Blockchain has become a revolutionary force in the rapidly changing digital technology ecosystem, with the ability to completely change how we save, share, and handle data. Concurrently, the General Data Protection Regulation (GDPR), which places strict guidelines on the processing of personal data, serves as a pillar in the defence of peoples' right to privacy. The convergence of these two powerful forces presents a critical study of how blockchain technology and GDPR may coexist peacefully, as well as a number of difficult obstacles and opportunities.

Rise in the blockchain technology and Imperative of General Data protection Regulation:
Blockchain is a distributed and decentralised ledger technology that is frequently credited as being the foundation of cryptocurrencies like Bitcoin. Blockchain was first used as the foundational design for cryptocurrencies, but it has since expanded its use to encompass a number of sectors. A blockchain is essentially a series of blocks, each of which has a record of transactions. Its decentralised structure, made possible by a network of nodes that stores and verifies information collectively without the aid of a central authority, is what makes it unique.

The General Data Protection Regulation (GDPR), on the other hand, was implemented by the European Union (EU) in 2018 as a legal reaction to the growing concerns about data privacy in the digital age. By offering people control over their personal data and imposing stringent rules on organisations that handle it, the GDPR aims to empower individuals. It highlights the significance of openness and accountability in data processing by introducing concepts like data minimization, purpose limitation, and the right to erasure. A wide range of rights for data subjects are also introduced by the GDPR, including the ability to view, update, and transfer personal data.

It also requires data controllers and processors to put strong security measures in place, evaluate the impact of those measures, and notify data breaches as soon as they occur. The GDPR's reach extends outside the EU due to its extraterritorial nature, which requires organisations operating globally to comply with its principles when managing the data of EU residents.

The Confluence: The Significance of Blockchain-GDPR Intersection
The General Data Protection Regulation (GDPR) and blockchain technology create a crucial convergence in the age of digitization that requires close scrutiny. Blockchain, well-known for its transparent and decentralised ledger, brings about a revolution in data management. Simultaneously, the GDPR, a formidable legal framework, imposes strict guidelines to safeguard the privacy rights of individuals. Their intersection has substantial implications for the privacy and data protection landscape that go beyond academic discourse.

The GDPR's dedication to giving people control over their data is one of the key elements emphasising the relevance of this intersection. GDPR promotes the idea of data minimization, calling for the gathering of only the information required for certain, legal reasons. This focus is in line with the overarching objectives of increasing openness, giving people control over their personal data, and cutting down on pointless data processing.

The immutable nature of blockchain stands out as a crucial feature with broad consequences. Data becomes impervious to manipulation once it is stored on a blockchain, guaranteeing a high degree of data security and integrity. However, this immutability makes it difficult to reconcile with the GDPR's erasing right. The junction becomes important because it calls for creative ways to balance the rights of individuals to have their data destroyed when it is no longer needed for its intended purpose with the security provided by blockchain.

The decentralised design of blockchain networks challenges the traditional understanding of data controllership that is outlined in the GDPR. In contrast to conventional centralised systems, blockchain allocates accountability among network users. This decentralised approach makes it difficult to identify a single organisation in charge of data processing, which raises important questions about GDPR compliance. This difficulty is significant because it calls for reviewing and modifying regulatory frameworks to take into account the special characteristics of blockchain networks while maintaining the fundamental principles of the GDPR.

From a practical standpoint, the intersection is extremely important for sectors that handle sensitive data. Supply chain management, healthcare, and finance are just a few of the industries that stand to gain a great deal from the integration of blockchain applications with GDPR regulations. Blockchain technology's security and transparency have the potential to completely transform these sectors by enabling the development of systems that not only abide with GDPR laws but also foster stakeholder trust.

Blockchain Technology: Fundamentals and Characteristics:
Originally envisioned as the foundational structure of cryptocurrencies, blockchain technology has evolved to become a game-changing force across multiple industries. Fundamentally, a blockchain is a distributed, decentralised ledger that makes record-keeping safe, open, and impervious to tampering. Examining the definition and constituents of blockchain reveals that its distinct attributes have consequences for legal frameworks that oversee data, transactions, and contracts, in addition to technology.

• Blocks: A blockchain's blocks are collections of transactions. A block is appended to the chain in a sequential, linear order after it exceeds a predetermined size or time threshold. The integrity of the complete transaction history is guaranteed by this block chaining.
• Decentralised Network: A peer-to-peer network of nodes underpins the blockchain. Every node keeps a copy of the complete blockchain and conducts its own independent transaction validation. Because it is decentralised, security and transparency are improved because no one entity is in charge.
• Consensus Mechanism: To come to a consensus among nodes on the legitimacy of transactions, consensus mechanisms�such as proof-of-work or proof-of-stake�are essential. These procedures help the ledger become more reliable, which is crucial in legal situations where verifiability is crucial.
• Cryptography: To protect transactions and manage network access, blockchain uses cryptographic methods. In order to verify participant identity and guarantee data integrity and secrecy, public and private keys are utilised.

