The very nature of Distributed Ledger Technology (DLT) raises some interesting issues around privacy laws and their application to DLT. It is important for industry participants to understand this important area of law and its application to their business.
Blockchain is a technology that enables the secure validation, recording, and sharing of data. The data is stored in a distributed database, meaning there is not one centralised database controlled by a single person, but rather multiple copies of the database which are continuously updated in real time across the network of participants. Not only does this eliminate one single point of failure risk, but it also makes tampering with the data a significantly more onerous task, as a person would need to tamper with all copies of the data near simultaneously.
Blockchain utilises cryptographic methods to protect the data from unauthorised access. Crytopgraphy is a type of data security measure which converts any type of data into a new format that can be read only by users who are permitted to access it, therefore the data cannot be accessed by users with no authorisation. Cryptography involves several steps to securely alter the format of the data. This is achieved through the following steps: firstly, converting the data into a coded form, which is referred to as a hash, that bears no resemblance to the original data; secondly, designing the hash such that it cannot be reverse-engineered, meaning it can only be decoded by guessing the underlying original data; and thirdly, storing the hashes in a manner which enables a user to easily confirm whether any of the original underlying data or hashes have been tampered with. This enables a user to trust the integrity of the data once stored, without necessarily having to trust its counterparts.
Blockchain technology utilises cryptography for wallets, transactions, security, and privacy-preserving protocols.
How does this structure tie into compliance with privacy law?
One of the key features of blockchain is its purported immutability, meaning that data stored in a blockchain-based database cannot be subsequently altered. The immutability of blockchain is often held out as incompatible with data privacy laws, such as the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), that empower data subjects to have control over their personal data, including how it is collected and stored, and dictates that persons collecting and storing such data must agree to hand over, correct, and delete that data on request. In addition to the data subject rights, the GDPR also contains a principle on data minimisation, whereby organisations should only process personal data that is relevant and necessary for the defined purpose, and the principle of storage limitation, whereby organisations should only keep personal data for as long as necessary for the purposes for which it was collected.
On the face of it these obligations are in conflict with the inherent “immutable” feature of the blockchain. However, understanding whether a particular network is compatible with the obligations under respective data protection frameworks requires a case-by-case analysis. And, it is possible that technological mechanisms can be built into the blockchain network and relevant consensus protocol to facilitate regulatory compliance. In practice, many of the privacy “challenges” which are raised under the GDPR can in fact be addressed through transparency, such as clearly communicating with participants how the blockchain works and uses personal data and also how the exercise of an individual’s rights will be treated given the nature of the technology. This requires that companies utilising blockchain technologies thoroughly understand the nature of data processing activities.
Key to understanding the obligations of a party is to accurately designate the respective roles (i.e. controller or processor) under the data protection framework. Often in these complex relationships
between stakeholders, it is not black or white as to which party is acting as a controller or a processor. Indeed, in some scenarios, a party may take multiple roles depending on the processing activity. Nevertheless, being clear about the roles of a party in respect of processing is central to assessing both risk and the applicable obligations under the GDPR. For example, controllers have to comply with the transparency principle, part of which requires that they provide individuals with a fair processing notice stating (amongst other things) the ways in which their data is used, who else may have access to it, how long it is kept for, and so on. However, it may be that a party that it quite far removed from the end-user is acting as a controller, and it would be impracticable for that party to provide the individual with a notice.
The solution, more often than not, is to contractually delegate the responsibility to notify the end-user to the party with the direct relationship. We now see many businesses providing template wording for counter-parties to include in their privacy notices to address this issue.
Separately taking a more principles based assessment of GDPR obligations, it seems that blockchain technologies have many shared objectives with the GDPR. For example, the GDPR recognises “pseudonymisation” (i.e. ‘the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.’) as a security measure and risk mitigation technique. It follows that there is a good argument that blockchain use of cryptography is a ‘Privacy by Design and Privacy by Default’ technology and offers increased security of data.
The GDPR introduces a number of enhanced rights for individuals in respect of their personal data, such as the right to be forgotten, the right to data portability, the right to not be subject to automated decision-making, and the right to object. Organisations should consider, at the outset, how a data subject request will be handled and implemented, as well as, how to ensure that the network of stakeholders, which may be in receipt of the data, are also notified, and assist with such requests.
What are enforcement penalties for breach?
Under the GDPR, businesses may also be exposed to significant fines for non-compliance or other sanctions from regulators (such as undertakings to remediate areas of non-compliance or orders to cease non-compliant processing). Fines associated with infringements by an organisation of its obligations to comply with a data subject request to exercise his or her rights, may result in the higher tier of fine available under the GDPR of up to 4% of global turnover, or €20 million. Importantly non-compliance may also result in lack of consumer trust and reputational damage, either of which is likely to materially impact the adoption of blockchain technologies and potential innovation. Accordingly, it is vital for businesses to give serious consideration to compliance and take proper legal advice to avoid being penalised.
Given the unique nature of blockchain technologies, how can one manage the coexistence of blockchain and GDPR?
In parallel with the plethora of digital technologies, the GDPR came into effect in May 2018 and introduced the highest standard for data protection laws globally, as well as new rights for individuals that are aimed at enabling greater control in respect of their data. It follows as no surprise that data protection regulators acknowledge the tension between technology innovation and regulatory compliance, often emphasising that data protection should be seen as an opportunity, rather than a barrier to innovation. With proper upfront legal advice and planning the challenges faced by businesses that use DLT can be managed.
The UK ‘s Information Commissioner’s Office (‘ICO’) has published its Technology Strategy 2018- 2021, in which it states: “The most significant data protection risks to individuals are now driven by the use of new technologies… and the ICO ‘s approach to technology will be underpinned by the concept that privacy and innovation are not mutually exclusive”. When they both work together this creates true trust and data confidence. Technology is therefore viewed by the ICO as a risk and an opportunity. That is a fair and balanced approach. Yes it does require some resource to manage compliance with data and privacy laws when utilising blockchain technologies, it is however conducive to a sustainable ecosystem where users are afforded some protection which will in the medium to long term lead to a sustainable use and growth of this wonderful technology.
By Abradat Kamalpour, Partner Ashurst LLP and Architect of FinTech Legal Labs (www.fintechlegallabs.com), Gita Shivarattan, Counsel Ashurst LLP and Ida Mokhtassi, Associate Ashurst LLP.