Jacek Czarnecki is an attorney at Warsaw-based law firm Wardynski & Partners, where he specializes in areas including fintech, digital currencies and blockchain.
In this opinion piece, Czarnecki discusses data protection laws in the EU, outlining in an easy-to-read overview how they present both challenges and opportunities for industry innovators.
Not a day goes by when we don't hear about a new application for blockchain technology.
And this isn't just about technological improvements or the reconstruction of business models: different blockchain use cases will leave a mark on the economy, society and, perhaps, also on politics.
Blockchains - especially public ones such as bitcoin or ethereum - break many paradigms, including legal ones. We are thus entering an interesting transition period when successive applications of this technology will encounter legal norms not always adapted to the new reality.
One of the more interesting examples to look at is personal data protection.
Legal regulations protecting personal data are of great importance in many areas where blockchains already exist: finance, healthcare, electronic identification systems, etc. And while the application of existing data protection regulations in blockchain technology will cause issues, there are solutions.
Challenges and benefits of blockchains
First things first, why are blockchains a challenge for the protection of personal data? There are three main reasons:
- Blockchains are decentralized and distributed. It is virtually impossible to identify the entity responsible for what is happening on the blockchain and for the processing of personal data.
- Blockchains are public and transparent. As a rule, all information on a blockchain, which may include personal data, is accessible to everyone.
- Blockchains are non-editable. It is impossible to change or delete information contained on a blockchain (eg personal data). Transactions are irreversible.
Why are blockchains an opportunity for personal data protection?
- Blockchains are decentralized and distributed. Currently, various trusted third parties process our personal data. These entities are centralized and, therefore, often constitute single points of failure. Leaks of unimaginable amounts of data as a result of cybercrime often occur in the form of an attack on a single entity, such as a hospital, email service provider, etc.
- Blockchains are public and transparent. We do not currently have any effective control over who processes our personal data and how. In fact, the data subject is in control of their personal data only to a restricted degree. Upon a transfer of that data, the subject loses control over how it is subsequently used.
- Blockchains are very safe. Through the use of cryptography (digital signatures, encryption, time-stamping) and systemically embedded economic incentives for network maintaining entities, blockchains provide a fairly secure way of storing and managing information, including personal data.
What legislative problems are we facing?
The legislation that most governs the protection of personal data in the European Union is the General Data Protection Regulation (GDPR).
Although the GDPR is said to have been designed to be technologically neutral and adapted to processing personal data in different contexts, structures and manners, in the case of blockchain technology, many questions are raised, nonetheless.
The answers will be different for different types of blockchains, but here are some issues that need to be addressed:
- Who is the controller of personal data on a blockchain?
The controller determines the purposes and means of the processing of personal data. Does such an entity exist at all in the context of a distributed blockchain? We can potentially treat transaction-confirming miners as controllers (in the case of the proof-of-work consensus) - something that in the case of large public blockchains will be unfeasible in practice.
- Which laws should be applied to blockchain technology?
In situations where it is not possible to identify the personal data processing entity and the place where the data is processed (there are probably as many of these entities and places as there are network nodes), it is difficult to pinpoint the jurisdiction which will be appropriate for the legal assessment of data processing - in other words, the applicable national law.
- What constitutes personal data in the blockchain context?
The concept of personal data is becoming more and more broad. So can we treat public keys as personal data? After all, they do not have the features of anonymous data and they are often associated with specific natural persons, although their characteristics are similar to pseudonymized data.
- Does the blockchain limit the purpose of collecting and processing data and its minimization?
According to the GDPR, the specific purposes for which personal data is processed should be specified, explicit and legitimate (purpose limitation). The personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation). These are just examples of principles set out by the GDPR. Meanwhile, in a public blockchain, data is maintained on every node of the network and is publicly accessible to anyone, regardless of the original purpose of their collection and processing.
- Are blockchains compatible with the personal data protection system by design and by default?
- How to realize the right to be forgotten?
Blockchains are practically non-editable and data held therein is often impossible to update, delete, change or correct.
- Who is liable for violations of the above requirements and obligations, since it is not possible to indicate the data controller?
What lies ahead?
A look at blockchains through the prism of data protection laws - especially laws as ambitious as the GDPR - is an interesting exercise, since it is not just a question of concluding that the application of this technology will generate legal problems.
This is only one side of the coin.
Blockchains may also become key components of future institutions, systems and mechanisms developed to cope with data protection regulations. For maximum efficiency, blockchain elements will likely combine with traditional solutions.
The advantages of this technology can be used to build a truly effective framework for the protection of personal data, in which the data subject will have actual power to control how their data is used.
Therefore, we are facing quite a challenge. We should interpret the laws, and design and build blockchain applications, in a manner that maximizes their synergy. Otherwise we will be stuck in a situation where the law will hold back the development of technology and innovation, while personal data will be protected less and less effectively.
Data protection image via Shutterstock