TL;DR
- The authors consider how blockchain technology conflicts with some of the provisions of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
- To mitigate compliance risks, enthusiasts should consider using private or consortium blockchains.
- Users should avoid or limit personal data stored in blockchain.
Core Research Question
What challenges for blockchain technology users are posed by complying with the GDPR and CCPA?
Citation
P. Shah, D. Forester, C. Raspe, and H. Mueller, "Blockchain technology: Data Privacy issues and potential …," Practical Law. [Online]. Available: https://www.davispolk.com/sites/default/files/blockchain_technology_data_privacy_issues_and_potential_mitigation_strategies_w-021-8235.pdf
Background
- The GDPR and CCPA govern the processing of personal data in the EU and the state of California, United States respectively. These regulations set out certain principles guiding the processing of personal data. Particularly important is the penalty and reputational damage that comes with the breach of the regulations.
- The nature of blockchain technology makes it difficult for users to comply with GDPR in terms of material and territorial scope, meeting requirements of legal bases such as the fulfillment of the contract in Article 6(1b) or balancing the legitimate interest in Article 6(1f), complying with rights of data subjects such as the right to rectification, erasure, access, portability, object to processing, including automated decision making.
- This notion of centralized entities that control both the data they collect and their service provider relationships contrasts with blockchain technology's distributed peer-to-peer network architecture.
Summary
- Blockchains "see" the information they process as anonymous because they use public-private key encryption that does not typically tie owner data or other personal information to an on-chain address.
- However, this is regarded as pseudonymization under article 4(5) GDPR because a blockchain method exists for linking individuals back to public keys by analyzing blockchain transactions and other publicly available data. Thus, pseudonymized data is still regarded as personal data that falls within the scope of the regulations.
- GDPR and CCPA foresee a centralized system that entrusts data controllers and processors with obligations and responsibilities with regard to personal data. However, the distributed nature of blockchain makes it difficult to determine who a controller or processor is.
- The territorial application of data is important for determining jurisdiction. However, a blockchain is decentralized and distributed, making it difficult to determine jurisdiction for the application of regulations.
- It is the position of GDPR that where personal data is to be transferred to another country, adequate protection must be ensured or the controller must implement additional safeguards. However, this safeguard will be difficult to implement in a public blockchain.
- Blockchain technology does not support consent as a legal basis for processing personal data since the withdrawal of consent will make later processing unlawful.
- The immutable nature of blockchain does not support the right to deletion and achieving strict technical deletion in blockchain will amount to a hard fork.
- The potential mitigation is to evaluate whether blockchain technology is a good fit for current business and processing objectives, prefer private or permissioned blockchains to enforce stricter usage rules, and to adopt alternative data encryption and destruction approaches.
Method
Qualitative research methods were used, drawing sources from regulations, guidelines, and other researched works to arrive at the conclusion.
Results
The research found that blockchain technology, especially public blockchains, does not comply with data protection regulations. However, as an alternative the research recommended that users should:
- evaluate whether blockchain technology is a good fit for current business and processing objectives,
- evaluate whether they prefer private or permissioned blockchains to enforce stricter usage rules,
- adopt alternative data encryption and destruction approaches.
Discussion and Key Takeaways
Characteristics of Blockchain
- Blockchain technology gained prominence during 2017's cryptocurrency boom, and has been used in many sectors such as smart contract development, supply chains, supply chain management, asset registers, fintech, real estate, health care and retail. The elements that distinguish it from other technology are:
- distributed ledger technology
- consensus mechanisms
- selection of public versus private participation
- transaction immutability.
Trends in Data Privacy Law
- GDPR and the CCPA pose a challenge to decentralized technologies like blockchain because they envision a data controller (an entity that determines the means and purpose of processing personal data) and a data processor (an entity that processes data on behalf of data controllers).
- The nature of blockchain technology makes it difficult for users to comply with GDPR in terms of material and territorial scope, meeting requirements of legal bases such as the fulfillment of a contract or balancing legitimate interest, complying with rights of data subjects such as the right to rectification, access, portability, object to processing, including automated decision making.
- This notion of centralized entities that control both the data they collect and their service provider relationships contrasts with blockchain technology's distributed peer-to-peer network architecture.
Tension Between Blockchain Technology and Common Data Privacy Requirements
Anonymity, Pseudonymity and Privacy Law Applicability
- There is a sort of tension between blockchains and data protection on what amounts to personal data. GDPR and CCPA define personal data widely to include any information that directly or indirectly identifies a natural person.
- Blockchains see information they process as anonymous because they use public-private key encryption that does not typically record public key owner data or other personal information. This contrasts with the definition of personal data, which includes pseudonymised information insofar as a method or link exists for re-identification. In blockchain technology, a method exists for linking individuals to public keys by analyzing blockchain transactions and other publicly available data.
- Some businesses offer services to identify individuals using their public keys, blockchain transactions and other available data. The public-private key encryption in the blockchain is a pseudonymization technique that lowers risk but does not remove regulatory obligations.
Data Controller and Data Processor Identification
- The concepts of data controller and data processor are key to GDPR and CCPA. However, the distributed nature of blockchain technology makes it hard to determine who the data controller or processor is.
- In a private or consortium blockchain, it may be easier to determine who they are because of their seemingly centralized nature. The central operator or consortium may likely qualify as a controller or joint controller if they have control over the blockchain system and determine the purpose and means for any personal data processing. Other actors like nodes or miners can take the processor role.
- This may be difficult in a public blockchain because it lacks a central operator. Each node operates independently, at least during the block verification process, which might prompt a conclusion that each node is a joint controller, although authorities and commentators are reluctant to support this conclusion for all nodes.
- The Commission Nationale de l'Informatique et des Libertés (CNIL), a French data protection authority, attempted to provide guidelines for determining these concepts. The guidelines classified participants as controllers while accessors and miners are not because they do not determine transactions. The guidelines also noted that participants entering personal data on a blockchain for strictly personal purposes are not controllers under the GDPR household exception.
- Third parties who act on behalf of participants may become processors and should enter into data processing agreements with the participants.
- Miners who are not involved in the object of transactions are not controllers in CNIL's view but may be processors if they follow the controller's instructions. This tends to suggest that in certain circumstances miners may not be a data controller or a data processor. The guidance is not clear enough.
Territorial Considerations
- An individual's location and the location where their personal data is processed are important for GDPR and CCPA compliance and enforcement. However, for a decentralized technology like blockchain it is difficult to ascertain the jurisdiction and therefore which jurisdiction's laws apply.
- Private blockchains more often set restrictions in their governance models and agreements to limit the regulatory scope.
Cross-border data Transfer
- The nature of blockchain poses a challenge to transborder data flows. GDPR and currently many data protection laws require that where data is to be transferred outside jurisdiction, the recipient country must ensure an adequate level of protection or the controller must implement additional safeguards such as standard contractual clauses, binding corporate rules, codes of conduct or certification mechanisms.
- However, these safeguards will be difficult to implement in a public blockchain with an undefined participant group.
Legitimate reasons for processing personal data
- Personal data can only be processed on a specific legal basis. Federal sector-specific laws in the US like the GLBA and HIPAA limit the use of certain personal data without an individual's consent with few exceptions such as uses for treatment, payment, and health care operations.
- For GDPR the lawful bases for processing must be one or more of these: consent, the performance of a contract, legal obligations, vital interests, public interest or official tasks and legitimate interests.
- While a blockchain may request consent from their users, compliance with requirements of consent may be difficult. This is because a given consent, among others, should be able to be withdrawn at any time but a blockchain ledger records data in such a way that it is hard to remove, thereby making later processing unlawful. Thus, organizations must carefully consider scenarios like consent withdrawal when determining what data they store in blockchain applications and how they record it.
Immutability and individuals' rights
- Data protection endows individuals with many rights, one of which is the right to delete data and effectively be forgotten. These rights conflict with blockchain technologyâs transaction immutability.
- Blockchains can address data updates by recording additional transactions. However, later transactions do not technically delete data previously stored on the blockchain.
- Strict technical erasure of blockchain data may be achieved albeit in an effort comparable to a hard fork. This will be very difficult to implement every time an individual seeks to exercise their rights.
- Erasure may be more feasible in private blockchain governance models with a central operator. But this will greatly impact the celebrated distributed nature of Blockchain.
Potential mitigation steps
- Organizations should follow several risk management strategies when considering whether to use blockchain technologies. They should:
- Evaluate whether blockchain technology is a good fit for current business and processing objectives.
- Evaluate whether they prefer private or permissioned blockchains to enforce stricter usage rules.
- Avoid and limit personal data stored on blockchain.
- Adopt alternative data encryption and destruction approaches.
- Blockchain companies may adopt certificate mechanisms and code of conduct.
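An added example, not taken from the paper or this summary, of one possible reading of "avoid and limit personal data stored on blockchain" combined with a destruction approach: the personal data stays off-chain, the ledger holds only a keyed commitment, and erasure destroys the key and the record. It also illustrates the re-identification point made under pseudonymity, since an unkeyed hash of an email address can be matched by guessing; `Ledger`, `OffChainStore` and all sample values are constructed for illustration, and whether key destruction satisfies an erasure request is an assumption the code does not settle.

```python
import hashlib
import hmac
import secrets

class Ledger:
    """Append-only list standing in for an immutable chain (toy model)."""
    def __init__(self):
        self._entries = []
    def append(self, value):
        self._entries.append(value)
        return len(self._entries) - 1
    def read(self, index):
        return self._entries[index]
    def __len__(self):
        return len(self._entries)

class OffChainStore:
    """Operator-controlled store holding the personal data and a per-subject key."""
    def __init__(self, ledger):
        self.ledger = ledger
        self._records = {}  # subject_id -> (key, data, ledger index)
    def register(self, subject_id, data):
        key = secrets.token_bytes(32)  # random key, never written on-chain
        tag = hmac.new(key, data, hashlib.sha256).hexdigest()
        index = self.ledger.append(tag)  # only the keyed commitment goes on-chain
        self._records[subject_id] = (key, data, index)
        return index
    def verify(self, subject_id):
        if subject_id not in self._records:
            return False
        key, data, index = self._records[subject_id]
        tag = hmac.new(key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, self.ledger.read(index))
    def erase(self, subject_id):
        # The ledger entry stays; without key and data it can no longer be matched.
        return self._records.pop(subject_id, None) is not None

def linkable_by_guessing(on_chain_value, candidates):
    """Return candidates whose plain SHA-256 equals an on-chain value."""
    return [c for c in candidates if hashlib.sha256(c).hexdigest() == on_chain_value]

def demo():
    ledger, email = Ledger(), b"alice@example.com"  # constructed sample data
    guesses = [b"bob@example.com", email]
    weak = ledger.append(hashlib.sha256(email).hexdigest())  # unkeyed hash on-chain
    store = OffChainStore(ledger)
    strong = store.register("subject-1", email)
    before = store.verify("subject-1")
    store.erase("subject-1")
    return (linkable_by_guessing(ledger.read(weak), guesses),
            linkable_by_guessing(ledger.read(strong), guesses),
            before, store.verify("subject-1"), len(ledger))
```

`demo()` returns the guesses that match each on-chain value, the verification result before and after erasure, and the ledger length, which is unchanged by erasure.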
Implications and Follow-ups
- The attendant consequence of GDPR is that every person adopting blockchain technologies must comply with its provision to avoid being penalized for a breach of data protection and the reputational damage that may come with it. Therefore, every organization deploying blockchain technology should consider data protection impact assessment to determine the risk of the technology to data subjects, and consider privacy by design as a default if necessary.
Applicability
- Based on the research, blockchain users should consider carrying out data protection impact assessment (DPIA) and privacy by design and privacy by default during the initial period of developing blockchain applications to ensure that the principles of GDPR and CCPA are complied with.