The tension between the GDPR & NFTs

In short, an NFT (non-fungible token) is a set of data stored on a blockchain (a digital ledger), that certifies a digital asset as unique and thus non-fungible. Assets can be tangible (real estate) or intangible (IP rights).

The General Data Protection Regulation (GDPR) aims to protect fundamental privacy rights. It strives to achieve this goal by giving individuals more rights and more control over their personal data. Additionally, it puts more obligations on the data controllers' shoulders and demands that controllers can always demonstrate compliance.

The GDPR is technologically neutral, which means GDPR compliance must be ensured whenever personal data of natural persons are processed in a structured manner. Consequently, the material scope of the GDPR is also applicable to the blockchain whenever personal data of a natural person are processed.

The fields of tension

Over the last couple of years, certain tensions between blockchain technologies and the GDPR have been discussed:

• To begin with, the GDPR "assumes" that there is at least one data controller (an entity that sets the purpose and the means of the data processing) which can be addressed by a data subject (an individual). In contrast to this "one-on-one" fiction of the GDPR, the blockchain works with multiple players and decentralisation. This makes the allocation of responsibilities on the blockchain under the GDPR more burdensome.
• Furthermore, the GDPR grants certain rights (e.g. the right to data rectification, the right to data erasure) to the data subjects, which again contradict the "blockchain values", since the blockchain is a shared, immutable ledger for recording transactions, tracking assets and building trust.
• A further obligation of a data controller is to ensure "privacy by design": simply put, this obligation demands that the GDPR principles are taken into consideration in the developing phase of a product rather than later on. Thus, Art 25(1) GDPR requires controllers to implement appropriate safeguards "both at the time of the determination of the means for processing and at the time of the processing itself". This means that the blockchain itself should respect GDPR principles, such as data minimisation and purpose limitation, but also storage limitations.
• The "classic" debate is about the nature of the data which are typically stored on a blockchain. The question is whether personal data that has been encrypted or hashed (like public keys) still qualify as personal data. While it is often argued that they do not, such data likely does qualify as "personal data" within the meaning of the GDPR, because "personal data" is defined as "any information relating to an identified or identifiable natural person". Since there are frequently means to (at least) identify the natural person based on the hashed values, the GDPR is applicable. On most blockchains, however, participants are only pseudonymised, and not "completely" anonymised, which means that the GDPR will likely apply.

Blockchain & GDPR-compliance?

Having outlined some of the areas of tension between the GDPR and blockchain technology, compliance might be achieved through a combination of

1. technical measures,
2. transparency, and
3. contractual provisions.

One option to achieve a higher level of GDPR compliance with blockchain technologies appears to be offered by the "Zero-Knowledge Proof" method (ZKP), an encryption scheme where one party can prove the truth of specific information to another party without disclosing any additional information. In contrast to the Proof-of-Work method (typically used to date), the ZKP method captures transaction data in such an encrypted form that it is (or at least currently seems to be) impossible to identify any actors involved. Applying ZKP would give transactions on the blockchain an assurance of privacy, but still be able to prove that the private data is present and correct. The downside of ZKP is that it requires a large amount of computing power, meaning it is not quite resource-saving.

Be careful when creating an NFT

As the privacy by design obligation shows, technical measures must be considered from the very beginning, but also have to be frequently reassessed. In addition, information obligations must be adhered to both from a contract law and a data protection perspective. As our "NFT self-experiment" showed, it is possible to influence the design of the NFT at the beginning. Therefore, NFTs should be created carefully, as there are many legal questions still to be clarified around this new invention.

authors: Veronika Wolfbauer, Peter Ocko