May 2019 Issue
Cryptocurrency has its share of sceptics, but even those sceptics have recognised the relevance and promise of blockchain technology for all types of organisations as a way to verify and trace transactions. Yet for companies with operations in the European Union (EU), or that collect and process the personal information of EU residents, blockchain poses both challenges and potential solutions to compliance with the General Data Protection Regulation (GDPR).
Both the French Commission Nationale de l’Informatique et des Libertés (CNIL) and the EU Blockchain Observatory and Forum (EUBOF) have recently issued reports that address the intersection of blockchain and privacy laws: how blockchain can assist in complying with the GDPR, and how to implement blockchain without running afoul of the GDPR. Below is a discussion of how blockchain interacts with the GDPR, and what companies should be asking based on this recent guidance.
What are the benefits of blockchain?
Blockchain is a type of ‘distributed ledger technology’ which allows for the decentralisation of data processing and storage. Blockchains can be fully public, meaning anyone can download the ‘ledger’ and begin using their computing power to verify transactions, or they can be ‘permissioned’, meaning only certain individuals or entities are allowed to participate.
The benefits of this decentralisation are that transactions can be processed and verified nearly instantaneously, that blockchains provide robust audit trails, and that there is no single point of failure open to cyber attack or technological failure. On the other hand, every node in the blockchain has access to all of the data in the ledger, meaning information is only as closely held, or tightly controlled, as the blockchain itself. Recent hacks of the blockchains underlying the Coinbase and Gate.io cryptocurrency exchanges illustrate that fully public blockchains are susceptible to attacks.
Whether blockchain’s rewards outweigh its risks depends on the organisation concerned. Organisations can employ blockchain technology to ensure that transactions are securely processed without delay. Additionally, blockchain’s instant and unalterable transaction records can allow organisations to quickly and easily demonstrate regulatory compliance or respond to inquiries from government authorities.
Is blockchain GDPR-compliant?
The short answer is it can be. As the EUBOF explains, “GDPR compliance is not about technology, it is about how it is used”. While blockchain may help an organisation meet some of the GDPR’s requirements, such as security by design, its implementation also presents numerous compliance hurdles, like ensuring data subjects can exercise their rights.
What compliance issues does blockchain raise?
As the GDPR was written to be technologically neutral, every piece of technology an organisation might employ to handle personal data will need to fit its contours. Compliance issues raised by blockchain include those listed below.
Data control. Central to the GDPR’s notion of accountability is determining whether an organisation “controls” personal data or whether it merely “processes” it. Data controllers have more onerous compliance requirements, including robust notice requirements and strict limitations on the parties with which they can share personal data and how they do so. With a decentralised blockchain, personal data is potentially spread out among myriad entities, which may be either ‘data controllers’ or ‘data processors’ depending on their exact role in the blockchain. Under the GDPR, each controller has an obligation to the data subjects whose personal data is added to the blockchain to hold the other controllers and any processors to account for the manner in which they process personal data. This amount of coordination and need for contracts between different parties may necessitate using a permissioned rather than public blockchain, which may reduce some of the benefits provided by large-scale decentralisation.
Cross-border data transfers. Related to the issue of data control is the flow of personal data, particularly if data in the blockchain is leaving the European Economic Area (EEA). The GDPR requires that any personal data leaving the EEA be afforded protections equivalent to those that would be available within it. As every node in a blockchain has a copy of all the data in the ledger, any personal data in that ledger is flowing to and from each node. This would not necessarily present problems in countries like Canada or Japan, where EU officials have determined that the legal protections are “adequate”. But placing a node in a country that has not been found to have “adequate” protections – the US, for instance – would necessitate coordinating and implementing a legally binding mechanism to ensure that personal data subject to the GDPR is processed in a manner that satisfies the GDPR’s requirements. This may chip away at some of the efficiencies of the blockchain.
