When blockchain meets data privacy and security
How the paradigm is shifting as regulations and the technology evolve
Blockchain technology and its derivative uses, such as bitcoin and smart contracts, have made attention-grabbing headlines over the past couple of years.
Securities regulators and tax authorities have struggled to articulate how cryptocurrency transactions ought to be characterized and treated within existing frameworks. The same paradigm-breaking reckoning with blockchain may soon come to the world of data privacy and information security as both privacy regulations and blockchain technology continue to evolve.
What exactly is blockchain technology?
In the simplest terms, a blockchain network is a distributed ledger (i.e., a decentralized database) with lots of bells and whistles. Being distributed and decentralized means that data does not live in one single place and there is no single owner or administrator. Instead, data is replicated and synchronized at multiple locations across the network.
Instead of an automated clearing house for electronic transfers, there is bitcoin, where a transaction is validated by checking its parameters against records dispersed across the bitcoin network. Instead of an escrow agent, there are smart contracts, through which transactions can be automatically executed upon the occurrence of certain conditions.
One important feature of the technology is that records effectively cannot be modified.
These features make blockchain technology a great choice for data security. It can improve the confidentiality of data and transactions, because encryption is central to the blockchain.
A smart contract or other blockchain-based application could, for example, allow the conditions and parameters of a transaction to be verified and executed without revealing the underlying substantive data. Blockchain can also improve data integrity because records are immutable and cannot be modified once they are on the blockchain — not even by the original creator of the record. Finally, because records are distributed and decentralized, there is no single point of failure.
But the design features of a blockchain network that make it such a useful tool for data security actually make it problematic for privacy. This becomes evident after considering how any blockchain application can comply with the requirements of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
The GDPR, which became effective on May 25, and the CCPA, which does not become effective until Jan. 1, 2020, guarantee that individuals retain a certain amount of control over their personal data and personal information, but blockchain applications are intended to prevent individuals from changing the information contained within their digital ledgers.
For example, Article 16 of the GDPR grants each identified or identifiable natural person (a "data subject") the right to obtain the rectification of his or her personal data retained by a controller, meaning a person or entity that makes decisions about processing a data subject's personal data. However, in a decentralized blockchain network there is not necessarily a clearly identified controller for a data subject to contact to enforce this right.
Article 17 grants data subjects the right to be forgotten, or, in other words, the right to require that a controller delete all of their personal data. In the blockchain context, that is not necessarily possible when no block in the chain can be deleted. Also, Article 18 grants data subjects the right to place restrictions on the processing of their personal data, but that could limit the functionality of the entire blockchain.
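The conflict between rectification or erasure and an append-only ledger can be shown with a short added example, which is not part of the original article. It assumes a simplified ledger in which each block stores the SHA-256 hash of its predecessor; the function names, the record format and the sample records are constructed for illustration and do not describe any particular blockchain product.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed predecessor value for the first block

def block_hash(index, prev, record):
    """SHA-256 over the block's position, its predecessor's hash and its record."""
    body = json.dumps([index, prev, record])
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS
    for index, record in enumerate(records):
        digest = block_hash(index, prev, record)
        chain.append({"index": index, "prev": prev, "record": record, "hash": digest})
        prev = digest
    return chain

def first_invalid_block(chain):
    """Position of the first block a verifying node would reject, or None."""
    prev = GENESIS
    for pos, block in enumerate(chain):
        expected = block_hash(pos, prev, block["record"])
        if block["index"] != pos or block["prev"] != prev or block["hash"] != expected:
            return pos
        prev = block["hash"]
    return None

def rectify(chain, pos, record, rehash=False):
    """Article 16 style correction of one record, made on a copy of the ledger."""
    edited = copy.deepcopy(chain)
    edited[pos]["record"] = record
    if rehash:  # the editor also recomputes the edited block's own hash
        edited[pos]["hash"] = block_hash(pos, edited[pos]["prev"], record)
    return edited

def erase(chain, pos):  # Article 17 style deletion of one block, on a copy
    return chain[:pos] + chain[pos + 1:]

# Constructed sample records; the second one contains the typo to be rectified.
LEDGER = build_chain(["alice <alice@example.org>", "bob <bob@exmaple.org>", "carol <carol@example.org>"])
FIXED = "bob <bob@example.org>"

if __name__ == "__main__":
    for name, chain in [("intact", LEDGER), ("rectified", rectify(LEDGER, 1, FIXED)),
                        ("rectified, rehashed", rectify(LEDGER, 1, FIXED, rehash=True)),
                        ("erased", erase(LEDGER, 1))]:
        print(name, "-> first rejected block:", first_invalid_block(chain))
```

Correcting one record and recomputing that block's hash only moves the failure to the next block, so an honest correction requires every later block to be rewritten on every copy of the ledger.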
The CCPA could pose similar problems. Under the law, a consumer has the right to instruct a business not to sell personal information to a third party, meaning that a business that tries to sell a blockchain network will have a harder time removing individual blocks from each chain.
The difficulties posed by the GDPR and CCPA are not necessarily insurmountable, and, in fact, some of the limitations in the laws may create useful exceptions for blockchain applications. But if you use or are considering the use of blockchain technology, you should be aware of the requirements that new and pending privacy laws place on it.
Bill Cheng and John Frank Weaver are attorneys in the Privacy and Data Security Practice Group at McLane Middleton, P.A. Weaver can be reached at firstname.lastname@example.org. This article was previously published in NH Bar News.