
The right to erasure, also described as the ‘right to be forgotten’, is a right which enables data subjects, under certain circumstances, to have their personal data removed from the data controller. It is influenced by the principles of data minimisation,192 accuracy,193 and storage limitation.194 Article 17 of the GDPR states that a data subject has “the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”.195 Moreover, a controller should act on a request of erasure if the grounds for erasure are satisfied.196 These grounds include, inter alia, where personal data has been processed unlawfully,197 withdrawal of consent,198 erasure due to another legal obligation under EU or Member State law,199 and where it is no longer necessary for the personal data to be held.200

At face value, the right to erasure appears somewhat incongruous with the typical design of blockchains, particularly permissionless blockchains, where the security of the blockchain is partially reliant on the inability (or immense difficulty) to erase the content stored on the distributed ledger – the ‘immutability’ of the chain. This immutability may also create issues regarding the principle of data minimisation under Article 5(1)(c) GDPR.201 However, the right to erasure should not be considered an absolute right. Article 17 GDPR provides a number of grounds on which the right to erasure does not apply including: freedom of expression;202 compliance with certain legal obligations;203 various reasons of public interest;204 and grounds relating to legal claims.205

189 Opinion of Advocate General Kokott in Case C-434/16 Peter Nowak [2017] 35.

190 European Parliamentary Research Service, ‘Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law?’ (July 2019) 73.

191 ibid 74.

192 GDPR, Article 5(c).

193 GDPR, Article 5(d).

194 GDPR, Article 5(e).

195 GDPR, Article 17(1).

196 GDPR, Article 17.

197 GDPR, Article 17(d).

198 GDPR, Article 17(b).

199 GDPR, Article 17(e).

200 GDPR, Article 17(a).

201 Article 5(1)(c) GDPR states that personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.

4.2.1 ‘Erasure’

There is some debate on the exact definition of ‘erasure’, with the term currently requiring further clarification.206 However, it appears that ‘erasure’ does not necessarily equate to the deletion of data.

4.2.1.1 Deletion vs. removed access

In Google Spain it was sufficient that the personal data was removed from the search engine webpages – this subsequently resulted in Article 17 also being described as “the Right to request delisting”.207 However, the EDPB also clarified that there would be situations where search engines would need to provide complete deletion of personal data under certain circumstances.208

In the case of Manni the CJEU briefly touched upon the issue of whether data needs to be erased completely or whether removing public access is satisfactory.209 The case concerned the public display of personal information related to the formation of companies in Italy under Directive 68/151.210 The Court reasoned that the necessity to maintain a record of company information, owing to the frequent legal matters that arise from company dissolution, allowed for the data to be stored on the register (and shared with third parties where necessary) if removed from public view.211 This reasoning by the Court is particularly pertinent as the Directive being relied on by the Italian government to hold the data made no explicit mention of how the data should be handled after the dissolution of the company.212 Therefore, there was no legal obligation for the data to remain in the register. This highlights that erasure of data is not strictly necessary under all circumstances. However, further guidance from the CJEU would be a welcome clarification to this area of data protection law.

202 GDPR, Article 17(3)(a).

203 GDPR, Article 17(3)(b).

204 GDPR, Article 17(3)(c) and (d).

205 GDPR, Article 17(3)(e).

206 European Parliamentary Research Service, ‘Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law?’ (July 2019) 75.

207 European Data Protection Board, Guidelines 05/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR [4].

208 ibid [10].

209 Case C-398/15 Manni.

210 Directive 68/151 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community.

211 (n 209).

212 Case C-398/15, Manni [52].

4.2.1.2 Deletion of an encryption key

The legal reasoning in Manni could potentially be applied to data obfuscated or rendered inaccessible on a blockchain. For example, a blockchain could be designed in such a way that personal data stored on the blockchain is fully encrypted (to the latest encryption standards) before being appended to the distributed ledger.213 There is a strong argument that the personal data could be considered ‘forgotten’ should the encryption keys be permanently deleted (rendering the content inaccessible).214

There is, however, an issue of whether data that remains ‘on chain’ whilst being anonymised/obfuscated through advanced cryptography is sufficient to be considered ‘erased’ in perpetuity. With data rendered anonymised there remains the possibility of a retroactive attack that removes the anonymity and allows for the dissemination of personal and/or sensitive data. If this type of erasure is acceptable, then the possibility of retroactive attacks should still be kept in mind in terms of data management best practice.
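The key-deletion approach described in this section can be sketched as follows. This is an added example, not code from the cited works: the `ShreddableLedger` class, its in-memory key store and the sample record are hypothetical, and the HMAC-based stream cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library; use a vetted AEAD such as AES-GCM in practice.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = _prf(key, b"enc" + nonce + (i // 32).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class ShreddableLedger:
    def __init__(self):
        self.chain = []  # on-chain: (subject, nonce, ciphertext, tag), append-only
        self.keys = {}   # off-chain key store (hypothetical), one key per subject

    def append(self, subject, personal_data):
        key = self.keys.setdefault(subject, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(key, nonce, personal_data)
        self.chain.append((subject, nonce, ct, _prf(key, b"mac" + nonce + ct)))
        return len(self.chain) - 1

    def read(self, index, key=None):
        subject, nonce, ct, tag = self.chain[index]
        key = key or self.keys.get(subject)
        if key is None:
            return None  # key destroyed: ciphertext remains on-chain, unreadable
        if not hmac.compare_digest(tag, _prf(key, b"mac" + nonce + ct)):
            raise ValueError("wrong key or tampered entry")
        return _xor_stream(key, nonce, ct)

    def erase_subject(self, subject):
        # "Erasure" by key deletion; the ledger entries are never touched.
        return self.keys.pop(subject, None) is not None

def demo():
    ledger = ShreddableLedger()
    idx = ledger.append("subject-42", b"Jane Doe, 1 Example Street")  # constructed
    stray_copy = ledger.keys["subject-42"]  # e.g. a backup taken before the request
    before = ledger.read(idx)
    ledger.erase_subject("subject-42")
    after = ledger.read(idx)                       # None: controller can no longer read
    recovered = ledger.read(idx, key=stray_copy)   # any surviving key copy undoes it
    return before, after, recovered, len(ledger.chain)
```

The ciphertext never leaves the chain, so this form of erasure holds only while every copy of the key is destroyed and the cipher remains unbroken.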

4.2.2 Off-chain storage

The issue of the right to erasure is further complicated by whether the information is stored on or away from the distributed ledger. If personal data is stored off the blockchain, in a separate storage facility, with a reference to the data location stored on a blockchain – then there is unlikely to be an obstruction to the right of erasure.215 The controller can simply delete the personal data from its storage facility and update the ledger to reflect this.
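A sketch of the off-chain pattern described above, as an added example rather than code from the cited paper. The `PointerLedger` class, the in-memory store and the sample record are hypothetical; the salted commitment placed on-chain is a design assumption of this example, chosen so that the on-chain reference reveals nothing once the off-chain record and its salt are deleted.

```python
import hashlib, hmac, json, secrets

class PointerLedger:
    def __init__(self):
        self.blocks = []     # on-chain: hash-linked, append-only
        self.off_chain = {}  # controller's store (hypothetical): ref -> record

    def _append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": hashlib.sha256(body.encode()).hexdigest()})

    def store(self, personal_data):
        ref, salt = secrets.token_hex(8), secrets.token_bytes(32)
        # Salted commitment: a bare hash of low-entropy personal data is guessable.
        commit = hmac.new(salt, personal_data, hashlib.sha256).hexdigest()
        self._append({"op": "store", "ref": ref, "commit": commit})
        self.off_chain[ref] = (salt, personal_data, len(self.blocks) - 1)
        return ref

    def erase(self, ref):
        del self.off_chain[ref]                     # data and salt both destroyed
        self._append({"op": "erased", "ref": ref})  # ledger updated to reflect this

    def fetch(self, ref):
        if ref not in self.off_chain:
            return None  # erased: the on-chain reference now points at nothing
        salt, data, idx = self.off_chain[ref]
        commit = hmac.new(salt, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(commit, self.blocks[idx]["payload"]["commit"]):
            raise ValueError("off-chain record does not match on-chain commitment")
        return data

    def chain_valid(self):
        prev = "0" * 64
        for b in self.blocks:
            body = json.dumps({"prev": prev, "payload": b["payload"]}, sort_keys=True)
            if b["prev"] != prev or b["hash"] != hashlib.sha256(body.encode()).hexdigest():
                return False
            prev = b["hash"]
        return True

def demo():
    ledger = PointerLedger()
    ref = ledger.store(b"Jane Doe, 1 Example Street")  # constructed sample
    before = ledger.fetch(ref)
    ledger.erase(ref)
    return before, ledger.fetch(ref), ledger.chain_valid(), len(ledger.blocks)
```

Erasure here adds a block instead of rewriting one, so the hash chain still verifies after the personal data is gone.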

4.2.3 A blockchain that forgets?

To combat the problem of permanently stored information, there have been attempts to create blockchains which have the ability to ‘forget’. For example, researchers at the Frankfurt School of Finance and Management developed a decentralised blockchain which could operate and execute smart contracts despite the information being stripped away and deleted in prior transactions.216 This type of technological innovation would be a welcome addition in terms of blockchains potentially offering better protection of data subjects’ rights whilst also benefitting from the immutability and verifiability that blockchains offer.

213 N B Truong, K Sun, G Myoung & Y Guo, ‘GDPR-Compliant Personal Data Management: A Blockchain-based Solution’ IEEE Transaction on Information Forensics and Security 15 (2020) 1746, 1757.

214 Commission nationale de l'informatique et des libertés, ‘Blockchain: Solutions for a responsible use of the blockchain in the context of personal data’ (September 2018) 8.

215 (n 213).

216 S Farshid, A Reitz & P Rossbach, ‘Design of a forgetting blockchain: A possible way to accomplish GDPR compatibility’ Available at: <https://hdl.handle.net/10125/60145> Accessed on 9th September 2021.