NFTs and Personal Data Protection
Melodi Özer | Associate | 25.05.2022
Data protection legislation generally aims to protect the fundamental privacy rights of natural persons, to give them more control over their personal data and to grant them more rights over it. Whenever the personal data of natural persons is processed using blockchain technology, data protection and confidentiality must be taken into account. Under the GDPR and the KVKK (the Turkish Personal Data Protection Law), an identifiable natural or legal person must be responsible for establishing and managing the data recording system.
The keyword for this article is "blockchain". Because an NFT (non-fungible token) is a set of data stored on a blockchain that identifies a token as unique, and therefore not interchangeable with any other token, the blockchain itself must be understood first in order to understand the relationship between personal data and NFT technology (we recommend our previous articles on the subject).
From the data controller's perspective, data protection legislation consistently demands greater care in protecting personal data and requires continuous compliance. Legislation such as the EU General Data Protection Regulation ("GDPR") and the Turkish Personal Data Protection Law ("PDP Law") is technology-neutral, and so far it contains no exception for blockchain technology. In other words, whenever the personal data of natural persons is processed on a blockchain, data protection and confidentiality must be considered.
Who Will Be the Data Controller?
Under the GDPR and the PDP Law there must be an identifiable "data controller": a natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. Joint controllership is possible in some cases, but the core problem is that in a decentralised, consensus-based system such as a blockchain it is very difficult to identify the main data controller. This leaves it unclear to whom data subjects should turn when they wish to make a request in relation to their data. The data controller may be the developer of the protocol or the publisher (project owner) of the smart contract. Project owners should therefore take into account that such legal obligations may fall on them when they launch NFT projects or set up NFT marketplaces.
Words Fly, Writings Added to the Blockchain Remain
Another important feature of the blockchain is that data added to a block cannot in practice be deleted or changed: each block commits to the hash of the block before it, and the record of every transaction is replicated to each participant in the network rather than held in a single centre, with the network advancing by consensus. At first glance this makes the blockchain transparent, secure and tamper-evident, but it can conflict directly with data protection regulation, which requires that personal data be processed only to the extent necessary, stored only for defined periods and deleted once it is no longer needed. It should therefore be taken into account that the data held in an NFT's infrastructure, including wallet addresses (derived from public keys), account names and transaction details, cannot be deleted or changed.
The GDPR and the PDP Law require the deletion, destruction or anonymisation of personal data once the reasons for processing it no longer apply. Given the infrastructure of blockchain technology, it can be argued that the reasons requiring processing never disappear, because the system's operation depends on that data by its nature and design. Nevertheless, where a data subject requests the deletion or destruction of their personal data, it is clear that today's blockchain technology cannot honour that request, and this creates a conflict with the law.
Staying Pseudonymous, Not Anonymous
When an NFT transaction takes place on today's blockchains, the wallet addresses (derived from public keys) and the transaction details are recorded permanently and publicly. Ethereum, for instance, records every transaction in a publicly accessible ledger and exposes the addresses of all transactions associated with a wallet. Although these pseudonymous addresses do not explicitly tie transactions to the identity of a natural person, enough information is public that it may reasonably be possible to identify the person behind a series of actions on the network. If a user links an NFT to any part of their online or real-world identity, for example by using an NFT as their profile picture on Twitter or by maintaining a profile on an NFT marketplace, it becomes very easy to discover everything else they do with that wallet. In short, data added to the blockchain is not truly "anonymous": real people can be reached through their pseudonyms, and a single wallet, or a network of wallets that is not well hidden, has the potential to become a large store of personal data that cannot be deleted from the blockchain.
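The two mechanics described in the last two sections, that an on-chain record cannot be quietly altered once it has been appended, and that a single public link between an NFT and a person exposes that wallet's whole history, can both be shown on a toy ledger. The following is an added example written for this article; it is not the author's code and not the code of Ethereum or any NFT project. It assumes a simplified chain with one transfer per block, a sentinel address "0x0" for minting (as Ethereum uses the zero address), and a small set of constructed transfers in which the token "punk#42" is known to be someone's Twitter profile picture.

```python
"""Toy hash-chained NFT transfer ledger (constructed example, not any
project's code). Shows (1) why an appended record cannot be redacted
without breaking the chain and (2) how one public NFT-to-person link
exposes the holder's other activity and connected wallets."""
import hashlib
import json
from collections import deque

ZERO = "0x0"  # assumed mint sentinel, like Ethereum's zero address

# Constructed sample transfers; assumption: one transfer per block.
TRANSFERS = [
    {"token": "punk#42", "from": ZERO,   "to": "0xA1"},  # minted to Alice
    {"token": "cat#7",   "from": ZERO,   "to": "0xB2"},  # unrelated user
    {"token": "land#9",  "from": ZERO,   "to": "0xD4"},
    {"token": "land#9",  "from": "0xD4", "to": "0xA1"},  # Alice buys land
    {"token": "badge#3", "from": ZERO,   "to": "0xA1"},
    {"token": "badge#3", "from": "0xA1", "to": "0xA2"},  # to Alice's 2nd wallet
    {"token": "cat#7",   "from": "0xB2", "to": "0xE5"},
]

def block_hash(prev_hash, tx):
    """Each block commits to its predecessor's hash and its own payload."""
    payload = json.dumps({"prev": prev_hash, "tx": tx}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(transfers):
    chain, prev = [], "0" * 64
    for tx in transfers:
        h = block_hash(prev, tx)
        chain.append({"prev": prev, "tx": tx, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Index of the first block whose link or hash is inconsistent, or -1."""
    prev = "0" * 64
    for i, blk in enumerate(chain):
        if blk["prev"] != prev or block_hash(prev, blk["tx"]) != blk["hash"]:
            return i
        prev = blk["hash"]
    return -1

def redact(chain, index):
    """Simulate honouring an erasure request on one block's payload only.
    The stored hashes are left untouched, so every honest replica that
    re-checks the chain will detect the change at that block."""
    edited = [dict(b, tx=dict(b["tx"])) for b in chain]
    edited[index]["tx"] = {"redacted": True}
    return edited

def holder_of(chain, token):
    """Current holder: recipient of the latest transfer of that token."""
    owner = None
    for blk in chain:
        if blk["tx"].get("token") == token:
            owner = blk["tx"]["to"]
    return owner

def activity(chain, address):
    """Every transfer in which the address is sender or recipient."""
    return [b["tx"] for b in chain
            if address in (b["tx"].get("from"), b["tx"].get("to"))]

def linked_wallets(chain, seed, max_hops=2, ignore=frozenset({ZERO})):
    """Breadth-first expansion over transfer edges: a crude wallet network.
    Shared counterparties (the mint address here, a marketplace contract in
    practice) would link everyone, so they must be excluded via `ignore`."""
    seen, frontier = {seed}, deque([(seed, 0)])
    while frontier:
        addr, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for tx in activity(chain, addr):
            other = tx["to"] if tx["from"] == addr else tx["from"]
            if other not in seen and other not in ignore:
                seen.add(other)
                frontier.append((other, hops + 1))
    return seen

if __name__ == "__main__":
    chain = build_chain(TRANSFERS)
    print("intact chain, first broken block:", verify_chain(chain))
    print("after redacting block 3, first broken block:", verify_chain(redact(chain, 3)))
    owner = holder_of(chain, "punk#42")  # known from a public profile picture
    print("profile-picture NFT is held by:", owner)
    for tx in activity(chain, owner):
        print("   ", tx)
    print("wallet network around that holder:", sorted(linked_wallets(chain, owner)))
```

Running it shows the two points side by side: redacting any single block, even the most recent one, is detected by every participant that re-verifies the chain, so an erasure request cannot be honoured by editing the record; and a single publicly known link (the profile-picture token) is enough to enumerate the holder's other tokens and the wallets that traded with them. The `ignore` set matters in practice: leaving the mint address in the graph links unrelated users through it, which is the same effect a shared marketplace contract has on real chains.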
Privacy by Design Could Be the Solution
Under the GDPR, a data controller is obliged to ensure "data protection by design and by default" (Article 25), commonly called privacy by design. Privacy by design requires the project owner to consider privacy while the project is still being designed, not later on. Blockchain research and development on this subject is ongoing, and for now NFT project owners and NFT marketplaces have limited room for action. Data controllers should be as transparent and open as possible with natural-person users about the limitations the blockchain imposes; for example, it should be stated in advance that data published on the blockchain may not be deletable even when a data subject requests it. It is important that they inform data subjects thoroughly, from the data they will collect to their privacy policies, and that they keep the data collected to a minimum.