A systematic literature review of the tension between the GDPR and public blockchain systems

Abstract

Blockchain technology has been rapidly growing since Bitcoin was invented in 2008. The most common type of blockchain system, public (permissionless) blockchain system, has some unique features that lead to a tension with the European Union’s General Data Protection Regulation (GDPR) and other similar data protection laws. In this paper, we report the results of a systematic literature review (SLR) on 114 research papers discussing and/or addressing such a tension. To the best of our knowledge, our SLR is the most comprehensive review of this tension, leading to a more in-depth and broader analysis of related research work on this important topic. Our results revealed three main types of issues: (i) difficulties in exercising data subjects’ rights such as the ‘right to be forgotten’ (RTBF) due to the immutable nature of public blockchains; (ii) difficulties in identifying roles and responsibilities in the public blockchain data processing ecosystem (particularly on the identification of data controllers and data processors); and (iii) ambiguities regarding the application of the relevant law(s) due to the distributed nature of blockchains. Our work also led to a better understanding of solutions for improving the GDPR compliance of public blockchain systems. It can help inform not only blockchain researchers and developers but also policymakers and law markers to consider how to reconcile the tension between public blockchain systems and data protection laws (the GDPR and beyond).