12 Nov Data Privacy Act vs. Blockchain Technology

Blockchain technology brings about certain challenges, particularly in terms of compliance with the Data Privacy Act (DPA). In a nutshell, the DPA mandates that individuals must have control over the use or removal of their data. In contrast, blockchain’s greatest feature is its unchangeable record or immutability. On the surface, these concepts seem in direct conflict.[1] However, as will be shown below, these two apparently conflicting concepts may be reconciled.

Essential Features of Blockchain                     

Blockchain derived its name from the way it stores transaction data — in blocks that are linked chronologically in a chain.[2] Each block contains a hash (a digital fingerprint or unique identifier) of the previous block that links the blocks together and prevents any block from being altered.[3] As the number of transactions grows, so does the blockchain.

 Not all blockchains are created equal. There are various ways in which blockchain technology is being used. Blockchain networks can either be public, in that everyone can access the network, or they can be private, in that they are limited to certain individuals. They can also either be permissioned, such that an individual needs authorization to be able to access the network, or they can be permissionless, such that anyone can post to the network. [4] Despite the many forms it may take, blockchain has two essential characteristics:

Decentralized: The blockchain is distributed to every validator (node) on the network. Sharing these encrypted “spreadsheets” creates a distributed system where each validator can access the transaction data and add blocks to the blockchain, which is then shared with everyone in real time, similar to Google Docs.[5] It is a like a “giant spreadsheet for registering all assets.”[6]

 Immutable: Hashing or the conversion of personal data into an output of a fixed length strengthens the verification of the previous block and hence the entire blockchain. The method renders the blockchain impossible to alter, hence the key attribute of immutability.

Applicability of the Data Privacy Act

 The DPA only applies to the processing of personal data and defines personal information as “information from which the identity of an individual is apparent or can be reasonably and directly ascertained”.[7] It is possible that the data on the blockchain may be subject to the DPA, since hashing merely involves replacing any personal data with a pseudonym, this type of data on the blockchain should still be subject to the DPA.[8]

Moreover, the public key associated with a person may qualify as personal information. On a blockchain, a participant initiates a transaction by signing it with his private key and broadcasting the transaction to all other network participants. The other participants only see the public key representing the participant making the transaction. However, if the participant uses the same public key for other transactions, the participant becomes identifiable. The public key might also display information, such as an IP address or connection with a website, which allows the participant to be identified.[9]  The public key may hence be regarded as personal data.

 Points of Conflict

 Identification of Personal Information Controller or Processor.

To comply with the DPA, it is crucial for the data controller and data processor in each blockchain to be correctly identified. The extent to which an organization is subject to obligations under the DPA depends on whether or not they are a personal information controller or processor. In general, the controller is the person who determines the ‘why’ and the ‘how’ of a data processing activity, whereas the processor processes personal information in behalf of the controller.[10]

Given the decentralized feature of blockchain, where all participants share information and can add information to the blockchain without requiring any authorization from a central administrator, identifying these persons can be a very challenging task. Any participant entering personal data in blocks of the chain can qualify as a data controller of the data he has provided. At the same time, any participant can be regarded as a data processor in respect of the personal data of which he has a copy.[11]

 Upholding the Right to be Forgotten, the Right to Rectification, and the Principle of Proportionality

Complying with the right to be forgotten and the principle of proportionality present another challenge for blockchain technology. Under the principle of proportionality, personal information may be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise, or defense of legal claims, or as provided by law. Also, it may not  be retained in perpetuity in contemplation of a possible future use yet to be determined.[12] Meanwhile, the right to be forgotten allows data subjects to order the blocking, removal, or destruction of his or her personal information from a personal information controller’s filing system.[13]

Immutability, one of the key features of blockchain technology, seems to conflict with both the principle of storage limitation and the right to be forgotten. As mentioned, the immutable nature of blockchain means that data added to blocks cannot be removed. Thus, the data controller may not be able to erase data even where grounds for their erasure exist.[14]