Blockchain and law:
Legal frameworks are significantly impacted by blockchain features, especially in the following areas:

• Legal Agreements and Smart Contracts: Blockchain-enabled smart contracts offer the ability to automate and simplify contractual arrangements. This has implications for contract law because smart contracts' self-executing nature calls into question established methods of contract enforcement and the function of middlemen.
• Data Security and Privacy: The blockchain's cryptographic methods improve data security and privacy. Blockchain technology's data protection features are in line with legal frameworks, especially those governed by rules such as the General Data Protection Regulation (GDPR), which prioritise the reduction of data, accuracy, and security of personal information.
• Regulatory Compliance: Regulatory control is challenged by the decentralised and global nature of blockchain technology. According to Jones (2020), legal frameworks need to change to handle jurisdictional concerns and guarantee adherence to current laws, particularly when it comes to securities and financial activities.
• Immutable record keeping and evidence: The blockchain ledger's immutability produces a trustworthy, time-stamped record of transactions. This feature has the potential to be a valuable source of evidence in court, influencing the resolution of disputes and the verification of transactions.

General Data Protection Regulation (GDPR)- Fundamentals:

Enacted by the European Union (EU) to improve the protection of peoples' rights to privacy and the responsible treatment of personal data, the General Data Protection Regulation (GDPR) is a comprehensive legislative framework. With its implementation on May 25, 2018, the GDPR seeks to solve the issues brought about by the rapidly changing digital ecosystem and the growing ubiquity of data-driven technology. The rule provides a strong framework for the processing of personal data by defining its application and establishing precise goals. The GDPR's main goals and its reach are as follows:

1. Empowerment of Data subjects:
   Objective: By granting people more control over their personal data, the GDPR aims to empower people. It highlights the idea that people have the right to know how their data is processed and to exercise their rights in relation to it.
    
2. Bringing Data Protection Laws into Unison:
   Objective: All member states of the European Union will have uniform data protection legislation thanks to the GDPR. It simplifies the legal environment and guarantees a uniform standard of data protection across the EU by offering a single set of legislation.
    
3. Enhancement of Data Security Protocols:
   Objective: The GDPR requires organisations to put in place the necessary organisational and technical safeguards in order to improve the protection of personal data. This entails encryption, routine risk analyses, and safeguards for data availability, confidentiality, and integrity.
    
4. Enabling the Transfer of Data:
   Objective: By creating a uniform framework for cross-border data transfers, the GDPR seeks to enable the unrestricted flow of personal data across countries. It offers safeguards to guarantee data protection during transfers outside the European Union, including Standard Contractual Clauses and Binding Corporate Rules.
    
5. Governance and Accountability:
   Objective: By compelling organisations to prove that they are in line with its principles, the GDPR highlights the idea of accountability. Adopting privacy-by-design and privacy-by-default guidelines is encouraged, encouraging a proactive approach to data security.
    
6. Higher Penalties for Failure to Comply:
   Objective: Organisations that violate the GDPR's rules will now be subject to much higher fines. As a result, companies are encouraged to take data protection seriously and invest in strong data security solutions.

Scope of GDPR:
Geographic Applicability:
Scope: The GDPR covers processing of personal data of people residing in the European Union, irrespective of the location of the processor or data controller. This also holds true for non-EU organisations who provide goods or services to EU citizens or keep an eye on their behaviour.

Relevance to Processors and Controllers of Data:
The GDPR covers data processors (businesses that handle data on behalf of controllers) as well as data controllers (organisations that choose how and why to process personal data. According to the rule, controllers and processors have different duties and responsibilities.Definition of Personal Data:
Scope: Any information pertaining to an identified or identifiable natural person falls under the purview of the GDPR and is subject to processing. This broad term covers a lot of territory, from simple identification information to more sophisticated data like genetic and biometric information.

Cross-Border Operation:
Scope: Personal data processing that includes cross-border data transfers inside the European Union or the European Economic Area (EEA) is subject to the General Data Protection Regulation (GDPR). It guarantees an equivalent degree of protection and offers a framework for the legitimate transfer of data outside the EU.

Bodies and Public Authorities:
Scope: The GDPR ensures that governmental organisations follow strict data protection guidelines while processing personal data. It applies to public authorities and bodies as well.

