Strict new laws have come into effect for organisations dealing with personal data. What does that mean for businesses that store information on transparent, open and permanent ledgers?
News of Cambridge Analytica’s misappropriation of data from some 87 million Facebook users has brought the issue of data protection squarely back into the spotlight. For years, consumers have effectively traded personal data for online services: data is considered the ‘oil’ of the internet, and the users of social networks, e-commerce platforms and almost every other free service have upheld this tacit bargain.
In the last few weeks, we have seen where this leads — where, in fact, it was always and inevitably going to lead. It has become abundantly clear what the price of our personal data might be: freedom and democracy itself. Real life, it turns out, may not be so very far away from the kind of technological dystopia portrayed in the cult Netflix show Black Mirror. The maxim that knowledge is power has proven true, if the narrative is correct that Cambridge Analytica was able to use the insights gained from its massive data mining exercise to laser-target a handful of undecided voters with highly tailored propaganda that would swing the election for Donald Trump.
Regulation always lags technology, so the new EU General Data Protection Regulation (GDPR) — billed as the most important change in data privacy regulation in 20 years — comes just too late to prevent the scandal that has engulfed Facebook. It is, however, extremely timely. It was four years in the making, and its enforcement date is looming fast. Businesses must be compliant by 25 May 2018.
‘The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.’
Key changes in the law for businesses dealing with personal data include:
- The obligation to notify those affected promptly in the case of a data breach
- The right for ‘data subjects’ to know what personal data is stored and how it is being used
- The right to be forgotten for data subjects — to have their personal information erased
- The right for a data subject to access personal data and provide it to another controller (data portability)
- Privacy by design is now a requirement for data controllers
- Data Protection Officers must be appointed and keep appropriate records.
This will have an impact far beyond Europe, since so many businesses deal with European customers and have infrastructure in Europe. As Wired comments, ‘The law protects individuals in the 28 member countries of the European Union, even if the data is processed elsewhere. That means GDPR will apply to publishers like WIRED; banks; universities; much of the Fortune 500; the alphabet soup of ad-tech companies that track you across the web, devices, and apps; and Silicon Valley tech giants.’
But what does all this mean for businesses that use the blockchain — a public, immutable database — as part of their everyday activities?
Open blockchains and ‘public’ data storage
While application of these rules may be clear enough within a centralised system, managing them on the blockchain is entirely different. For starters, all information stored on the blockchain is available to every node in the network — effectively, anyone, anywhere who wants to view it. Responsibility for storing and managing information is distributed across many different jurisdictions, and different data protection laws may apply. Realistically, any business storing personal data on the blockchain should comply with the EU’s GDPR — because it is highly likely that at some point, data will be stored by nodes located within the EU and/or come from users located there.
Blockchains are pseudonymous by design: nodes are identified by an address which is simply a string of characters. No personal information (like an email address) is required to use the blockchain. Thus a degree of protection is built in. If a business like an e-commerce provider is dealing with customer information, transactions and interactions between accounts remain pseudonymous, and personal data can stay entirely within the business’s control (and arguably should).
One caveat here is that the GDPR still considers pseudonymised data to be personal data, and that may well include public keys on a blockchain. It is also a requirement that if a user can be identified by assembling and organising otherwise anonymised data, then further protections should be applied. This has key relevance, since an online purchase can be traced publicly to a blockchain address, which might then be linked to other public information available on the same platform. Pseudonymity is only as good as the weakest link in the chain.
In order to prevent this, any personal information stored on the blockchain may be protected by further encryption, and rendered inaccessible to anyone who does not have the right or need to access it. The company responsible for launching and maintaining a platform may wish to ensure that they cannot view that information, and that it is only granted to those with whom the customer chooses to have direct contact — for example, the seller on an online marketplace, or a third party involved in dispute resolution. Access to the relevant transactions can be given temporarily, via smart contract, until the necessary event has been undertaken.
Blockchain immutability and the right to be forgotten
Of particular relevance in the context of an open and immutable ledger is the requirement that users have the right to demand the erasure of their personal information from the Internet in the following cases:
- Where that personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to processing and there is no overriding legitimate interest for continuing processing.
- If the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- If the personal data has to be erased in order to comply with a legal obligation.
- If the personal data processed belongs to a child.
Blockchains are unalterable by design, and therefore data cannot be erased from them. Any organisation that openly stores customer data on the blockchain is liable to find itself in serious trouble. However, there is some discussion about what the right to erasure means in practice when applied to the blockchain. The Guide to blockchain and data protection (issued by Hogan Lovells in 2017) notes that ‘What constitutes “erasure” is still open to debate. Some data protection authorities have found that irreversible encryption constitutes erasure. In a blockchain environment, erasure is technically impossible because the system is designed to prevent it. However, smart contracts will contain mechanisms governing access rights. Therefore the smart contract can be used to revoke all access rights, thereby making the content invisible to others, albeit not erased.’
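The approach discussed in the two sections above (encrypt personal data before it is written to the ledger, keep the key off-chain, and destroy the key when erasure is requested) is sketched below as an added example that is not part of the original article. The Ledger class, the key_store dictionary and the sample record are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD (e.g. AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC under separate keys derived from the per-subject key."""
    nonce = secrets.token_bytes(16)
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ek, mk = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered record
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class Ledger:
    """Append-only hash chain standing in for the blockchain (hypothetical model)."""
    def __init__(self):
        self.blocks = []  # tuples of (prev_hash, payload, block_hash)
    def append(self, payload):
        prev = self.blocks[-1][2] if self.blocks else b"\0" * 32
        self.blocks.append((prev, payload, hashlib.sha256(prev + payload).digest()))
        return len(self.blocks) - 1
    def verify(self):
        prev = b"\0" * 32
        for p, payload, h in self.blocks:
            if p != prev or hashlib.sha256(p + payload).digest() != h:
                return False
            prev = h
        return True

def erasure_demo():
    ledger, key_store = Ledger(), {}            # key_store is off-chain and mutable
    key_store["subject-1"] = secrets.token_bytes(32)
    record = b"name=Alice Example;order=1001"   # constructed sample data
    idx = ledger.append(seal(key_store["subject-1"], record))
    ledger.append(b"unrelated later transaction")
    before = unseal(key_store["subject-1"], ledger.blocks[idx][1])
    del key_store["subject-1"]                  # erasure request: destroy the only key
    after = unseal(secrets.token_bytes(32), ledger.blocks[idx][1])  # any other key fails
    return before == record, after, ledger.verify(), len(ledger.blocks)
```

The ciphertext stays on every node and the chain still verifies, so this only works if no copy of the key survives in backups or logs. Whether key destruction amounts to erasure is the point the guide quoted above describes as still open to debate.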
The GDPR has already had far-reaching impacts on the activity of global web corporations, and once the new laws come into effect next month we can expect to see a flurry of effort by all kinds of businesses as enforcement begins in earnest.
Like other companies, blockchain businesses will need to adapt quickly, but they face both unique opportunities and unique challenges under the new laws. These include:
- The pseudonymous nature of the blockchain.
- The wide range of functionality at their disposal provided by strong encryption and smart contracts, potentially offering an unprecedented degree of control to users.
- Conversely, the open nature of the blockchain means particular care must be taken.
- The immutability of the blockchain means that the worst mistakes cannot easily be corrected.
At present, there remains some uncertainty about the impact of the GDPR on blockchain initiatives. Expect to see both further clarification and unwelcome test cases in the near future.