Bitcoin Tag

  • All
  • 130th Anniversary
  • Art and Cultural Heritage
  • Articles
  • Aviation
  • Blockchain
  • Brexit
  • Brochures
  • Company Law Insolvency
  • Competition
  • Consumer Protection
  • Corporate and Commercial
  • COVID-19
  • DAC6
  • Data Protection
  • Dispute Resolution and Litigation
  • Employment
  • Employment and COVID-19
  • Employment and Industrial Relations
  • Energy
  • ESG and Sustainability
  • EU and Regulatory
  • Events
  • FAQs
  • Fenlex
  • Financial Services
  • FinTech
  • Firm News
  • Foundations & Associations
  • Gaming
  • GDPR
  • ICT
  • Immigration
  • Intellectual Property
  • Investment Funds
  • Key Authorities Announcements
  • Legal Update
  • Litigation
  • Marine Litigation
  • Maritime Newsletter
  • Media & Telecoms
  • Mergers and Acquisitions
  • News
  • Podcasts
  • Project & Asset Finance
  • Public Procurement
  • Publications
  • Real Estate and Construction
  • Ship Finance
  • Shipping
  • Tax
  • Technology
  • Technology Media & Telecoms
  • Trusts and Foundations
  • Videos
  • Webinars
  • Yachting
Blockchain & the General Data Protection Regulation

Without a doubt, data is the new gold[1]. Blockchain, the most recent technological development taking over the world as we know it, is realizing the potential of data now more than ever. Yet, at the same time, many question whether the principles established in the General Data Protection Regulation 2016/679 (‘GDPR’) are compatible with the foundations of this new technology.

Blockchain first rose to fame in the ashes of the financial crisis of 2008, and was then adopted as the underlying technology of hugely successful platforms such as Bitcoin and Ethereum. Best described as a distributed ledger, blockchain allows the recording of information in blocks at a point in time, with new transactions being added to a block and connected to a previous block of information via nodes. This allows the information to be stored across a network, therefore moving away from the traditional approach of centralized data. This methodology also ensures that information is protected through a multi-level approach via encryption.

Blockchain’s ingenuity might however prove to be challenging in the face of the GDPR. Firstly, its decentralized set-up automatically excludes the notion of a central entity – this is detrimental to the concept of accountability in that identifying a data controller would seem virtually impossible. The GDPR’s applicability has been extended from that adopted within its predecessor, Directive 95/46/EU. Once it comes into force in May 2018, the principles established within the GDPR will be applicable to “the processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”, as well as to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are  related to the offering of goods and services, irrespective of whether a payment of data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union”[2]. This establishment principle becomes even more complex when one considers the existence of private blockchain and public blockchain. In the former, participants have been vetted, and therefore the data controller in this situation would arguably be the entity in charge of operating the private blockchain. Conversely, in a public blockchain, as the name implies, anyone would be able to access and add to the ledger, and therefore every node would be considered to be a data controller. Reconciling this notion with that of ‘joint controllers’ and the determination of respective responsibilities in a transparent manner as expounded in the GDPR is inconceivable to say the least.

Secondly, the material scope of the GDPR is that of processing of personal data, so for its principles to be applicable to a blockchain, the latter must process such personal data. Personal data is deemed to be any information relating to an identified or identifiable natural person[3], account being had of the cost of and amount of time required for identification to take place. Here it is noteworthy to mention that the GDPR does not apply to anonymous data, but pseudonymised data which could be attributed to a natural person with the use of additional information still constitutes personal data[4]. With this in mind, the likelihood is that the data constituting the basis of the transactions carried out through blockchain is information relating to specific individuals, and despite the encryption tools employed allowing access to authorised individuals only, typically such data would merely be pseudonymised and would therefore still fall within the understanding of personal data under the GDPR.

The GDPR also attracted a lot of attention due to its inclusion of the much debated ‘right to be forgotten’, which was first recognised in C-131/12 Google Spain SL & Google Inc. v. AEPD & Mario Costeja Gonzàlez. Officially referred to as the right to erasure, this allows the data subject to obtain from the controller the erasure of personal data where he has withdrawn consent, the data has been unlawfully processed and where the data is no longer necessary for the purposes for which it is collected or processed, amongst other grounds[5]. As highlighted above, identifying the data controller on whom these responsibilities would lie is no easy task. Furthermore, especially in public blockchains, actually carrying out this erasure of data as requested by the data subject is virtually impossible due to the innate blockchain architecture. Erasing data stored on a blockchain would mean that the process must occur at every node, wherein the blockchain would have to be unmade one block at a time up until the point where the data was first entered, and then rebuilt again, across the whole network. One of the arguments put forward in this regard has been that the data is necessary for the processing purpose since the blockchain architecture demands a perpetual written chain.

