Turkish Law Blog
Contemporary Issues in Blockchain Applications and Data Protection Laws
Although the advent of blockchain applications date back to earlier times, the article published by the author / s named Satoshi Nakamoto - whose real identity is still unknown - and his introduction of the Bitcoin electronic payment system, became a milestone in terms of the awareness and proliferation of the blockchain. While most people only envisage cryptocurrencies when discussing blockchain, its area of utilization is much more than financial systems. There is an expectation that many sectors, including but not limited to public services (such as voting and notaryship) as well as supply chain, energy management, insurance, healthcare and cyber security, will be re-shaped by the blockchain in the near future. It is seen that the market value of the blockchain, which was calculated as 1.57 billion USD in 2018, has doubled in the last two years, reaching the level of 3 billion USD; It is estimated that it might reach up to 39.7 billion USD at the end of the next five years. This suggests that blockchain technology has as much disruptive potential as the invention of the internet in an innovative sense and it should be seriously taken into consideration by lawmakers as well. In this paper, the blockchain will be evaluated within the scope of the basic principles of the Data Protection Laws of Turkey & EU, which constitutes one of the most stressed areas with current legal systems.
2. Evaluation of Blockchain in the Context of Its Underlying Philosophy and Existing Data Protection Legislations
The American National Institute of Standards and Technology defines the blockchain as follows:
“(…) tamper evident and tamper resistant digital ledgers implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority. At their most basic level, they enable a community of users to record transactions in a shared ledger within that community, such that under normal operation of the blockchain network no transaction can be changed once published.”
This definition, which the French data protection authority called CNIL (Commission nationale de l'informatique et des libertés) also draws attention to, highlights four important characteristics of the blockchain: transparency, decentralization, immutability and disintermediation.
The main philosophy behind the blockchain concept is to enable peer-to-peer value transfer in a decentralized system by eliminating any intermediaries. What should be understood from the intermediary may be financial institutions as well as third parties benefitting from public power, such as notaries. Therefore, entrepreneur Reid Hoffman described the mechanism of the blockchain as based on "trustless trust", in order to emphasize that the parties would not need third parties to establish trust relationship between them.
On the other hand, in parallel with technology, significant developments occurred in terms of the “personal data” notion and the mentality of protecting personal data in the context of fundamental human rights, especially since the 1970s. Within the framework of core values such as the right of privacy and human dignity, it has been accepted that individuals should be given sovereignty over their data by giving right to control data as much as possible, and data controllers & processors should be held accountable.
At the present time, almost all kinds of human behaviour in daily life could be turned into data, and financial benefits are obtained by commodifying data through processes called data monetization. For instance, recently, many scandals such as the 2018 Cambridge-Analytica scandal, where personal data are obtained unethically and used for malicious purposes, have been revealed. In the same year, the General Data Protection Regulation 2016/679 (“GDR”) was adopted throughout the EU and entered into force to repeal the Directive 95/46 / EC ("Directive"). It is noteworthy to see that more than 65,000 violation cases were reported within the first year of the GDPR. Based on the Directive, Turkey prepared a draft law and consequently the Turkish Data Protection Law no. 6698 (“KVKK”) entered into force, in 2016.
Although some proponents of the idea of "the code is the law" asserts that the code can determine its own legal regime itself, and concurrently with the development of the blockchain, a separate legal field called Lex Cryptographia will be emerged; this opinion is not accepted on the basis of the internet example. As a matter of fact, most of the transactions to be carried out via blockchain will have a physical world dimension as well. For example, property title on a virtual land registry can be transferred to someone else through the blockchain, but for this transfer to make a real sense, it depends on the ability to transfer possession in the physical world by relying on this virtual record.
