The European Union privacy law on the “right to be forgotten” is on a collision course with the blockchain, whose distinguishing feature is that it “never forgets” the large amount of information it collects.
The technology is becoming an integral part of a growing number of businesses, and companies across the European economic bloc want privacy regulators to clarify how blockchain and the EU’s General Data Protection Regulation can coexist.
“There is a strong tension between blockchain and GDPR,” said Jörg Hladjk, a partner at Jones Day in Brussels. “There is a general belief that blockchain technology uses anonymous data, but that’s not quite the case.”
The stakes are growing. The global blockchain market is expected to explode within this decade, from around $6 billion last year to $160 billion by 2029.
Blockchain’s distributed ledgers, which contain data that cannot be deleted or changed, are rapidly evolving beyond cryptocurrency transactions to facilitate efficient supply chain management, product traceability, proof of identity and countless other business functions.
“This is a whole new area for regulators that raises a lot of issues,” said Hladjk.
Privacy regulators in Europe are confronted with questions of who controls blockchain data and who is responsible if something goes wrong, as well as “how to exercise rights [and] legal basis for processing,” said Hladjk. “It is often overlooked, whether a data protection impact assessment is needed and at what level of detail.”
“Most of the time the data will rather be pseudonymous data and therefore personal data, which triggers the application of the GDPR,” he said.
United States, guide of the United States
The European Data Protection Board, an independent EU body in charge of facilitating the GDPR, is working on a blockchain guide, but “we cannot say when the guidelines will be ready for publication, nor can we comment on the possible content,” reads a statement sent by e-mail.
This leaves companies to navigate the rapidly changing technology as best they can.
“I have been asked so many times whether blockchain is legal or illegal,” said Marijn Storm, data protection associate with Morrison & Foerster LLP in Brussels. “It depends,” she said, on how the technology is used.
In the US, Congress this summer is considering comprehensive digital privacy legislation for the first time in years, encouraged in part by the EU but also by a handful of state laws that mimic the GDPR, which went into effect in 2018.
The US Federal Privacy and Data Protection Act (HR 8152), which has bipartisan support and is pending a vote in the House, would give all Americans the right to access, correct and delete their own data for the first time. The laws in California, Colorado, Connecticut, Virginia and Utah include a right to erasure, similar to the European right to erasure.
Especially in the EU, legal uncertainty may be “a reason not to use blockchain” and is leading companies to take a wait-and-see approach, Storm said.
Data security and privacy are the main concern for those who have just ventured into the blockchain, according to Deloitte’s Global Blockchain Survey 2021.
Public blockchains that anyone can access, such as Ethereum and Bitcoin, “do not simply fit the principle of minimality, nor can they always guarantee the data subject’s ability to modify or delete data,” said Liisi Jürgen, head of IT law at the NJORD law firm in Tallinn, Estonia.
For public blockchains, which are by definition open to anyone who can join, it can be impossible to identify a central data controller responsible for compliance, creating a headache for authorities who will want to know who is responsible if something goes wrong.
Despite the uncertainties, data protection authorities have been slow to intervene.
The French Commission Nationale de l’Informatique et des Libertés (CNIL) published a guide in 2018, finding that the retention of personal data on a blockchain should be limited to “commitments” or hashes, which connect to off-chain data. The CNIL also said that permissioned blockchains, that is, non-public blockchains created by a limited number of known users, were preferable to public blockchains.
“Reflection at the European level is essential” to issue a definitive guide on blockchain and GDPR, said the CNIL.
But four years later, this hasn’t happened yet.
“We are following the lead of the CNIL and I think everyone is following it,” said Niels Vandezande, consultant for Timelex digital technology lawyers in Brussels. “There are many projects underway; everyone wants to do everything on the blockchain right now.”
Blockchain and cryptocurrencies are moving so fast that “it’s very difficult for regulators to understand,” he said.
The Hungarian data protection authority was one step ahead of the CNIL, issuing a blockchain guide in 2017, albeit in connection with the Hungarian data protection law which was replaced in May 2018 by the GDPR.
Since 2017, the Hungarian authority has received “requests for general consultation from specific processors” in relation to the blockchain, but “has not received any specific complaints from data subjects regarding blockchain-based data processing,” said Gabriella Dél, international rapporteur of the Hungarian data protection authority.
The encrypted nature of the data on a blockchain, typically a hash that links to a wallet address, also makes it difficult in practical terms to actually access personal data.
Through the use of cryptographic technology, blockchain is a tool for governing data in a way that protects information and facilitates trust in record keeping, rather than exposing it or compromising its integrity, said Sujit Raman, general counsel at blockchain analytics firm TRM Labs.
‘Penetrating the Veil’
There are some areas that need further theorizing to integrate with privacy regulations, such as the blockchain’s rejection of centralized authorities that control data flows. The fixed nature of the blockchain could also pose a challenge in modifying or deleting personal data.
“There are ways to reconcile the concept of privacy with blockchain technology,” said Raman, who previously represented the US government in international data protection negotiations.
But under the European GDPR, even encrypted data that can only be linked to a digital wallet counts as personal data due to the possibility of identifying the holders of the wallet.
Chain analytics firms already profile cryptocurrency wallets based on public blockchain data, said Yannis Kalfoglou, author of “Blockchain for Business: A Practical Guide for the Next Frontier”.
The data “can be anonymized, it can be pseudonymized, it can be hashed, but that doesn’t mean it’s not recoverable,” he said. “You can always penetrate the veil.”
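The on-chain commitment and off-chain data split from the CNIL guide, and Kalfoglou's point that hashing alone does not stop recovery, can be seen side by side in the sketch below. It is an added example, not code from the article or from the CNIL; the HMAC-with-random-key construction, the `OffChainStore` class, the function names and the sample addresses are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

def plain_hash(identifier):
    # Unsalted SHA-256: deterministic, so anyone can recompute it from a guess.
    return hashlib.sha256(identifier.encode()).hexdigest()

def make_commitment(identifier):
    # Assumed construction: HMAC-SHA256 under a fresh random key held off-chain.
    key = secrets.token_bytes(32)
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest(), key

class OffChainStore:
    # Hypothetical erasable database holding personal data and commitment keys.
    def __init__(self):
        self._records = {}

    def put(self, commitment, identifier, key):
        self._records[commitment] = (identifier, key)

    def verify(self, commitment, claimed):
        record = self._records.get(commitment)
        if record is None:  # erased: the on-chain value can no longer be opened
            return False
        identifier, key = record
        expected = hmac.new(key, claimed.encode(), hashlib.sha256).hexdigest()
        return identifier == claimed and hmac.compare_digest(expected, commitment)

    def erase(self, commitment):
        self._records.pop(commitment, None)

def reidentifiable(on_chain_value, candidates):
    # Audit check: can a party holding only candidate identifiers match the entry?
    return any(hmac.compare_digest(plain_hash(c), on_chain_value) for c in candidates)

def demo():
    ledger, store = [], OffChainStore()       # list stands in for the append-only chain
    email = "alice@example.com"               # constructed sample identifier
    candidates = ["bob@example.com", email]   # constructed list of known addresses
    ledger.append(plain_hash(email))          # weak: bare hash on-chain
    tag, key = make_commitment(email)
    ledger.append(tag)                        # stronger: keyed commitment on-chain
    store.put(tag, email, key)
    before = store.verify(tag, email)
    store.erase(tag)                          # erasure request: drop data and key
    return {"plain_hash_linkable": reidentifiable(ledger[0], candidates),
            "commitment_linkable": reidentifiable(ledger[1], candidates),
            "verifies_before": before,
            "verifies_after": store.verify(tag, email),
            "ledger_entries": len(ledger)}
```

Calling `demo()` shows that both ledger entries survive the erasure, but only the bare hash can still be tied to the address by someone who holds a list of candidates.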
In contrast to the 2018 CNIL advice that permissioned blockchains are preferable, the future is public blockchains, said Mary Lacity, director of the Blockchain Center of Excellence at the University of Arkansas.
“The problem with private networks is that they are not scalable,” while “governance issues are challenging” in larger private blockchains with many participants, she said.
Public blockchains could facilitate decentralized identity, where individuals hold identity credentials in digital wallets and use them as the basis for a range of transactions, from purchasing a non-fungible token to registering a property purchase, accessing online government services or providing proof of adulthood to enter a bar.
For real estate registers, for example, “it would be perfect to have something immutable,” said Storm of Morrison & Foerster.
Decentralized identity could be of interest in Europe, as a digital alternative to identity cards issued by most EU states. Governments would grant credentials held in digital wallets.
“The basic concept is that I would check all of my identity data,” said Jeremy Grant, chief executive of technology business strategy at Venable LLP in Washington, DC. “I decide who can see it and when.”
The challenge, however, for decentralized identity would lie in implementation, as this type of identity architecture relies on people’s ability to navigate their own set of cryptographic keys, Grant said.
“The digital ID gives a lot of ownership to the citizen,” who should “actively manage” their credentials to make sure they don’t fall into the wrong hands, Kalfoglou said.