While there are conflicts between DPA and blockchain, such as the immutability of data on the blockchain, an analysis of the flexibility of blockchain technology suggests that it can be compatible with the GDPR obligations.^[15]

DPA-Compliant Blockchain Solutions

As far as personal data removal is concerned, one solution is off-chain storage of personal data, wherein data is kept separate from the blockchain itself.[16] It is possible to store data on a private encrypted database and only include a hash of personal information on the blockchain, serving as a reference point to an off-chain database. The hash, essentially the fingerprint of specific data, can be used to confirm that the data in the database has not been tampered with.  Moreover, the off-chain system can be set up to allow access to authorized parties only. If data needs to be erased, the records in the database can be deleted, essentially leaving the immutable hash on the blockchain referencing a non-existent file.[17]

Another solution is to make the blockchain private and permission-based. Here, the original owners of certain data determine if they  should be storing the data or if trusted nodes can store a copy as well.[18]

Indeed, the use of blockchain technology is becoming increasingly prevalent. The above solutions demonstrate that blockchain can be flexible and can comply with the DPA.[19] By storing data off-chain or by making the blockchain permission-based, its potential will be fully harnessed while remaining DPA-compliant.

[1] Daniela Bencova, Clifford Chance, Blockchain Technology and the GDPR, available at https://talkingtech.cliffordchance.com/en/cybersecurity/blockchain-technology-and-the-gdpr.html (last visited October 22, 2018).

[2] Justin Joseph, The Blockchain Revolution, available at https://erpinnews.com/the-blockchain-revolution (last visited October 22, 2018).

[3] Sachin Gupta, Blockchain Basics, available at https://www.linkedin.com/pulse/blockchain-basics-sachin-gupta/ (last visited October 22, 2018).

[4] Bruce Bennett, Sophie Bertin, et. al, The GDPR and Blockchain, available at https://www.insideprivacy.com/international/european-union/the-gdpr-and-blockchain/ (last visited October 22, 2018).

[5] Jay Stanley, Blockchain Explained: How it Works, Who Cares, and What Its Future May Hold, available at https://www.techspot.com/article/1567-blockchain-explained/ (last visited October 22, 2018).

[6] Shashank Venkat, The Regulator’s Dilemma: GDPR’s Conflict with Blockchain, available at https://www.cerillion.com/Blog/September-2018/Regulators-Dilemma-GDPR-conflict-with-blockchain (last visited October 22, 2018).

[7] Section 3(g), Republic Act 10173, “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for rhis Purpose a National Privacy Commission, and For Other Purposes”.

[8] Luke Sayer, Can GDPR and Blockchain Co-exist, available at http://www.internationalinvestment.net/comment/comment-can-gdpr-and-blockchain-co-exist/ (last visited October 22, 2018).

[9] Id.

[10] Disini & Disini Law Office, Controller v. Processor/ Data Sharing v. Data Outsourcing, available at https://privacy.com.ph/dndfeature/9599/ (last visited October 22, 2018).

[11] Supra note 1.

[12] Disini & Disini Law Office, Data Privacy Principles and Rights, available at https://privacy.com.ph/dndfeature/data-privacy-principles-rights/ (last visited October 22, 2018).

[13] Disini & Disini Law Office, The Right to Be Forgotten in the Philippine Context, available at https://privacy.com.ph/news-article/the-right-to-be-forgotten-in-the-philippine-context/ (last visited October 22, 2018).

[14] Supra note 1.

[15] Supra note 8.

[16] Supra note 6.

[17] Supra note 8.

[18] Id.

[19] Lucas Mearian, Will Blockchain Run Afoul of GDPR? (Yes and No), available at https://www.computerworld.com/article/3269750/blockchain/will-blockchain-run-afoul-of-gdpr-yes-and-no.html (last visited October 22, 2018).