To navigate the complicated world of data protection and privacy within the European Union and beyond, organisations and people must have a thorough understanding of the goals and scope of the GDPR. Respecting the General Data Protection Regulation (GDPR) protects people's right to privacy while also promoting confidence in the ethical management of personal information in the digital era.

Data Subject rights:
Data subjects are granted a number of special rights under GDPR Articles 15 to 22. It is the duty of data controllers to enable the exercise of these rights; they are not permitted to assign this responsibility to processors.[1] The different data subject rights under the GDPR are looked at one by one below. It will be seen that although some present no unique issues within the framework of blockchain technology, others give rise to technical and legal issues, the resolution of which may be influenced by the identity of the data controller and its authority over blockchain data. Of course, as is always the case, a case-by-case examination that takes into consideration the unique technological and contextual circumstances of each personal data processing operation is necessary in order to fully evaluate the application of these diverse data subject rights to distributed ledgers.

The right to access:
As stated in GDPR Article 15

1. The data subject has the right to receive confirmation from the controller on whether or not personal data pertaining to them is being processed. If so, they also have the right to view their personal data along with the following details:
   1. the purposes of the processing;
   2. the categories of personal data concerned;
   3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
   4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
   5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
   6. the right to lodge a complaint with a supervisory authority;
   7. where the personal data are not collected from the data subject, any available information as to their source;
   8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. In cases where personal data is transmitted to an international organisation or a third country, the data subject is entitled to know about the relevant measures in accordance with Article 46.
3. A copy of the personal data being processed must be given by the controller. The controller may impose a reasonable fee based on administrative costs for any additional copies that the data subject requests. If the request is made electronically, the information will be sent in a frequently used electronic format unless the data subject requests something else.
4. The right to get a copy mentioned in paragraph 3 will not negatively impact other people's freedoms and rights.

The prioritisation of the right to access at the beginning of the list of data subject rights is not a mere coincidence. The recognition of the right to access should be seen as a fundamental right within the framework of European data protection legislation, since it facilitates and frequently serves as a prerequisite for the exercise of all other rights granted to individuals regarding their personal data. Accessing personal data allows individuals to gain insight into the specific information that is being handled by the entity responsible for data processing. This initial step is often essential in order to exercise any subsequent rights effectively.

For example, the right to access empowers the individual to verify the potential inaccuracy of personal data, so potentially motivating them to exercise their right to rectification as outlined in Article 16 of the General Data Protection Regulation (GDPR). Article 15 of the General Data Protection Regulation (GDPR) holds substantial importance in shaping the framework of data protection legislation in Europe. When a data subject submits a request for access, it is incumbent upon the controller to do a comprehensive search of all its records, both electronic and paper-based, in order to furnish the relevant information to the data subject.

Therefore, in cases where a data controller utilises Distributed Ledger Technology (DLT) to handle personal data either independently or in conjunction with other methods, it is necessary for them to investigate if this database includes any information pertaining to the data subject. In general, there are no inherent obstacles that would prevent the implementation of Article 15 of the General Data Protection Regulation (GDPR) in relation to blockchains. However, it is assumed in this context that there are sufficient governance systems in place that facilitate efficient exchange and administration of data.

The right to rectification:
According to Article 16 of GDPR
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement[2]

Blockchains are a type of ledger that is intentionally built to make it extremely difficult to delete or modify data. This design feature is implemented to ensure the integrity of data and establish confidence within the network.[3]

This concept inherently creates a conflict with the GDPR's mandate for data to be modifiable in order to facilitate its deletion, or, as stipulated by Article 16 of the GDPR, its correction. Blockchains frequently lack the capability to facilitate reversibility, as exemplified by scenarios when a client requests a service provider, who operates on a blockchain, to amend the information contained within their record.

Private and/or permission less blockchains have the capability to accommodate these requests by modifying the corresponding transaction record through the re-hashing of following blocks, which can be facilitated by the specific technical and governance framework in place.

However, rectifying data on public and/or permission less blockchains poses significant challenges, as individual players lack the ability to comply with such demands. This is not due to technical limitations, as each node has the ability to modify its own local version of the ledger. However, identifying the specific data to be corrected is challenging, particularly when the relevant data is encrypted.

Nevertheless, it should be noted that designating all nodes, miners, and users as data controllers responsible for enforcing data subject rights may not guarantee adequate safeguards for the protection of data subjects. This is because, despite the possibility of nodes reaching a consensus to transition to a new version of the blockchain periodically in response to requests for data removal, the coordination required for such an action has been deemed challenging to accomplish among a potentially vast number of nodes.

