Blockchain is undoubtedly the technology for data storage and traceability. While it is still not widely accepted, most people outside the Blockchain ecosystem have started to understand this.

Blockchain technology acts like a decentralised database shared simultaneously with all its users, without depending on a central authority for access. Any data uploaded and stored on a blockchain (e.g. Arweave) cannot be modified, tampered with or "revoked" without it being visible to all. A true breakthrough technology!

However, when one uses the term "data" within the context of data storage, what quickly comes to mind, particularly among Europeans, is the General Data Protection Regulation (GDPR). And the resulting question is: does GDPR apply to blockchain technology?

The answer given by the French Commission Nationale de l'Informatique et des Libertés (CNIL – French Data Protection Agency) in 2018 on this subject is clear: "when a blockchain contains personal data, GDPR is applicable".

What exactly is meant by personal data in the sense of GDPR? CNIL specifies that it is, "any information concerning an identified or identifiable natural person". The blockchain is therefore not, in itself, a data processor with a purpose in its own right, but a technology that can be used in support of different data processing. And this is where GDPR applies.

But is the very philosophy and operating principles of a blockchain compatible with GDPR? The answer is not so obvious and deserves to be considered for a moment.

Innovation and the protection of fundamental rights of individuals are not, in our opinion, contradictory objectives. Indeed, GDPR does not aim to regulate technologies as such, but rather the way actors use these technologies in a context involving personal data.

So a blockchain storing data can satisfy many of the rules set out in GDPR.

Even though cryptographic processes predate the publication of the data protection rules, major technological developments in protecting privacy are taking place now. Through advanced encryption, web3 developers can implement GDPR compliant solutions. Web3 is still in its nascent phase and will come to understand the spirit and the details of data protection rules over time.

The architecture and technological characteristics of each blockchain are unique. The consequences for the way personal data is stored and processed in light of GDPR may vary from one blockchain to another. It is, therefore, necessary to carry out a case-by-case analysis.

The applications built on the Arweave blockchain show great promise in terms of data protection by their design and the control offered to users. We will further develop how an application such as Akord and the Arweave blockchain can address GDPR compatibility issues (the transfer of data outside the EU are not voluntarily addressed in this article and will be the subject of a separate article).