Blockchain and Data Protection Laws: Can they Co-Exist?

Blockchain is a buzzword in the technology community, promising to combine unforeseen computing power with the corresponding ability to confirm accuracy and legitimacy of transactions. The most common example of blockchain to the common user is cryptocurrency, the most popular of which is Bitcoin (or, at least, one of the most well-known). But, the use of blockchain goes beyond currency, and companies are exploring the use of blockchain in healthcare, finance, manufacturing, and many others.

However, a looming question remains unanswered: how does blockchain comply with data protection laws? With the increasing emphasis on data privacy, and the adoption of data protection regulations, blockchain faces hurdles in complying with these regulatory obligations while allowing for the continued evolution of technology. These challenges can be summarized succinctly as follows: blockchain data is public and unchanging, making core concepts of data confidentiality, limitation, and control inherently in conflict with this technology.  

A Very, Very Basic Overview of Blockchain

For the purposes of this blog post, there are some key components of blockchain to explain. (We intentionally are focusing on high-level, simplified ideas of blockchain.) Blockchain is a distributed ledger technology (“DLT”).  There are essentially four core aspects of DLT to understand in relation to our discussion in this blog post:

  1. Distributed: blockchain depends on many different nodes (i.e., computers) that store, share, and synchronize the blockchain information, distributing the computing and database beyond just a central processing point. Basically, the technology is spread out among many computing sources (potentially in multiple geographic regions) instead of remaining within one central database.
  2. Independent: blockchain relies on all of its users, and not just one, sole administrator, to support the database. Each user acts independently to “transact” within the blockchain environment; and then, all of the users, by virtue of their participation in the blockchain, confirm the validity of that transaction.
  3. Immutable: once information is placed on the blockchain, it can never be removed.  This is a core characteristic: a user can be confident that information it receives, or transactions it conducts, within the blockchain environment, are valid because they cannot be changed or removed.
  4. Secure: because the blockchain is distributed across a wide variety of users and computers, and it is immutable, there is an inherent security in the use and transaction of information within the blockchain environment. While not a function of blockchain, it is an added benefit that directly relates to data protection requirements of reasonable security. 

While there are many benefits to blockchain, and those benefits keep evolving as the technology itself evolves, these four aspects are key considerations when looking at the interplay of blockchain and existing data protection laws. 

Finally, when considering blockchain, it is important to recognize the distinction between: (1) public blockchains; (2) permissioned blockchains; and (3) private blockchains. Public blockchains, like Bitcoin, allow any user who has an account to participate in the blockchain environment. Contrast this with permissioned and private blockchains where there is some level of administrative control, and users are selected to participate in the blockchain.

Data Protection Considerations

What Role Are YOU Playing?

Under current data protection trends, there exist four main roles: (1) data controller; (2) data processor; (3) data subject; and (4) regulator. A data controller is often the entity directing the collection and use of personal data; whereas a data processor is processing at the direction of and on behalf of the data controller. The data subject is the end-user and/or individual whose data is being collected/processed. Finally, regulators oversee the entire data transaction process (and are themselves likely engaging in collection/processing as well).

So, how does this work in the blockchain context? 

First, who is the data controller? For permissioned and/or private blockchains, that is not a difficult question to answer. Likely, it is the entity permissioning and/or controlling the blockchain environment. For example, if a hospital sets up a private blockchain in order to store, process, and share health information, it is likely limiting access to that blockchain environment, directing information that can/should be placed on it, and generally operating as a data controller.

In the public blockchain context, this question is much trickier to answer. Is the data controller the individual who is placing the information on the blockchain? Perhaps, the controllers are all of the users who are, in essence, “processing” and validating that transaction? If no one person is “controlling” the users and transactions, how is the controller held accountable for the blockchain data? 

Second, are we all, as users, data processors? Does that mean that each of us needs to agree to data processing terms, notification obligations, privacy impact assessments, and a number of other obligations? If every user is part of the distributed processing of the blockchain, then all users must agree to take on the roles and responsibilities of a data processor. But, individuals may not understand those obligations, or even understand that they are taking those obligations on, by participating in the blockchain.

How do users assert their data rights?

Under many (if not most) data protection regulations, users are provided with varying rights regarding their personal data.  While these rights vary, they typically include the right to know what personal data an entity collected and processed, a right to delete certain of that personal data, the right to know who has access to that data, and the right to port that personal data to another company. 

Further, these rights are also tied to the concept of user consent. While there are reasons beyond consent that an entity can use to process data (e.g., Article 6 of the GDPR), consent is one that is highly relevant for many public blockchain environments. Basically, an entity must show that a user has provided informed, affirmative consent to the collection and processing of her data in certain circumstances.

So, how do data rights and consent work in the blockchain context?  

