As blockchains are being used across an ever-growing list of applications, equally European privacy laws are becoming more sophisticated, evolving, as they have been for some time, in an attempt to play catchup with technological developments.
Key attractions of blockchains are, of course, their permanency and transparency, ie the data store is added to and is very difficult to take away. However, since new EU rules would essentially give individuals a right to no longer have their data processed – the 'right to be forgotten', as it is labelled – an important tension arises of which users and developers of blockchain should be aware.
To recap, put simply and as it says on the tin, blockchains record a series of transactions in blocks, and could include data of any sort, including 'personal data' as defined under EU laws (ie data relating to a living individual).
In theory, any record that can be stored electronically and recognised by a computer could be stored on a blockchain with the potential to be used by a wide range of players and for a wide range of uses.
For example, it has recently been reported that the UK government is exploring using blockchain tech to store the information of benefits claimants.
Blockchains are only added to and are maintained by a peer network of nodes in which each node has a copy of the blockchain and has an equal authority to add to it. This is a key attraction of blockchains – once data is embedded, it cannot be altered without that amendment being approved by other nodes in the network. Where personal data is concerned, however, this inability to remove data could lead to problems, particularly in light of the new laws coming down the pipeline.
In particular, the new EU General Data Protection Regulation (GDPR), which was approved earlier this year following over four years of negotiations and replaces a law which is more than 20 years old, introduces, amongst other things, a 'right to be forgotten'. Generally speaking, this means that if an individual no longer wishes for his or her data to be processed, provided that there are no legitimate reasons for retaining it, he or she could ask the person controlling his or her data to erase it.
Since the GDPR will apply to all those processing data in the EU or those who process data relating to EU data subjects, it is easy to see how this could extend to those within a peer network storing data, such that someone could now technically ask those within the network to erase data they hold.
And since the GDPR is set to become law in spring 2018, this gives those that process data and to whom the GDPR applies, some homework to do before then.
Conflict: technology vs the law
Since blockchains could be used for a range of purposes, for example, from recording visits to health practitioners to ascertaining the owner of an asset, it is easy to imagine times where an individual may wish that data be no longer held about him or her in the same way, or times where an individual may request that data relating to him or her be deleted.
Nevertheless, to clear data out, various nodes would have to work together to rebuild the blockchain from before that data was added, which is no mean feat.
That said, there are some steps which can, and should, be considered to reduce the risk of a court order compelling data to be removed, or worse, nodes to be shut down in light of a failure to recognise this right to be forgotten.In particular, there is significant value in designing the content of blockchains and the network that supports them from the outset in a way which reduces risk.
One key way to minimise such risk might be to simply use blockchains to provide a timestamp for information stored elsewhere – for example, on a website – if the content needed to be removed, that way the exercise would be far less cumbersome. Similarly, designing transactions so that they can't be used to add comments that might include personal data would help, from a privacy compliance perspective at least.
Other solutions include controlling what becomes public within a peer-to-peer network of trusted nodes, therefore, hiding data in the blockchain that should not be shared in the first place, or encrypting data within the blockchain – although problems may of course arise if the decryption key were ever made public or lost.
How the right to be forgotten plays out in the context of blockchain does of course remain to be seen. For example, could it be argued that there is a 'legitimate reason' for retaining transaction blocks and precisely how EU regulators/courts would look to police this right in light of jurisdictional hurdles are just two key questions which spring to mind.
Nevertheless, for those blockchain users, the advice is that this change in the legal landscape requires careful planning and consideration. Taking some steps upfront with these new EU laws in mind and baking privacy concerns and workarounds in to any structure developed at the design phase should inevitably reduce the risk of individual claims or privacy regulator action down the line.