This architectural issue also ties to the notion of Privacy by Design as included within Article 25 of the GDPR. Developed by Dr Ann Cavoukian in the late nineties, this approach “does not wait for privacy risks to materialise, nor does it offer remedies for resolving privacy infractions once they have occurred – it aims to prevent them from occurring”[6]. In the advent of technological development and increased data processing, the EU legislators sought to include this notion within the GDPR, and in fact this imposes an obligation on the data controller to implement technical and organisational measures in line with data protection principles, both at the time of the determination of the means for processing as well as during the processing itself. At present, although data is often anonymised and encrypted, blockchain architecture seems to be incompatible with the notions of data minimisation, for example. Nevertheless, it must be noted that the obligation set out in the GDPR is not inflexible, in that in fact it takes into account the “state of the art, the cost of implementation and the nature, scope, context and purposes of the processing as well as the likelihood of risks to the rights of data subjects.

Created as part of the Data Protection Reform Package, the GDPR is meant to revitalize innovation and facilitate business development, but it is still unclear if the concepts underlying blockchain can be reconciled with the data protection principles and privacy concerns that have led to the promulgation of the GDPR – we will yet have to see.

[1] Neelie Kroes, Press Conference on Open Data Strategy, Brussels, 12th December 2011, as accessed on

[2] Article 3, GDPR.

[3] “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person”, Article 4(1), GDPR.

  • Here it is also noteworthy to mention the case C-582/14 Patrick Breyer v. Bundesrepublik Deutschland, which established that dynamic IP addresses, under certain circumstances, constitute personal data where a third party has the additional data necessary to identify the individual.

[4] Recital 26, GDPR.

[5] Article 17, GDPR.

[6] Ann Cavoukian, Privacy by Design: The 7 Foundational Principles – Implementation and Mapping of Fair Information Practices, as accessed on

Blockchain Gambling: Stepping up the Game

The technology underpinning Bitcoin – the blockchain – has already been described as the technology which could be even more disruptive than Amazon was two decades ago.[1] Simply put, blockchain is a decentralised ledger which records transactions. These transactions are then shared amongst the network of users of the same database, who verify the accuracy of such transactions. New transactions are added in new blocks and connected to the previous blocks on the chain, meaning that a blockchain grows over time and contains a detailed history of all the transactions that have taken place. When new blocks are created, they are “timestamped” which allows the viewers of the ledger to ascertain the order in which the transactions have occurred. This, amongst other features, ensures the security of the data contained in that block and makes it unchangeable.

Cryptocurrencies, like Bitcoin, are just one use of blockchain. The technology is being considered across various sectors, including gambling. The Malta Gaming Authority’s (MGA) executive chairman Joseph Cuschieri, has reportedly stated that “cryptocurrencies and blockchain technologies are emerging innovations which need analysis and an assessment of the risks and opportunities for potential adoption in the gaming sector”.[2] The MGA, in its ‘White Paper to Future Proof Malta’s Gaming Legal Framework’ states that the “Authority is cognizant that the rise of cryptocurrencies is inevitable. Conscious of the need to remain at the forefront of innovation and to keep up with new developments in technology and the industry […] the Authority is committed to allow the use of cryptocurrencies by its licensees in the immediate future”.

A wider spectrum exists for the use of blockchain technology within the gambling industry, in particular, relating to the operation and recording of gambling transactions. Smart contracts could be a potential way in which to increase transparency in relation to player winnings and the randomness or fairness of a result. As it stands, players have little or no means of verifying that winnings in a lottery are adequately distributed. This can also be said of the randomness or fairness of a result. Both these elements bring to the fore the importance of trust in the relationship between a player and the gambling service provider. This is where blockchain technology may alleviate some concerns and provide a possible solution to the situation.

Seeing as blockchain technology is based on a decentralised model, the alteration of the results is nearly impossible, with some proposing the term “immutable”. The verification of transactions throughout the network will result in a situation where no one player would possess any sort of advantage throughout the whole process involved in gambling. This situation, in turn, will avoid having instances of manipulation of records contained in the chain. Effectively, gambling transactions on the blockchain are transparent to the other parties forming part of the same network, meaning that such transactions may be verified. This principle of transparency may be extended to the distribution of winnings  within a betting exchange, for example. Through the use of smart contracts, the rules of the game, the recording of bets in addition to the payout of winnings may be catered for, potentially also meaning that players may then receive their winnings within a very short period of time.

Without any doubt, the use of blockchain technology within the realm of gambling will give rise to various regulatory challenges, such as the issue pertaining to the location of the remote gambling equipment. If blockchain technology is used, certain essential elements such as the random number generator and recording of transactions will be taking place in a decentralised fashion – this implies that various hardware will be held in different jurisdictions, which could potentially lead to a situation where more than one regulatory authority might attempt to impose its regulatory regime. Another element which might give rise to regulatory challenges is access to regulatory authorities. The situation today is one where regulatory authorities reserve the right to request access to a licensee’s remote gambling equipment. If one were to consider the numerous hardware elements present within a blockchain network as remote gambling equipment, having a decentralised model will certainly be a challenge for any regulatory authority requesting access.

Even though blockchain technology might seem to be challenging, certain regulatory authorities such as the Malta Gaming Authority are still keen on embracing it. Certainly, blockchain technology has generated a large amount of interest across various communities. What seems to be clear is the fact that blockchain technology will revolutionise all industries, including gambling.

[1] Frank Holmes, ‘Blockchain technology could be even more disruptive than Amazon was 2 decades ago’, Business Insider, 19 September 2017;