In the light of these explanations, it is necessary to accept that the current legal framework shall apply when personal data is processed through the blockchain. Actually, both GDPR and KVKK are legal documents which are purportedly drafted to be technology-neutral. In addition, since the speed of the lawmakers cannot keep up with the speed of technology, the texts in question are designed (or at least hoped) to allow interpretation and implementation for many years. However, according to a survey conducted in 2019 by the famous audit firm Deloitte, with the top executives of the companies investing in blockchain technology, the situation is the opposite in practice. According to the research, 50% of the executives declared that privacy is the most important regulatory obstacle in their work. Actually, it is not a big surprise, since there is a stark contrast between the purposes of the data protection legislation and the working principle of the blockchain. In other words, data protection legislation envisages a world where data is processed and stored in central databases by certain or identifiable central authorities, and where modification or destruction operations can be applied in accordance with the rights of the data subject, while the blockchain on the contrary, runs in a world where the authority and responsibility is distributed as much as possible, by placing a copy of database to all nodes in the network. Moreover, it designs a mechanism in which data modification or destruction is technically very difficult, if not impossible due to the nature of the system. The mentioned incompatibility causes serious deterrent problems in practice by slowing down the development of the blockchain investments.
Since it would be beyond the scope of this study to explain the contradiction mentioned above in its all dimensions, four sensitive stress areas will be briefly examined. These are compliance with general principles, transfer of personal data, determination of responsibles and data subjects’ usage of their rights.
3. Main Stress Areas and Possible Solutions
a. Compliance with General Principles and Transfer of Personal Data
Article 4 of the KVKK regulates the general principles on which the Law is based as follows:
“a) Being in conformity with the law and good faith;
- b) Being accurate and if necessary, up to date;
- c) Being processed for specified, explicit, and legitimate purposes;
ç) Being relevant, limited and proportionate to the purposes for which data are processed;
- d) Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.”
The 5th article of GDPR also refers to similar principles, but emphasizes two points that conflict with the technical features of the blockchain, such as “data minimization" and "storage limitation".
At this point, it should be underlined that it is not possible to come up with a one-size-fits-all solution which is suitable for every problem in terms of compliance of the blockchain with the data protection legislation. Due to the fact that the blockchain refers to a multi-layered technology, such as the internet, different analyses at macro or micro level are possible. For example, when it comes to the determination of the concepts of data controller and data processor, besides the approach based on the whole network with a holistic view, there are also application based or even more micro-level transaction-based approaches which exist. In addition, blockchain applications have evolved over time and various types have emerged, including public, private, permissioned and permissionless blockchains. Our explanations will generally be based on classic public blockchain.
Although blockchain applications initially emerged with the promise of privacy and anonymity, it is unanimously accepted that they process personal data. The definition of personal data includes not only all kinds of information belonging to an identified real person, but also information about identifiable real persons. For this reason, both the public keys and transaction information of the users shall be classified as personal data. As a matter of fact, the real identities of the users can be determined by following both the transaction patterns and the reflections of the transactions in the physical world, as well as the rapidly increasing number of financial intermediaries, and crypto-exchanges demand a photocopy of their identity / passport from the users in order to fulfil their legal obligations, such as AML and KYC. Since the blockchain system is based on the principle of interconnecting the blocks by processing them on top of each other, the identification information must be maintained constantly on the chain in order for the system to continue the approval process. The CNIL also acknowledges that the processing time of identification data is equal to the existence time of the entire chain.
On the other hand, the main problem arises from the processing of transaction information. The blockchain is a chain that expands with continuously processed links and since the system does not allow for any disconnection, every data processed on the chain remains in the chain without any time limitation. Furthermore, miners, who ensure the approval process and reliability of the system, have a copy of the ledger on their own devices. This modus operandi causes the database to be scattered around the world in thousands of copies. It is difficult to square this with the storage limitation and data minimization principles. Finally, the data processed on the ledger is in danger of becoming public, as the blockchain, as a general rule, envisions a transparent and checkable structure for all participants. Processing data on the chain in plain text, encrypted form or by "hashing" on the chain will not make any difference in this sense. Because, theoretically, it might be possible to reverse the encryption and make the data public again. Therefore, as you can see, the areas where the blockchain is the strongest are turning into achilles’ heel within the scope of compliance with the data protection legislation.