The provision outlined in Article 16 of the General Data Protection Regulation (GDPR) specifically allows for the completion of incomplete data through the provision of a supplementary statement. Implementing changes in distributed ledgers is far more feasible due to the ability of any authorised entity to append new data to the ledger, hence rectifying previously recorded information.

For instance, in cases where a user's existing records identify their marital status as single, further information can be appended to a separate data block to signify a change in status following a recent marriage. However, it is worth considering whether the inclusion of fresh data on the blockchain will always be an effective method of fulfilling the underlying purpose of Article 16 of the General Data Protection Regulation (GDPR).

It is noteworthy to mention that Advocate General Kokott contended in the Nowak case that the evaluation of the right to correction should be conducted by considering the purpose for which the data was gathered and processed.[4] In this particular instance, it was contended that the utilisation of Article 16 of the General Data Protection Regulation (GDPR) was not applicable for the purpose of seeking the correction of responses in an examination.

By employing a purposive approach, it becomes apparent that the inclusion of an additional statement may not always be a sufficient method for ensuring adherence to the right to rectification. This is particularly true in situations where there is a compelling argument that the data in question should not merely be supplemented, but rather completely removed and replaced.

This circumstance arises, for instance, when a data subject is unable to invoke the right to erasure due to the absence of any of the grounds outlined in Article 17(1) of the General Data Protection Regulation (GDPR). On the other hand, one could posit that in cases where Article 17(1) of the General Data Protection Regulation (GDPR) does not apply, the data subject's interest in data erasure may not be deemed significant, and instead, the mere providing of supplementary information should be deemed satisfactory.

The right to be forgotten(the right to erasure):
In accordance with Article 17 of the General Data Protection Regulation (GDPR), individuals possess the entitlement to request the deletion of their personal data from the data controller promptly and without unnecessary delay. The data controller, in turn, bears the responsibility to promptly erase personal data when any of the following circumstances are present:

There are several circumstances under which personal data may no longer be necessary for the purposes for which they were collected or processed. These include situations where the data subject withdraws their consent, and there is no other legal basis for the processing. Additionally, if the data subject objects to the processing and there are no overriding legitimate grounds for it, or if the data subject objects under specific circumstances, the personal data may need to be erased.

Furthermore, if the personal data has been processed unlawfully or if its erasure is required to comply with a legal obligation, it should be erased. Lastly, if the personal data has been collected in relation to the provision of information society services, it may also need to be erased.

The controller of personal data is responsible for ensuring that controllers processing the data are informed of the data subject's request for erasure. This includes taking reasonable steps, such as implementing technical measures, to notify these controllers and ensure the removal of any links to, copies of, or replications of the personal data in question. The controller should consider the available technology and the associated costs when determining the appropriate measures to be taken. Paragraphs 1 and 2 of the aforementioned provision shall not be applicable in cases where processing of personal data is deemed necessary for the following reasons:

1. to exercise the right of freedom of expression and information;
2. to comply with a legal obligation that requires processing under Union or Member State law, which the controller is subject to, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

The right to erasure, as outlined in the Regulation, plays a significant role in promoting informational self-determination by granting individuals the ability to exercise control over personal data that pertains to them, whether directly or indirectly. According to Article 17 of the General Data Protection Regulation (GDPR), individuals have the right to request the deletion of their personal data from the entity responsible for its processing, known as the data controller, under certain specified circumstances. The right to erase is a right that is both qualified and limited.

The invocation of this provision is limited to the conditions specified in Article 17(1) of the General Data Protection Regulation (GDPR) and must also be weighed against the reasons outlined in Article 17(2) of the GDPR. Furthermore, the European Court of Justice (ECJ) has emphasised that the invocation of the right to erasure must not be employed in a manner that contradicts the underlying intention of this regulation.[5]

The right to erasure, as stipulated in the Regulation, plays a crucial role in advancing the concept of informational self-determination by granting individuals the authority to exercise control over personal data that pertains to them, either directly or indirectly.

According to Article 17 of the General Data Protection Regulation (GDPR), individuals have the right to request the deletion of their personal data from the entity responsible for its processing, known as the data controller, if certain specified conditions are met. The right to erase is a right that is both qualified and limited. [6]

The invocation of this provision is contingent upon the requirements outlined in Article 17(1) of the General Data Protection Regulation (GDPR) and must also be weighed against the reasons specified in Article 17(2) of the GDPR. Furthermore, the European Court of Justice (ECJ) has emphasised that the invocation of the right to erasure must not be used in a way that contradicts the underlying intention of this Article.

