In the 10 years following the creation of blockchain, global business has been transformed.
Blockchain is a secure, distributed ledger that helps companies cut out intermediaries and maintain secure records of every transaction at a fraction of the cost of traditional systems. Originally used as infrastructure for trading cryptocurrencies like Bitcoin, it has since found many other use cases and has become integral to firms in various sectors. Blockchain is now used for a range of transactions, from payment processing by banks to customer shipments by retail companies. In doing so, large quantities of business and personal data are harvested, from the details of transactions to customer information. This also raises questions for GDPR.
So, what are the implications for personal data when it comes to blockchain? Blockchains used by corporations contain vast amounts of data about individuals. Commercial retailers, for example, record a wide variety of data on their customers, such as their preferences, and store details about what they buy, why they buy it and how they pay for it. In such cases, data protection law applies to the blockchain.
GDPR enables EU citizens to find out what data is being held about them and protects them from the misuse of their personal data. It applies wherever in the world that data is stored. Its implications are that individuals have the right to see what companies hold about them and to request deletion under certain circumstances. It aims to provide the right to keep private data private.
Visibility of Transactions, Accountability and Transparency
One of the fundamental principles of GDPR is “privacy by design”, and this requirement applies to all types of business systems that are used to capture and store personal data. Systems must be built to ensure the privacy of the people whose data they process. This requirement therefore also applies to blockchains.
Another GDPR requirement that applies to all types of business is that data collected on individuals must not be stored for longer than necessary and must be relevant to the purpose. This is problematic for blockchain because, by virtue of the design of the technology, data is stored permanently. If evidence of transactions is removed or deleted, the integrity of the technology is compromised, as a major strength of the technology is the security that multiple records provide. However, nothing prevents personal details being either archived or deleted if data regulations determine that they are no longer necessary. Companies, therefore, need to think carefully about what this requirement entails and how they will adhere to it.
Those that support the use of the technology frequently talk about its transparency, but privacy does not necessarily follow from this. Personal data may still be identifiable, even if there is transparency in terms of the visibility of the transactions recorded in the blockchain. Nevertheless, transparency in blockchains is one of the defining characteristics of the technology as it provides accountability and traceability.
The use of permissioned blockchains is growing in frequency, and they can be used to address the privacy requirements of GDPR. The use of pseudonyms and encryption helps achieve privacy for users. Pseudonyms enable users to have virtual identities which can be derived, for example, from a public key that is associated with the person’s real identity. What this essentially means is that the blockchain makes the existence of a transaction or record visible to users, but not the name of the person involved. So, while the person’s real identity is secure, you will still see all of the transactions completed under their pseudonym. Combined with this, encryption helps achieve confidentiality of transactions. Encrypting transactions ensures they are kept private and the transaction data is only available to authorized parties.
The use of permissioned blockchains is growing, and large corporations have identified this as a means to protect the personal data of their customers in order to ensure their blockchain technology remains compliant with GDPR.
In 2020, Tech London Advocates (TLA), which has a dedicated Legal and Regulatory Blockchain Group, released a new report on blockchain and distributed ledger technology, which we discuss below.
TLA's dedicated Blockchain working group was founded in 2018, and serves as a hub for talented multidisciplinary Distributed Ledger Technology (DLT) experts. The TLA Blockchain Legal and Regulatory Group (the Group) was founded as a sub-group of TLA Blockchain in May 2018 by Anne Rose (Mishcon de Reya LLP). The Group is comprised of lawyers and technologists from the UK's leading law firms, legal consulting firms and academic institutions.
The guidance covers smart legal contracts and DLT-related matters such as commercial applications, smart contracts, data governance, data protection and security, IP, dispute resolution and cryptocurrency and blockchain consortia. The Group raised and agreed that the focus of the Guidance should be on providing legal practitioners with a useful and practical resource that expresses the knowledge and ideas of its members whilst leaving space for interpretation.
Blockchain Consortia Recommendations:
- Blockchain consortia can be essential in order to develop and scale blockchain platforms which enable digital transformation across a sector or a group of industry stakeholders.
- Lawyers can add significant value to a consortium project and it is recommended that they get involved early in consortium discussions to ensure that the consortium is set up for success.
Data Protection and data security recommendations:
- Recital 26 of the GDPR assumes a risk-based approach to assessing whether or not information is personal data; in contrast, the Article 29 Working Party (now the European Data Protection Board) suggests that a risk-based approach is not appropriate.
- as well as the elements that should be taken into account when assessing whether information is personal data, particularly in relation to how such data is stored, transferred and expressed on DLT and blockchain platforms.
- Some of the questions to be addressed by the ICO and other data authorities are:
  - Does the use of a blockchain automatically trigger an obligation to carry out a data protection impact assessment?
  - Does the continued processing of data on blockchains satisfy the compelling legitimate ground criterion under Article 21 GDPR?
  - How should 'erasure' be interpreted for the purposes of Article 17 GDPR in the context of blockchain technologies?
  - How should Article 18 GDPR regarding the restriction of processing be interpreted in the context of blockchain technologies?
  - What is the status of anonymity solutions such as ZKP under GDPR?
  - What is the status of the on-chain hash where transactional data is stored off-chain and subsequently erased?
  - Can a data subject be a data controller in relation to personal data that relates to them, particularly in the context of a data subject operating a node on a DLT or blockchain platform?
  - How should the principle of data minimisation be interpreted in relation to blockchains?
- Legislation and/or regulatory guidance should be provided clarifying that any cryptoassets will not be considered as a commodity or fiat currency under the laws of England and Wales.
- Legislation and/or regulatory guidance should be provided clarifying which regulatory requirements apply to "hybrid" cryptoassets and cryptoassets that move between categories throughout their lifetime, particularly with respect to authorisation requirements under the Electronic Money Regulations 2011 and Financial Services and Markets Act 2000, and the registration requirements under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
- Perimeter guidance should be provided with respect to the activities of acting as a "cryptoasset exchange provider" and "custodian wallet provider".
We are informed that The Rt Hon Sir Geoffrey Vos, Chancellor of the High Court, said: “This sudden acceleration in use has only emphasised our need to understand the ways in which technology is affecting our professional lives and lawyers face a steep learning curve. They will need to become familiar with DLT, smart legal contracts and cryptoassets – conceptually and functionally. This Guidance is an important step on that path.”
This is a link to the report for a more in depth read -
If you would like to discuss the Blockchain, GDPR or any of the guidance in this matter please contact our solicitors at A CITY LAW FIRM.