Another issue that should be discussed regarding the blockchain is the data transfer dimension of the data protection legislations. Transferring a data abroad is subject to strict conditions under both KVKK and GDPR. The Lindqvist decision made by the Court of Justice of the European Union (CJEU) pursuant to the Directive, with regards to the internet can also be a guideline for how to interpret the transfer of data abroad on the blockchain. In the said decision, the CJEU ruled that the fact that the data placed on a website is accessible from all over the world does not necessarily mean that the data is transferred to third countries. In terms of blockchain, this inference can be compared in terms of being available to access. However, this comparison does not completely solve the problem; since the blockchain is not only accessible from all over the world, but also nodes maintain a copy of it in their local computers. In addition, the CJEU - in the Lindqvist decision - did not examine the issue of transferring data to a hosting service, which would also have a copy of the website data, too. Therefore, it would be appropriate for data protection authorities to publish guidelines on data transfer via blockchain and specify the procedures and principles regarding explicit consent procedures or agreements to be drawn up between parties.
b. Determination of Responsibles and Data Subjects’ Usage of Their Rights
Data protection law is mainly based on relationship between three parties. These are data subject (defined as “relevant person” in Turkish legislation), data controller and data processor. According to the assumption, the data subject refers to the real person whose information is processed, the data controller determines the purpose and means of processing the data, while the data processor refers to the real or legal person who processes the data within the scope of these predetermined purposes and means. Especially determining the data controller is of critical importance, as the law imposes the data controller important obligations, including lawful processing and transferring data, and reporting to relevant authorities when a breach occurs. If the data controller cannot be identified, the whole of the data protection legislation becomes meaningless. Likewise, data controller inflation will make it extremely difficult to apply the legislation properly. At this point, the following questions will be raised:
“- Is each node (that contains a copy of the distributed ledger) a data controller?
- Will blockchain users be considered data controllers if their personal data is kept on the blockchain?
- In an environment where the parties do not know who the addressees are, how can data controllers give instructions to the data processors?
- If thousands of nodes carry copies of transactions between millions of users, how will each communicate with the other?”
Since the answers given to each of these questions in the doctrine differ, it does not seem possible to reach a definite conclusion for now. Therefore, it is possible to encounter surprises in practice.
Finally, the 4th sensitive stress area concerns compliance with the rights of data subjects. Data subjects have the right to request their data to be processed in an accurate and up-to-date manner within the scope of data protection legislation and to be deleted under certain circumstances within the framework of the right to be forgotten. In public blockchain, it is a mystery how a data subject can exercise his/her rights. First of all, what should be understood from the concept of “deletion” must be determined clearly. Encryption of data, destruction of data whose hash value is in the chain, or destruction of the key that makes it possible to read the encrypted data are some of the methods discussed in the doctrine. For example, the UK data protection authority (Information Commissioner's Office) tends to broadly interpret data deletion as "putting data beyond use". In the narrow sense, deletion or modification seems possible with various methods, especially hard fork, in theory, but it does not appear to be practically applicable. Since the system operates according to the consensus protocol, any change of the record by any of the nodes shall not affect the entire ledger, this shall require more than half of the system's processor power to validate. Again, in the public blockchain, there is no central authority to coordinate these people scattered all over the world.
Considering the challenges mentioned above, various practical and technical solutions are being developed. For example, the data can be changed with a new block that will refer to the change in the old block. For example, if a data saying that a person is 25 years old is in the tenth block, the information that he is now 30 years old to be added to the fiftieth block after five years can be entered together with the information that the tenth block has been repealed. Apart from this, it becomes easier to make changes on the records with a method developed by Accenture. By weakening the hash value function, it is possible to find a way to maintain chain integrity by keeping the hash value the same even if a change is made on the data. It is beneficial to pave the way for similar initiatives by increasing legal predictability.
4. Recommendatitons and Conclusion
Not being indifferent to the significant potential offered by blockchain technology for different sectors and the Union’s economy in general, the European Union (EU) established the "Blockchain Observatory and Forum", in 2018, in order to focus on the compatibility of the blockchain with GDPR. Blockchain was also among the "possible topics" in the European Data Protection Board's 2019-2020 work program.
The Observatory proposes a 4-stage general framework for blockchain implementations as of today. Namely, according to the observatory, an entrepreneur who wants to take advantage of the blockchain should follow the steps as follows:
“1. Determine whether a blockchain is really necessary for the system being deployed.
- If a blockchain is necessary, avoid or minimize the amount of personal data stored on the blockchain.
- If personal data must be stored on the blockchain, a private blockchain is preferable if possible.
