For instance, it is conceivable that Dutch civil law is applicable to a transaction within a blockchain, but that the German tax authorities are allowed to impose tax on the same transaction under German law. If you consider that this could be the case for every transaction within a blockchain, this could mean that rules from many different legal systems apply depending on the context of a blockchain.

If a transaction within a blockchain is made between two Dutch parties, Dutch civil law will, generally, apply.[1] The Regulation of the European Parliament and of the Council on the law applicable to contractual obligations (Rome I) determines which country’s law applies where a transaction is made between two parties from different countries in the European Union. The guiding rule in that respect is that parties are free to choose which country’s law applies to the transaction that they are concluding within the blockchain. If they fail to do so, the general rule is that the law of the country in which the characteristic performance takes place will apply.

For example, let us assume that a Dutch person buys a bicycle online from a Belgian as a result of which a transaction is made on a blockchain, because the Dutch person pays for the bicycle in bitcoin. In this instance, delivery of the bicycle is the characteristic performance. After all, payment is not what distinguishes this transaction from other transactions: the substance of the transaction is delivery of the bicycle. For that reason, the transaction involving the bitcoin will also be subject to Belgian law.

The question of the country in which the characteristic performance is made is relevant solely to define which country’s civil law applies to a transaction within a blockchain. Whether, for instance, tax law, general administrative law or the financial law of a specific country applies to a transaction within a blockchain depends on other circumstances. In section 4 we will address the issue of when European privacy legislation applies to the processing of personal data in a blockchain in greater detail.

Once it has been established that Dutch civil law applies to a transaction within a blockchain, the next step is to answer the question of how such a transaction is classified under Dutch law. That, too, is heavily reliant on the specific circumstances surrounding the matter. In that context it is relevant that the Overijssel District Court ruled (on 14 May 2015) on the classification of a payment with bitcoin.[2] The court came to the conclusion that bitcoin is not ‘money’ in the sense of Section 6.1.11 of the Dutch Civil Code, but should be seen as a means of exchange. If the Overijssel District Court is, indeed, right, any agreement involving payment in bitcoin cannot be seen as a contract of sale, but as a barter agreement.[3] Incidentally, the implications of this are marginal. Article 50 of Book 7 of the Dutch Civil Code states that all definitions used in the first title of Book 7 (Specific Contracts, including contracts of sale) apply to the barter agreement. This also means that all consumer-protection terms contained in that Title apply to a consumer contract in which the payment is made in bitcoin. Furthermore, the European Court of Justice adjudged (on 22 October 2015) that bitcoin transactions were not subject to VAT.[4] This judgment could be construed as meaning that bitcoin constitutes ‘money’. Under Dutch law, however, bitcoin transactions are subject to wealth tax.[5]

[1] It is not possible to depart from this except where the parties have contractually agreed that a different law is applicable.
[2] Ruling of the Overijssel District Court, 14 May 2014, ECLI:NL:RBOVE:2014:2667.
[3] Although it is assumed that barter agreements are a type of contract of sale.
[4] ECJ 22 October 2015, ECLI:EU:C:2015:718.
[5] According to the Dutch tax authorities, https://www.belastingdienst.nl/wps/wcm/connect/bldcontentnl/belastingdienst/prive/vermogen_en_aanmerkelijk_belang/vermogen/wat_zijn_uw_bezittingen_en_schulden/uw_bezittingen/overige_bezittingen/overige_bezittingen.

3.3 Ownership of a blockchain
Merely asking who is the owner of a blockchain will be met with resistance in the community that is responsible for creating bitcoin. The original idea of building the bitcoin blockchain was, after all, that the blockchain was the property of no-one, hence owned by everyone. But is that the case?

Under Dutch law you may solely be the owner of property that is tangible (article 1 of Book 5 in conjunction with article 2 of Book 3 of the Dutch Civil Code). A server running software fits that definition. Software itself, however, is intangible. The software which constitutes a blockchain cannot thus be owned under the terms of Dutch property law. However, software is covered by copyright under the terms of the Dutch Copyright Act (Auteurswet). So it is possible to own copyright to a blockchain.

The blockchain that forms the basis of bitcoin is programmed with open-source software that was built by a group of programmers. Each builder has copyright to the part of the blockchain he or she built. To that extent, then, it is indeed possible to be the owner of a public blockchain.

The blockchain that forms the basis of bitcoin is built with software that each of the builders has made available with open-source software under the MIT licence.[6] This licence allows anyone to use the software. The MIT licence does, however, stipulate that if anyone wants to distribute the software (or an amended version of the software), it must include details of who the copyright owner is.

Although for most public blockchains the source code is open source and may be used and amended by anyone, that is often not the case for a private blockchain. A private blockchain is generally built by a single party who also owns copyright of that private blockchain. So it will often be relatively simple to demonstrate who is the owner of a private blockchain.

3.4 Identity within a blockchain
All transactions within a public blockchain are public. That does not mean that it is necessarily clear who conducts the transactions within the public blockchain in each case. Within the bitcoin blockchain, all users, for instance, have an anonymous account.[7] As there is no central organisation that regulates the bitcoin blockchain, it is not possible to find out which people are behind a particular account through a central administration.

This can lead to problems in practice. If you do not know the identity of the person with whom you are conducting a transaction by blockchain, it is practically impossible to hold that party to account if something goes wrong in the transaction. It is, for instance, conceivable that you make a payment by bitcoin in which, by accident, you type one too many zeroes and end up paying ten times as much in bitcoin to the receiving party as you intended. Were such a transaction to be conducted via a bank, it would be relatively simple to identify the receiving party through the bank, and then to demand restitution by legal means. With a bitcoin transaction, however, it is impossible to ascertain the identity of the receiving party in that manner.

At this point in time there are a number of initiatives aimed at trying to pin down the biological identity of a person and link it to a digital identity.[8] This could, for example, be achieved by marking such a link in a blockchain. Various regulations and legislation apply to the issue of establishing digital identity, depending on the context. A significant example of that is the eIDAS regulation.[9] This regulation covers rules for the use of electronic identification by official agencies.

[6] The MIT licence is a software licence for open-source software. It was devised at the Massachusetts Institute of Technology. In a similar way to the BSD licence, the MIT licence imposes minimal restrictions. The sole condition is that the copyright statement must appear in all copies. Other than that the software may even be used in proprietary software.
[7] However, as we understand it, it is nowadays relatively simple to find out (directly or indirectly) who is behind a bitcoin profile.
[8] https://kennisopenbaarbestuur.nl/thema/digitale-identiteit/.
[9] Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

3.5 The legal definition of smart contracts
As explained above in section 2.4, smart contracts are often mentioned in the same breath as blockchains. The reason for this is that smart contracts need objective circumstances that can trigger the performance of a smart contract. Objective circumstances of this kind can be delivered by a blockchain.

Imagine that the ownership of a house is established in a blockchain rather than with the land registry. A smart contract can stipulate that as soon as the blockchain confirms that the ownership of a house has been conveyed, the purchase price is paid automatically. Furthermore, the price to be paid can be fixed in advance in the smart contract. That removes the risk of payment not being made on conveyance or vice versa. In this way it is conceivable that a combination of blockchains and smart contracts can cancel out the risks incumbent on transactions without a notary or other trusted third party being present.

It is also possible for a smart contract to be a legal contract. Under Dutch civil law a contract is formed under a process of offer and acceptance (article 217 of Book 6 of the Dutch Civil Code). In principle contracts are format-free. This means that a contract may, for example, be formed orally. However, the consent of parties to the offer and acceptance is often set down in writing in a formal contract. In some cases the law demands this too. However, in the instances in which the formation of a contract is format-free, it is our opinion that another option is to set down a contract in the form of code.

Of course, there may be objections to this. A significant objection in that respect is that there is a risk of one or both of the parties not understanding the terms that are set down in code. What if, as a result, the parties’ wishes do not accord with the ‘formal’ contract represented in code? Is it possible to invoke error to rescind the transaction forming the smart contract? And what if the terms of the smart contract imply something other than what the parties had envisaged?[10] Under those circumstances is it possible to get a court to reverse the consequences? And is it really possible to lay down terms to make that impossible (is code legally enforceable)?

The answer to these questions in terms of Dutch law will very much depend on the status and expertise of the parties and the agreements the parties have made. On the face of it, Dutch contract law allows professional parties with specialist assistance to specifically agree that the text of a contract must be explained objectively, i.e. with less weight given to the intentions of the parties.[11] In such an instance we could imagine that the parties could also agree that code is legally enforceable, in which case, in principle, it would not be possible to successfully seek recourse on the basis of the intentions of the parties if the code fails to accord with what the parties had intended. In all other instances we believe this is possible.

In our opinion it is thus possible to set down a legally-binding contract in the form of a smart contract under certain circumstances. However, this is a long way from saying that it is always advisable to do so. It is difficult for us to imagine that it would be advisable to set down agreements that do not relate to the essence of a contract, such as agreements on applicable law or a competent court, in code. We can therefore imagine that, in general, not all agreements that the parties make will be set down in a smart contract, but that some of the agreements will be written down, while others will be in code.

We therefore believe that it is also possible for a smart contract to be a legally-binding contract. That does not mean that all smart contracts are also legally-binding contracts.

The fact that not all smart contracts are legally-binding contracts does not mean that all other smart contracts have no legal meaning. In addition to agreements, smart contracts may, for instance, also have the following legal meaning:

• unilateral undertaking of performance of a contract condition precedent or condition subsequent in a contract
• unilateral legal transaction
• statutory decision

[10] An example of that is the DAO attack. Although the attack might lead one to suspect otherwise, it was not a case of a breach of security, but of exploitation of a vulnerability in an open-source smart contract, as a result of which USD 55m was siphoned off.
[11] See HR 5 April 2013, NJ 2013, 214 (Lundiform/Mexx).

3.6 Monitoring of a blockchain
Blockchains could, in principle, make monitoring easier and perhaps even superfluous. Public blockchains are public. Moreover, the information in a blockchain cannot be altered; in other words, there is no reason to doubt their accuracy. In future, innovations like this ought to be sufficient to ensure that the need for auditing by an accountant decreases substantially.

However, as already stated in section 3.4, it is difficult to identify the natural persons involved in actions within a blockchain. That makes it more difficult for regulators to monitor a blockchain as such.

Within a private blockchain environment it is even more difficult to monitor what goes on, unless that private blockchain is regulated by a central body that gives a regulator access to the blockchain.

4. Processing personal data within a blockchain
4.1 Introduction
As an illustration in section 3 it was often assumed that bitcoin is processed within a blockchain. However, blockchain technology can be broadly used; in a blockchain it is possible to process all information, including personal data.

In section 4 we have decided to focus on the processing of personal data within a blockchain. The assumption of the blockchain that information held within the chain is unchangeable is, in fact, diametrically opposed to the assumptions of privacy legislation, that personal data must be destroyed once it has served the purpose for which it was collated and that it must be possible to amend personal data that is incorrect.

It is our experience that in a private blockchain in which one party has control over the majority of the nodes or there is otherwise a form of governance in existence, it is entirely possible to process personal data in accordance with privacy legislation. We will outline the experiences that we have gained in this context in this section. In addition we will perform research into the application of privacy legislation where it touches on private blockchains. Within a public blockchain it seems that the discrepancies between how the blockchain functions and the rules dictated by privacy legislation are more difficult to bridge.

4.2 Processing personal data within a blockchain
The upcoming General Data Protection Regulation (GDPR)[12] is often applicable where personal data is processed. Under the terms of article 4(1) of the GDPR, personal data includes all information on an identified or identifiable natural person. This covers aspects such as name, address and telephone numbers, but it may also apply to a set of other data that together have something to say about an identified or identifiable natural person such as, for instance, location data or video footage. If such information is included in a blockchain, it counts as personal data.

Data that has been entirely anonymised, which cannot therefore be traced to an identified or identifiable natural person, does not qualify as personal data. If a blockchain comprises solely anonymous data, there is no question of using personal data, and privacy legislation does not apply.

Article 4(2) of the GDPR defines processing to include not least collection, recording, organisation, structuring and storing personal data. If personal data is logged in a blockchain, processing will generally always involve personal data.

One of the blockchain pilot schemes with which our firm has assisted is the blockchain pilot scheme for MijnZorgLog for Zorginstituut Nederland.[13] MijnZorgLog is a blockchain application that replaces the care book that is currently lying on the kitchen table of a person receiving health care. MijnZorgLog logs information from persons including home care workers, doctors and family members of those receiving health care. It is evident that this information contains personal data.

An option often used is not logging personal data directly in a blockchain, but instead inserting hyperlinks into a blockchain that can be linked to files containing personal data. Although this makes it easier to remove or amend personal data (see below), we believe that this does not detract from the fact that personal data is being processed.

[12] The GDPR becomes enforceable from 25 May 2018
[13] For more information see, for instance: https://www.computable.nl/artikel/informatie/nieuws/6032899/1853296/zorginstituut-nederland-logt-zorg-met-blockchain.html.

4.3 Who is the controller and processor within a blockchain?
Privacy legislation makes a distinction between the person responsible for processing (the controller) and the processor. The controller is the central figure within privacy legislation who, in principle, has responsibility for all legal obligations. The controller establishes the aim and the resources for processing. This means that the controller determines what happens with the personal data.

If a company processes personal data for its own purposes, for instance, the company is the controller. If a local authority processes personal data in the context of performing any of its duties at law, the local executive is the controller.

The controller may use a processor to process the personal data on their behalf. The processor is always subordinate to the controller and must follow his or her instructions. The processor may not use the personal data for other purposes than those for which the controller has provided them to him or her.

A cloud provider or a trust office could, for instance, act as processors.

If personal data is processed within a blockchain, the personal data will be placed in the blockchain by various blockchain participants. In actual fact, this is no more than an innovative way of exchanging personal data between the various participants within a blockchain. In the course of this exchange there is, in principle, no form of hierarchical relationship; if there are no other agreements in place in relation to this, each participant in the blockchain is equal and, in principle, each participant is free to do with the information in the blockchain as he or she sees fit. We believe that a processor is not, in principle, involved in the sharing of personal data through a blockchain. This means that all parties that participate in a blockchain are controllers.

This leads directly to questions. Under the GDPR, after all, the controller is subject to all sorts of legal obligations. For instance, how should controllers jointly ensure that there is proper security for the blockchain? And what if there is a data leak? Should all participants in the blockchain report this data leak to the Data Protection Authority? Within a blockchain (private or otherwise) in which a single party has control of all nodes or there is some other form of governance, it is conceivable that solutions to this will be found, for instance by appointing one of the controllers to perform all legal duties on behalf of all other controllers.

The starting point is thus that all participants in a blockchain in which personal data is exchanged are controllers. We can imagine that the parties that run nodes within a blockchain network are processors. The primary task of these parties is, after all, operating the blockchain for the benefit of all controller participants. If the parties that run nodes are actually processors, the controllers must enter into a contract with these processors (article 28 of the GDPR). Here too, this can be resolved within a blockchain in which there is a form of governance by making joint agreements between all participants and the parties that run the nodes.

4.4 Does the GDPR apply?
The issue of who is the controller and who is the processor within a blockchain in which personal data is exchanged has a bearing on the issue of whether a blockchain is covered by the scope of the GDPR. Under the terms of article 3 of the GDPR, the GDPR applies not least where personal data is processed in the context of the activities at an establishment of a controller or a processor in the European Union, regardless of whether the processing is carried out in the European Union or not.

Whether or not the GDPR applies to a blockchain in which personal data is processed is therefore governed not by whether there are nodes situated within the European Union, but whether processing is carried out in the context of the activities of an establishment of one of the controllers (or processors) in the European Union.

Whether or not that is the case depends largely on the circumstances of the case. Bearing in mind the fact that it is our opinion that all participants in a blockchain that contains personal data that is exchanged are controllers, this will quickly lead to a controller processing personal data in the context of the activities of his/her establishment in the European Union. If that is
the case, the blockchain in its entirety falls under Date Name Log Who sees what?
the terms of the GDPR. And that does not mean Adjust below
straight away that it is the responsibility of all
participants to comply with the GDPR. Partici-
pants who are not covered by the definition in
article 3 of the GDPR do not need to comply with
the GDPR.

4.5 What is the legal basis for processing personal data within a blockchain?
The processing of personal data is permitted solely where there is a legal basis to do so. The requirements for lawfulness of processing are summed up in article 6 of the GDPR. An important example of a legal basis for the processing of personal data is the permission that is given by the person to whom the personal data pertains (the person in question).

Each time personal data is processed, there must be an individual legal basis. This means that each time a participant in a blockchain inserts personal data in the blockchain, there must be a basis for the acquisition of said data.

In the blockchain of Zorginstituut Nederland as described above, the blockchain revolves around a single person receiving health care. All personal data that is placed in this blockchain relates to the same person. For that reason it was relatively simple to arrange for the person in question to grant permission to all participants forming part of the blockchain for the fact that they were sharing personal data via the blockchain with other participants and that they could view the personal data that other participants were sharing.

Article 7 of the GDPR states that the person in question has the right to withdraw any permission granted. This, too, is presumably something that is feasible to organise in a private blockchain in which a single party has control of a majority of the nodes. After all, this is a question of the person in question withdrawing the access rights accorded to the controller. Or consider a system in which there is the possibility at log level for the person in question to withdraw permission from a specific participant.

It is also conceivable that personal data within a blockchain can be processed under a different legal basis than permission. Whether or not this is the case will depend to a great extent on the situation in which the blockchain is used.

4.6 Data minimisation and blockchains
The GDPR demands that data be minimised, which implies that no more personal data is processed than is strictly necessary for the purposes of the blockchain. A solution that does justice to this principle is that the log files primarily include meta data (information about one or more aspects of the data), while the content data (interrogative data) can solely be added using a link that can only be opened by authorised persons.

4.7 Removing personal data from a blockchain
The power of the blockchain is that the information it contains can be trusted because this information is unchangeable. This clashes with the fact that the GDPR states that as soon as personal data is no longer required it must be deleted, and that the GDPR gives the people in question the right to demand removal of their personal data.

Removal of information from a blockchain requires a majority of the total nodes. If, in a private blockchain, a single party has control of all or (at any rate) the majority of the nodes, it is therefore possible for this party to remove information from the blockchain. In that case, sceptics will wonder straight away what the point of blockchains is. Although they do have a point, if there are robust agreements in place on the governance of the private blockchain, it is possible that a construction can be created to back up the accuracy of the blockchain.
There may also be technical issues connected with the removal of data. For instance, it is conceivable that a blockchain is programmed in such a way as to enable removal solely by encrypting the personal data in question, and then ‘throwing away the key’. In such cases, encrypted data will remain visible. Moreover, an extra log file could be added containing the information that the data is encrypted. In such a case, the data is actually removed, but the fact that there was once something logged in the blockchain remains visible.

4.8 Amending personal data within a blockchain
Under the terms of the GDPR, individuals not only have the right to demand removal of personal data, but also to amend incorrect personal data. This process could be subject to similar objections as those in relation to the removal of personal data.

However, it is probably relatively simple to remove these objections. For instance, we can imagine that personal data in the blockchain is not so much amended by changing an old log file; rather by adding a new log file to the blockchain, in which the earlier data can be corrected. In such a case the constant and unchanging character of the blockchain would not be affected.

4.9 Conclusion
Processing personal data within a blockchain remains a challenge. Within a private blockchain in which one of the participants controls a majority of the nodes or there is a form of governance, it is possible to process personal data. However, such a construction goes against the principle that the decentralisation of the blockchain makes the information contained in that blockchain unchangeable. Processing personal data in a public blockchain seems to be a greater challenge.

5. Conclusion
Although blockchain technology is a legal minefield, many legal obstacles appear to be surmountable in practice. The Pels Rijcken & Droogleever Fortuijn innovation team would be glad to be of assistance in that respect.

6. Disclaimer
The copyright on this white paper is owned by Pels Rijcken & Droogleever Fortuijn. No part of this white paper may be re-used without written permission. Although this white paper has been written with the greatest care and attention, neither the authors nor Pels Rijcken & Droogleever Fortuijn can vouch for the accuracy of its content. When reading this report you must, moreover, assume that the subject addressed here is still relatively uncharted territory, and that time will tell what the actual legal implications of it will be. The legal solution that is most suitable in a specific case is, furthermore, very much dependent on the actual situation.

Pels Rijcken innovation team

Sandra van Heukelom
Partner
070 515 39 61
sandra.vanheukelom@pelsrijcken.nl

Jeroen Naves
Senior associate
070 515 36 75
jeroen.naves@pelsrijcken.nl

Marte van Graafeiland
Associate
070 515 38 30
marte.vangraafeiland@pelsrijcken.nl

Pels Rijcken & Droogleever Fortuijn
New Babylon
Bezuidenhoutseweg 57
2594 AC Den Haag
070 515 30 00
The Netherlands
www.pelsrijcken.info
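
Sections 4.7 and 4.8 describe removing personal data by encrypting it and throwing away the key, and amending it by adding a new log entry. The sketch below is an added example, not part of the white paper or of any pilot project: the `Ledger` class, its method names and the subject id are hypothetical, and the SHAKE-256 keystream is a stand-in cipher chosen only so the code runs on the Python standard library.

```python
import hashlib, json, secrets

def _keystream_xor(key, nonce, data):
    # Stand-in cipher for the sketch; a real system would use an AEAD such as AES-GCM.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _digest(rec):
    fields = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.entries = []  # on-chain: replicated to every node, never rewritten
        self.keys = {}     # off-chain (assumed key store): subject id -> key, None = destroyed

    def _append(self, subject, kind, body=b"", nonce=b""):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        rec = {"prev": prev, "subject": subject, "kind": kind, "nonce": nonce.hex(), "body": body.hex()}
        rec["hash"] = _digest(rec)
        self.entries.append(rec)
        return len(self.entries) - 1

    def add(self, subject, text, kind="data"):
        key = self.keys.setdefault(subject, secrets.token_bytes(32))
        if key is None:
            raise PermissionError("subject was erased; no new data accepted")
        nonce = secrets.token_bytes(16)
        return self._append(subject, kind, _keystream_xor(key, nonce, text.encode()), nonce)

    def amend(self, subject, index, corrected):
        # Section 4.8: the old entry stays; a new entry carries the correction.
        return self.add(subject, corrected, kind=f"corrects:{index}")

    def erase(self, subject):
        # Section 4.7: throw away the key, then log that the data is unreadable.
        self.keys[subject] = None
        return self._append(subject, "erased")

    def read(self, index):
        rec = self.entries[index]
        key = self.keys.get(rec["subject"])
        if not key or not rec["body"]:
            return None  # ciphertext is still on the chain but cannot be opened
        return _keystream_xor(key, bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["body"])).decode()

    def verify(self):
        prevs = ["0" * 64] + [r["hash"] for r in self.entries]
        return all(r["prev"] == p and r["hash"] == _digest(r) for r, p in zip(self.entries, prevs))
```

Erasure in this design is only as strong as the destruction of every copy of the key, backups included. The ciphertext and the pseudonymous subject id remain on the chain, which matches the white paper's remark that the fact that something was once logged stays visible.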
