Blockchain technology and its derivative uses, such as Bitcoin and smart contracts, have made many attention-grabbing headlines over the past couple years. As the uses (both real and theoretical) and public awareness of blockchain continue to proliferate, we continue to encounter tension between this technology and existing paradigms. For example, securities regulators and tax authorities have struggled to articulate how cryptocurrency transactions ought to be characterized and treated within existing frameworks. The same paradigm-breaking reckoning with blockchain may soon come to the world of data privacy and information security as both privacy regulations and blockchain technology continue to evolve.
First, what exactly is blockchain technology? In the simplest terms, a blockchain network is a distributed ledger (i.e. decentralized database) with lots of bells and whistles. Being distributed / decentralized means that data does not live in one single place and there is no single owner or administrator of data; instead, data is replicated and synchronized across multiple locations across the network. Instead of an automated clearing house (ACH) for electronic transfers, there is Bitcoin, where a transaction is validated by checking its parameters against records dispersed across the Bitcoin network; instead of an escrow agent, there are smart contracts, where transactions can be automatically executed upon the occurrence of certain conditions. Among the bells and whistles that come with blockchain technology, one important feature is that records on a distributed ledger are immutable – for certain technical reasons that are beyond the scope of this article, records effectively cannot be modified.
The features of blockchain technology make it a great choice for data security. One of the fundamental principles in data security is the “C-I-A” triad, which stands for confidentiality, integrity, and availability. Blockchain technology can help with all three. It can improve the confidentiality of data and transactions because cryptography (i.e. encryption) is central to the blockchain. A smart contract or other blockchain-based application could, for example, allow the conditions and parameters of a transaction to be verified and executed without revealing the underlying substantive data. Blockchain can also improve data integrity because records are immutable and cannot be modified once they are on the blockchain – not even by the original creator of the record. Finally, blockchain can improve data availability because records are distributed and decentralized. The failure of any one location that holds a copy of the data would not compromise the ability to access that data – i.e. there is no single point of failure.
Many people may mistake security for privacy, but the design features of a blockchain network that make it such a useful tool for data security actually make it problematic for privacy. This becomes evident after considering how any blockchain application can comply with the requirements of the European Union’s General Data Protection Regulation (the “GDPR”) and the California Consumer Privacy Act of 2018 (the “CCPA”). The GDPR, which became effective on May 25, 2018, and the CCPA, which does not become effective until January 1, 2020, guaranty that individuals retain a certain amount of control over their personal data and personal information, but blockchain applications are intended to prevent individuals from changing the information contained within their digital ledgers.
For example, Article 16 of the GDPR, which governs an individual’s right to rectification, is difficult to enforce in a blockchain network. It grants to each data subject, i.e., an identified or identifiable natural person, the right to obtain the rectification of his or her personal data retained by a controller, i.e., the person or entity that makes decisions about processing a data subject’s personal data. However, in a de-centralized blockchain network, like bitcoin and other cryptocurrencies, there is not necessarily a clearly identified controller for a data subject to contact to enforce this right.
Problems exist in other sections of the GDPR, as well. Article 17 grants data subjects the right to be forgotten, or, in other words, to right to require that a controller delete all of a data subject’s personal data. In the blockchain context that would likely mean deleting the block in the chain containing the data subject’s data, but that is not necessarily possible when no block in the chain can be deleted. Article 18 grants data subjects the right to place restrictions on the processing of their personal data, but that could limit the functionality of the entire blockchain. For example, a blockchain application that awards tokens, which can be used for retail discounts, based on the data about each person in the chain may not function the way it is intended if some of the individuals in the chain exercise their rights under the GDPR.
The CCPA could pose similar problems when it goes into effect. Under the new California Civil Code Section 1798.120(a), a consumer has the right to instruct a business not to sell its personal information to a third party. That is fairly easy when that information exists as an entry in a database. However, a business that tries to sell a blockchain network will have a harder time removing individual blocks from each chain.
The difficulties posed by the GDPR and CCPA are not necessarily insurmountable, and in fact, some of the limitations in those laws may create useful exceptions for blockchain applications. But if you represent clients that use, or are considering the use of, blockchain technology, they should be aware of the requirements that new and pending privacy laws place on them. Clients that know and address those requirements as they build their blockchain networks, or incorporate blockchain into their business operations, will be able to take advantage of blockchain’s data security features without stumbling on its privacy issues.