- Innovate new solutions for compliance and be as transparent as possible with users of the system”
As a result, it appears that there is a purposeful contradiction between the data protection law and especially public blockchain applications, which causes tension. The blockchain promises significant potential for secure data storage and transaction validation. However, in order to fully realize this potential, legislators need to make a multi-dimensional evaluation, by taking into account of the opinions of IT experts who are sensitive to human rights. Otherwise, there may be a danger that the blockchain model will be confined to a limited area of use or lose its unprecedented features. On the other hand, there may be some drawbacks to urgently drafting new casuistic law rules for an unpredictable technology that is still under development. Therefore, the preparation of guiding rules by means of soft law instruments and even testing some flexible rules by creating regulatory sandboxes for entrepreneurs, if necessary, may contribute to legal compliance of the blockchain.
 19 Industries The Blockchain Will Disrupt, https://futurethinkers.org/industries-blockchain-disrupt/ (Last Access: 17.12.2020).
 Elif Küzeci, Blokzinciri, Hukuk ve Kişisel Verilerin Korunması: Yeni Bir Güven Mekanizması Kurmak Olanaklı Mıdır? Eylem Aksoy Retornaz & Osman Gazi Güçlütürk (Ed.), Gelişen Teknolojiler ve Hukuk I: Blokzincir, 2020,
- 155-177, p. 157.
 Blockchain Market by Component (Platform and Services), Provider (Application, Middleware, and Infrastructure), Type (Private, Public, and Hyrid), Organization Size, Application Area (BFSI, Government, IT & Telecom), and Region- Global Forecast to 2025, https://www.kisa.link/Ofmn (Last access: 17.12.2020).
 Raffi Teperdjian, The Puzzle of Squaring Blockchain with the General Data Protection Regulation, Forthcoming
in Jurimetrics Vol 60 Issue No. 3, 2020, p. 8, https://www.kisa.link/Ofqf (Last access: 17.12.2020). Similarly, the Scientific and Technological Research Council of Turkey (TÜBİTAK) describes the “blockchain model” as: "Distribution of centralized trust on the internet by enabling the elemination of a central server or a trusted authority" Küzeci, p. 158.
 CNIL, Blockchain: Solutions for a Responsible Use of the Blockchain in the Context of Personal Data, 2018,
https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf (Last access: 17.12.2020).
 Reid Hoffman, Why the Blockchain Matters? https://www.wired.co.uk/article/bitcoin-reid-hoffman (Last access: 17.12.2020).
For full text currently in force, see: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504 (Last access: 17.12.2020).
 Karin Melin, The GDPR Compliance of Blockchain, A Qualitative Study on Regulating Innovative Technology,
2019, s. 1, http://uu.diva-portal.org/smash/get/diva2:1370599/FULLTEXT01.pdf (Last access: 18.12.2020).
 About discussions regarding this topic see: Emir Bayramoğlu, Online Dispute Resolution and Direct Enforcement in the Age of Smart Contracts, 2018, s. 20-24, http://arno.uvt.nl/show.cgi?fid=146835 (Last Access: 18.12.2020).
 Deloitte, Deloitte’s 2019 Global Blockchain Survey: Blockchain Gets Down to Business, https://www2.deloitte.com/content/dam/Deloitte/se/Documents/risk/DI_2019-global-blockchain-survey.pdf (Last access: 18.12.2020).
 For differences between these types, see (in Turkish): BlockchainTurk.net, https://medium.com/blockchainturk/private-public-permissioned-permissionless-blockchain-22142e8af5cf (Last access: 21.12.2020).
 Supra note 6.
 Küzeci, p. 172.
 Court of Justice of the European Union, Case Number: C-101/01, 2003.
 Küzeci, p. 174.
 Melin, p. 29
 Yusuf Mansur Özer, Kişisel Verilerin Korunmasında Blokzinciri Modeli: Vaatler ve Hukuki Engeller, https://tez.yok.gov.tr/UlusalTezMerkezi/tezDetay.jsp?id=fEKJB3YCls9UV1zqeViMbg&no=fGL7lnIpGffb1ywLJ_6Kw (Last Access: 21.12.2020), p. 253.
 European Data Protection Board, Work Program 2019/2020, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12plen-2.1edpb_work_program_en.pdf (Last access: 21.12.2020).
 Teperdjan, p. 49