20 Aug
Blockchain and privacy
With the General Data Protection Regulation (“GDPR”) having come into force back in May, the regulation of data protection and privacy is becoming increasingly stringent for businesses, and particularly so for technology companies collecting vast amounts of information from their users. Requirements of this kind have applied to technology companies for a number of years already, and the international media has shone a light on the potential consequences of failing to meet them.
For businesses using blockchain to provide a service to consumers (most commonly through an app), the ledger on which information is held records entries that cannot later be altered or removed.
A blockchain service provider or operator would almost certainly be considered a data controller under the GDPR. In Gibraltar this is reinforced by the anti-money laundering obligations imposed on such businesses following the amendments to the Proceeds of Crime Act, since the company will invariably retain information on customers as part of its due diligence process.
Where data is also held and transferred by all of the other participants on the blockchain network (i.e. the business’ customers), the business may additionally be considered a data processor or a data controller in respect of that data, depending on the precise set-up of the relevant blockchain. Blockchain businesses should ensure that any contracts between them and their user base include appropriate provisions relating to privacy and security.
The GDPR precludes the transfer of data outside the EU without adequate protection. Unless the non-EU country has been deemed to have an ‘adequate’ data protection regime in place, an arrangement (such as the EU-US Privacy Shield) or more bespoke contractual protections based on the EU’s Model Clauses will need to be put in place.
So how does blockchain fit in with one of the data protection principles giving businesses the most food for thought?
It may prove difficult to reconcile the principles of data minimisation and storage limitation, which require a business (i) not to hold more information than is necessary and (ii) not to keep it for longer than it is required, with a system that is designed to store data in perpetuity. The permanence of entries on the blockchain is one of its key features and one of the facets that has proved most attractive to consumers: it is one of the pillars on which the trust that blockchain prides itself on is built.
Right to be forgotten
Linked to the previous point, another challenging scenario could be where a data subject requests that their data be removed — the aptly named “right to be forgotten”. Since one of the fundamental aspects of blockchain is the immutability of the entries on its ledger (that is to say, once the entry is locked in on the blockchain it is permanently recorded and cannot be deleted or altered), this might prove a technical and regulatory challenge.
Another pillar, one which has proved attractive for very different reasons in the past, is the apparent anonymity of such entries. The entry for a transaction will simply carry the public key (or an address derived from it by hashing) that represents a particular user. That key is not encrypted; it is a pseudonym, so nobody viewing the blockchain can directly identify the individual or corporate entity that was party to the transaction from the entry alone. It is pseudonymous rather than anonymous, however: once a key is linked to a person, for instance through the customer due diligence records an operator is obliged to keep, every transaction under that key becomes attributable to them, and pseudonymised data that can be attributed in this way remains personal data under the GDPR. The transaction is also permanently timestamped and stored, so nobody can alter the ledger, and the information cannot be deleted.
However, there are two important points to consider in this respect. The first is that the right to be forgotten is not an absolute right, and the second is that the smart contracts used will often contain mechanisms which can revoke all access rights, thereby making the content invisible to others, albeit not erased. Some data protection authorities have taken the view that rendering data permanently unreadable, by storing it encrypted and then destroying the key, can constitute erasure, and given the technology’s make-up this would be a sensible way forward (at least in the context of blockchain).
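The following is an added example, not code from the original article or from any particular blockchain product, showing the pattern described above in working form: personal data is written to an append-only ledger only in encrypted form, the per-subject key is kept off-chain, and an erasure request is honoured by destroying the key. The ledger, the hypothetical customer record and the cipher are all constructed for illustration; the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the example runs with the standard library alone, and a real deployment would use an authenticated cipher such as AES-GCM and a managed key store instead. Whether key destruction satisfies Article 17 in a given case remains a question for the regulator, as the text above notes.

```python
"""Crypto-shredding on an append-only ledger (illustrative, stdlib only)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream. Illustrative only:
    # production code should use AES-GCM (e.g. from the 'cryptography' package).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; wrong key -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Block:
    prev_hash: str
    payload: bytes

    @property
    def hash(self) -> str:
        return hashlib.sha256(self.prev_hash.encode() + self.payload).hexdigest()


class Ledger:
    """Toy append-only hash chain; there is deliberately no delete or update."""

    def __init__(self) -> None:
        self.blocks = [Block("0" * 64, b"genesis")]

    def append(self, payload: bytes) -> int:
        self.blocks.append(Block(self.blocks[-1].hash, payload))
        return len(self.blocks) - 1

    def verify(self) -> bool:
        return all(b.prev_hash == p.hash for p, b in zip(self.blocks, self.blocks[1:]))


class SubjectRecords:
    """Per-data-subject keys live off-chain; only ciphertext ever goes on-chain."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.keys: dict[str, bytes] = {}
        self.index: dict[str, list[int]] = {}

    def record(self, subject_id: str, personal_data: bytes) -> int:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        idx = self.ledger.append(encrypt(key, personal_data))
        self.index.setdefault(subject_id, []).append(idx)
        return idx

    def read(self, subject_id: str) -> list[bytes]:
        key = self.keys[subject_id]  # KeyError once the subject has been forgotten
        return [decrypt(key, self.ledger.blocks[i].payload) for i in self.index[subject_id]]

    def forget(self, subject_id: str) -> None:
        # Erasure request: destroy the key. The ciphertext stays on the ledger
        # and the chain still verifies, but nothing can decrypt it any more.
        del self.keys[subject_id]

    def is_readable(self, subject_id: str) -> bool:
        return subject_id in self.keys


def demo() -> dict:
    """Record one constructed customer entry, then honour an erasure request."""
    ledger = Ledger()
    store = SubjectRecords(ledger)
    idx = store.record("customer-42", b"Alice Example, passport X1234567")  # constructed sample
    before = store.read("customer-42")
    store.forget("customer-42")
    return {
        "before": before,
        "readable_after": store.is_readable("customer-42"),
        "ciphertext_still_on_chain": len(ledger.blocks[idx].payload) > 0,
        "chain_intact": ledger.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

The point the run makes is the one the text leaves implicit: after `forget()` the block is still there and the chain still validates, so the ledger's integrity guarantee is untouched, yet the operator can no longer produce the personal data. Keys must therefore be held per data subject rather than per ledger, and the off-chain key store is the component whose backups and access logs an auditor will want to see.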
Text by: Chris Davis