I was recently asked by a client to look at the privacy implications of issuing some non-fungible tokens (NFTs) that give access to certain goods and services for whomever purchased them. I can’t talk about the client but, given that the project is functionally equivalent to “The Currency”, Damien Hirst’s recent art “happening”, let’s pretend for the sake of making this blog more entertaining that my client is him.  

For phase 1 of “The Currency” Hirst minted 10,000 NFTs on an NFT minting platform. Each NFT was a record of ownership of one of 10,000 spot paintings that Hirst specially created for the purpose, written into the supposedly immutable ledger of a blockchain. He then, in phase 2 of the project, sold the NFTs for £2,000 each or its cryptocurrency equivalent (he is nothing if not entrepreneurial). In phase 3 all the buyers of the art were given the opportunity to swap their NFTs for the corresponding physical artwork, triggering the expiration of the NFT. In phase 4, Hirst burned all the artworks belonging to those who preferred not to pick up the artwork and instead to keep the NFT, thus valuing the abstract art concept over the physical art artefact.   

What’s this got to do with #dataprivacy? Well, the question I was asked was: If someone buys the NFT using crypto from their digital wallet and doesn’t swap it for one of the paintings before they get committed to the flames, are they exchanging any personally identifiable data with Damien Hirst’s team? After all, the NFT representing the painting and the purchase transaction are recorded on the blockchain along with the address of their digital wallet, but there’s no information explicitly linking that digital wallet to the individual. If they store their wallet on a USB stick and lose it in a council landfill, they’ve no way of proving ownership of the NFTs or cryptocurrency contained within. Does this mean that, for this part of the art process at least,  Mr. Hirst does not need the services of a data protection specialist at all?   

Not so fast, I said, pulling from one side of my data protection utility belt a study into blockchain and the GDPR commissioned by the European Parliament back in 2019 and, from the other, a report from the EU Blockchain Observatory and Forum, done the previous year. “Where certain data that is used serves precisely to identify an individual,” it says, “it cannot be concluded that such data is not personal data […] where the public key serves precisely to identify a natural person, the conclusion that it qualifies personal data appears unavoidable.”   

According to the reports public keys like the address of a digital wallet or the record of a purchase of an NFT are what Recital 30 of the GDPR calls an “identifier”, and therefore a piece of personal data. As a public key can’t be matched with a natural person (i.e., its holder) on its own, but requires other information in order to do that, it is a pseudonymous identifier. But it’s still an identifier.   

This remains true even if the key is encrypted, since “the holder of the key can still re-identify each data subject through decryption given that the personal data is still present in the dataset that has been encrypted.” (Public keys that only identify institutional transactions and the institutions that conduct them do not count as personal data, but those keys are not the ones we’re talking about here).  

So, it does seem that, unless he changes his NFT platform to one that incorporates Zero Knowledge Proofs (which do cross the EU’s threshold for anonymity) and forbids all the purchasers to choose between their painting over the NFT in case they identify themselves by turning up at the gallery to save their art piece from the flames, that Mr. Hirst will have to do a privacy assessment for “The Currency” after all.   

Which also means he’ll have to worry about international transfers (due to the global nature of the blockchain network), and indefinite retention (because of the blockchain’s immutable nature). Not very art, neither is enforcement action from the ICO. Perhaps it’s time our artist had his people speak to my people here at Securys, became our client for real, and got himself someone to help him put out all those fires.