This is a huge unknown. Let’s take, for example, the right to delete data. A core aspect of blockchain is that it is immutable. And, what does immutable mean? That is right, you CANNOT DELETE IT. Alright, is there a way around this? Some would argue, well, we can just get the user to consent, ahead of time, and she will give up this right. From a technological standpoint, this may make sense, because individuals will have private keys, and using that key to put data on the ledger shows an affirmative act. But, do you think that it is possible, at this juncture, to demonstrate that a common user of blockchain can truly understand the nuances of what she is consenting to at the level to demonstrate “informed consent”? This remains unknown, but seems very unlikely.

This is just the tip of the iceberg when it comes to the interplay between data protection and blockchain. And, while there are still many unanswered questions, the regulators are starting to weigh in.

Regulatory Perspective

Regulators in Europe, Asia, and the US are committed to finding workable solutions to allow for the evolution of blockchain within those markets, creating sandbox regulations to allow for innovation without the fear of regulatory action. The European Union is actively researching this topic, and seeking solutions to create GDPR compliant blockchain environments. The European Blockchain Partnership, created in April 2018, is an agreement by all EU Member States and members of the European Economic Area to work together towards realising the potential of blockchain-based services for the benefit of citizens, society and the economy. 

Further, the European Parliament released a study, entitled “Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?” (available in English here). This study concluded that there are two “overarching factors” for the tensions between GDPR and blockchain:

  1. “First, the GDPR is based on the underlying assumption that in relation to each personal data point there is at least one natural or legal person – the data controller – whom data subjects can address to enforce their rights under EU data protection law. Blockchains, however, often seek to achieve decentralisation in replacing a unitary actor with many different players.”
  2. “Second, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements such as Articles 16 and 17 GDPR. Blockchains, however, render such modifications of data purposefully onerous in order to ensure data integrity and to increase trust in the network.”

Last year, the French Data Protection Authority, i.e., the Commission nationale de l’informatique et des libertés (“CNIL”), provided its report “Blockchain: Solutions for a responsible use of the blockchain in the context of personal data” (available in English here). The CNIL focused much of its analysis on the viability of permissioned and private blockchains, as they pose less of an issue than public blockchains. The CNIL seemed optimistic that the GDPR would not hinder the use of permissioned/private blockchains, stating: 

“innovation and the protection of individuals’ fundamental rights are not two conflicting goals. In fact, the GDPR does not aim at regulating technologies per se, but regulates how actors use these technologies in a context involving personal data.”

While the CNIL discusses some aspects of the interplay between the GDPR and blockchain, it falls short of providing actionable solutions. Further, the CNIL left open the question of how GDPR and public blockchains can co-exist.

In Japan, regulators are providing “sandbox” opportunities to businesses to innovate without fear of violating data protection obligations. The Japanese Ministry of Economy, Trade, and Industry (“METI”) passed the Act on Special Measures for Productivity Improvement Enforced (available here in English) in 2018, which expressly designated this “regulatory sandbox” for information technologies, such as IoT, big data, and artificial intelligence. A regulatory sandbox is, broadly speaking, a framework within which innovators can test business ideas and products on a “live” market, under the relevant regulator’s supervision, without fear of enforcement actions in case it is determined that their business model does not comply with existing regulations.

This approach can allow blockchain innovations to move forward, and experiment within the context of data protection regulations, to find that balance between protecting personal data and harnessing the value of blockchain technology.

Finally, the United States remains relatively silent on the interplay between blockchain and data protection. One major reason for this silence is that, as it currently stands, the US does not have a national data protection framework/regulation. Instead, data protection is generally siloed at the federal level into specific areas (i.e., healthcare data, financial data, children’s data), and each state is approaching data protection from different perspectives.

However, the National Institute of Standards and Technology (“NIST”) did provide a Blockchain Overview in 2018 (NISTIR 8202), which states:

“The use of blockchain technology does not exclude a system from following any applicable laws and regulations. For example, there are many compliance considerations with regards to legislation and policies tied to PII or GDPR that identify that certain information should not be placed on the blockchain.”

In essence, NIST appears to encourage that personal information not be placed on blockchains, a solution that does not appear to provide much value as blockchain innovations and uses continue to grow throughout many industries.

As the conversation heats up in 2020 around federal privacy legislation, blockchain and other emerging technologies are sure to play a role in how that legislation takes shape. 

Conclusion

Blockchain developers need to take into account core privacy principles, and the practical implications of various data protection regulations on the development and use of blockchain technology. While the concept of privacy within blockchain needs to be re-imagined to allow the power of blockchain to be harnessed without the violation of an individual’s privacy, data protection still needs to play a role within this very impactful technology. Even though blockchain is currently a hot topic, in many ways the technology is still in its infancy. Technology, security, and innovation can coexist; but, stakeholders from technology and legal need to come together to develop answers to these difficult questions. 

To learn more about this topic, please contact Jordan Fischer, who will be guest lecturing on blockchain and data protection in Helsinki, Finland at the University of Aalto in January.
