論區塊鏈技術與歐盟一般資料保護規則之衝突

Legal Study on Conflicts of Blockchain Technology and EU GDPR

歐盟一般資料保護規則（GDPR）的嚴峻要求、域外效力設計及以全球營收計算處罰金額使得各界無不審慎看待GDPR之適用與遵循，但區塊鏈的系統架構及技術特性卻也引發：1.此一新興技術是否適用GDPR；2.如何確定分散式架構下實際擔負法律遵循責任的資料控制者或資料處理者；3.應如何解決資料加密演算（不可變性）導致難以處理資料刪除請求等核心問題。本文研究發現寫入區塊的各該資料只消符合識別性要求，即有視為個人資料並受GDPR拘束之可能，儘管區塊資料均經過雜湊函式加密演算，然此舉僅導致資料的假名化而非匿名化，尚未達到去識別之程度。其次，為確認區塊鏈架構下可得視為資料控制者之參與者，歐盟議會及法國CNIL均嘗試建立判斷標準並針對各該參與者進行討論，其中節點能否視為資料控制者尚無共識。區塊鏈本身的資料不可變特性使得當事人刪除請求成為幾近不可能之事，現階段可見的解決方案倡議，包括暫時閒置、脫鏈儲存、銷毀私密金鑰、採用可編輯區塊鏈或分叉技術等作法，雖各有優點但也存在不一之缺陷，尚難契合區塊資料刪除或改動之需求。本文最後對比國內個人資料保護法，針對相關問題在國內之適用情形進行分析，並就個人資料及非公務機關之界定等法規適用上存有爭議之處提出具體修法建議。

Blockchain technology has the potential to revolutionize many industries, but some features of this hottest technology arise questions under EU General Data Protection Regulation (GDPR). Two most innovative aspects of blockchain, immutability of data and decentralization of control, have caused conflict with provisions of the GDPR. This article found that the complexities of compliance with GDPR will increase significantly when the transaction information contains personal data, but whether encrypted data and public key should be treated as personal data is controversial. Related studies show that encryption and hash functions do not automatically turn personal data into anonymous, encrypted data and public key are regarded as pseudonymized data and may considered as personal data when they combined with other necessary information. Secondly, the decentralized nature of blockchain technology presents challenges in identifying the relevant controllers. The accurate classification of participants as data controllers, joint controllers or data processors under the GDPR, is crucial as different implications arise depending on the said classification. To date, who should assume as the role of a controller or a processor within the blockchain system is still uncertain. Finally, under the GDPR, data subjects are granted a number of rights which appear to be in tension with blockchain’s immutable characteristics. Because blocks are linked through hashes, if someone decided to execute his or her right to erasure, it would be a huge challenge and nearly impossible to execute. The article will also compare those disputes with Personal Data Protection Law and related administrative interpretations in Taiwan, through this concrete examination, this article will clarify merits and demerits of the present domestic regulation and puts forward suggestions toward future legal adjustment. While challenges for blockchain technology compliance with the GDPR are quite clear, solutions are not obvious. Ultimately, the passage of time will reveal how the use of blockchain technology and the application of the GDPR relative to that technology will evolve.