If you are unfamiliar with the world of NFTs, please see our self-experiment. If you want to quickly recap what NFTs have to do with smart contracts, please see here.
In short, an NFT (non-fungible token) is a set of data stored on a blockchain (a digital ledger) that certifies a digital asset as unique and thus non-fungible. Assets can be tangible (real estate) or intangible (IP rights).
The General Data Protection Regulation (GDPR) aims to protect fundamental privacy rights. It strives to achieve this goal by giving individuals more rights and more control over their personal data. Additionally, it puts more obligations on the data controllers' shoulders and demands that controllers can always demonstrate compliance.
The GDPR is technologically neutral, which means GDPR compliance must be ensured whenever personal data of natural persons are processed in a structured manner. Consequently, the material scope of the GDPR is also applicable to the blockchain whenever personal data of a natural person are processed.
Over the last couple of years, certain tensions between blockchain technologies and the GDPR have been discussed:
Having outlined some of the areas of tension between the GDPR and blockchain technology, compliance might be achieved through a combination of
One option for achieving a higher level of GDPR compliance with blockchain technologies appears to be the "Zero-Knowledge Proof" (ZKP) method, an encryption scheme in which one party can prove the truth of specific information to another party without disclosing any additional information. In contrast to the Proof-of-Work method (typically used to date), the ZKP method captures transaction data in such an encrypted form that it is (or at least currently seems to be) impossible to identify any of the actors involved. Applying ZKP would give transactions on the blockchain an assurance of privacy while still making it possible to prove that the private data is present and correct. The downside of ZKP is that it requires a large amount of computing power, meaning it is not particularly resource-efficient.
As the privacy by design obligation shows, technical measures must be considered from the very beginning, but also have to be frequently reassessed. In addition, information obligations must be adhered to both from a contract law and a data protection perspective. As our "NFT self-experiment" showed, it is possible to influence the design of the NFT at the beginning. Therefore, NFTs should be created carefully, as there are many legal questions still to be clarified around this new invention.
authors: Veronika Wolfbauer, Peter Ocko