Numerous scholars and experts have underscored the challenges associated with implementing the right to erasure within the context of blockchain technology. The act of removing data from distributed ledger technology (DLT) systems can be arduous due to intentional design features that make it difficult to unilaterally modify data. This design aims to foster trust within the network by ensuring the integrity of the data.

For instance, in the case where the prevailing consensus mechanism employed is proof-of-work, it would be necessary for the majority of all peer-to-peer connected nodes to revalidate the authenticity of each affected transaction in a reverse manner. This would involve dismantling the entire blockchain, block by block, and subsequently reconstructing it. Each transaction step would need to be disseminated to all currently active nodes in a block-wise manner.

The challenge of adhering to Article 17 of the General Data Protection Regulation (GDPR) is compounded by both technological considerations and governance design. In the context of public and permission less blockchains, it might be challenging to achieve universal implementation of database modifications across all nodes, even if technical mechanisms for assuring compliance exist.

This section undertakes an evaluation of the relationship between distributed ledgers and the right to erasure as outlined in the General Data Protection Regulation (GDPR), with the aim of offering additional insights on this matter.

First and foremost, it is imperative to highlight the lack of clarity surrounding the precise definition of the term 'erasure' as used in Article 17 of the General Data Protection Regulation (GDPR). The feasibility of eradicating personal data from blockchains remains uncertain due to the lack of specific guidelines on the interpretation of this term.

What does the right to erasure mean?
Prior to any analysis on the compatibility of blockchain technology with Article 17 of the General Data Protection Regulation (GDPR), it is important to emphasise that there is a lack of clarity regarding the exact definition of the term 'erasure'. [7] The definition of erasure is not provided in Article 17 of the General Data Protection Regulation (GDPR), and the explanatory statements within the Regulation also do not elaborate on the interpretation of this term.

It could be posited that an acceptance of a vernacular comprehension of this language is advisable. As to the definition provided by the Oxford English Dictionary, erasure refers to the act of eliminating or inscribing over recorded content or data. It can also denote the complete elimination of any remnants of a certain entity, resulting in its obliteration. From this particular standpoint, the concept of erasure can be interpreted as synonymous with the act of annihilation. However, it has been previously emphasised that the eradication of data on blockchains, specifically those that are public and permissionless, is not a simple task.

Nevertheless, there are signs suggesting that the obligation stipulated in Article 17 of the General Data Protection Regulation (GDPR) does not necessarily need the complete eradication of data. The act of removing material from search results in Google Spain was regarded as a form of erasing. It is noteworthy to acknowledge that the claimant specifically sought only this information from Google, without having any authority over the original data source, which happened to be an online newspaper publication.

If the claimant desired complete eradication of the pertinent data, they would have needed to approach the newspaper rather than Google. This statement suggests that the General Data Protection Regulation (GDPR) mandates data controllers to make every effort within their factual capabilities to achieve an outcome that closely resembles the destruction of their data.

Furthermore, national and international regulatory bodies have also suggested that there might exist other approaches to the complete eradication of data, which could effectively ensure adherence to the erasure requirement outlined in the General Data Protection Regulation (GDPR). The Article 29 Working Party, in its assessment of cloud computing, posited that the potential destruction of hardware might potentially be deemed as erasure within the context of Article 17 of the General Data Protection Regulation (GDPR).

In addition, it has been acknowledged by national data protection authorities that the act of erasure does not necessarily equate to complete destruction. An instance of the Austrian Data Protection Authority has recently acknowledged that the data controller possesses a certain degree of flexibility in terms of the technical methods employed to achieve erasure.

Furthermore, it has been suggested that anonymization can be seen as a viable approach to achieve the desired outcome of erasure.The number provided by the user is in addition, the UK Information Commissioner's Office has consistently contended that rendering data 'put beyond use' could potentially be deemed acceptable.

Right to restriction of processing:
In accordance with Article 18 GDPR:

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
   
   1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
   2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
   3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
   4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

End-Notes:

1. Article 12 (2) GDPR.
2. Article 16 GDPR.
3. Bacon J et al (2018), 'Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers' Richmond Journal of Law and Technology 1, 76.
4. Opinion of AG Kokott in Case C-434/16 Peter Nowak [2017] EU:C:2017:582, para 35.
5. Case C-434/16 Peter Nowak [2017] EU:C:2017:994, para 52.
6. Case C-398/15 Salvatore Manni [2017] EU:C:2017:197.
7. https://en.oxforddictionaries.com/definition/erasure

Written By: Madiya Mushtaq Advocate, Supreme Court of India