Individual rights. Perhaps the most well-known aspect of the GDPR is its enshrinement of an individual data subject’s rights over their own data. Under the GDPR, individuals have the right to: (i) be informed as to how their data is being used; (ii) access their data; (iii) object to the manner in which their data is processed; (iv) rectify mistakes in or erase their data; and (v) have their data provided to them in a portable way. Data controllers are in turn responsible for ensuring individuals can exercise those rights, by putting in place mechanisms to handle and implement data subject requests. Controllers that use blockchain will have to be able to plainly explain to individuals the role blockchain plays in the processing of their data. Further, an organisation would need procedures to allow a data subject to exercise their rights, and would need to have a firm grasp on what data and what nodes fall within the scope of its responsibility. As with some of the GDPR’s other requirements, fulfilling the obligations of a data controller necessitates exercising a degree of control over a blockchain that may dampen some of the characteristics that make blockchain attractive in the first place.
Can blockchain help meet GDPR requirements?
While there are hurdles to clear, GDPR-compliant blockchains are not only possible, but actually could help an organisation fulfil its obligations under the GDPR. In particular, blockchain can be a robust tool in complying with two specific provisions, outlined below.
Accuracy. A principle of the GDPR is ensuring that all personal data an organisation holds is accurate, and that there are processes in place to check or verify accuracy. Blockchain technology, with its virtually incorruptible audit trails, can both provide a method for ensuring accuracy and allow data controllers to demonstrate what data they process and, at least in part, the manner in which they do so.
Data protection by design and default. Organisations that process personal data are required to consider data protection before beginning processing operations. The idea is that data protection should be ‘baked into’ decisions about what data to process and how to undertake any data processing. While protecting data from unauthorised access and disclosure is the form of data protection most people might think of, protecting the integrity of personal data is just as important. Data integrity is one of the hallmarks of blockchain – no one node can erroneously change the ledger as all transactions are wholly verified by the blockchain.
How can an organisation implement blockchain?
Analysing the potential pitfalls and windfalls of employing blockchain should give an organisation a better handle on its data processing activities and how to improve them. If organisations determine blockchain is an appropriate technology, there are a number of steps that need to be taken to successfully introduce it.
Data mapping. First and foremost, an organisation should take the time to understand what data it processes, where or from whom it comes, and how that data is processed. This will identify where blockchain could be useful.
Determine type and scope of blockchain. After identifying the scope of its data processing activities, an organisation can investigate what type of blockchain is right for it. Public blockchains give organisations less control, while permissioned blockchains lack some of the benefits of a truly decentralised system.
Assess how to comply. Perhaps the most complex aspect of the process will be evaluating the myriad ways an organisation will be expected to comply and the possible methods for that compliance. For many organisations, robust encryption and pseudonymisation of personal data will lessen the risks of disclosure. Additionally, an organisation should assess how its technological controls could be complemented by administrative controls. These can range from reviewing, drafting and executing new data processing agreements with third parties to implementing industry-developed codes of conduct.
Calculate compliance costs. An organisation will need to assess compliance costs in terms of both capital and time. Any data processing operations will need to be governed by appropriate contracts to ensure that data flowing across international borders does so pursuant to appropriate safeguards, and new systems may need to be purchased and implemented.
Cost and benefit analysis. Ultimately, an organisation will have to decide whether the value blockchain adds to its operations outweighs the cost of putting in place necessary compliance measures.
Blockchain is an exciting new technology that can provide myriad benefits, including data protection and verification. For companies with operations in Europe or that process European residents’ data, those benefits must be weighed against the cost of complying with the EU’s complex set of rules for processing personal data. Organisations looking to head down this route and begin employing blockchain should reach out to their lawyers and legal representatives for help navigating the sea change that has followed the GDPR.
Priya Aiyar is a partner and Nicholas Chanin is an associate at Willkie Farr & Gallagher. Ms Aiyar can be contacted on +1 (202) 303 1189 or by email: firstname.lastname@example.org. Mr Chanin can be contacted on +1 (202) 303 1164 or by email: email@example.com.
© Financier Worldwide