The Data Privacy Block in the Chain: Blockchains and Immutability
June 04, 2019
By Louis Bruno, Matthew Bernstein, and Fritz Spencer
Blockchain has taken the world by force, and we are seeing large companies—like Walmart, American Express, Oracle, Facebook and others—adopt blockchains into their everyday operations. Although the concept of a blockchain, which functions as a distributed ledger, is relatively straight forward, there are inherent regulatory complexities that arise due to the premise of the underlying technology.
A blockchain can store essentially anything on an immutable data chain which cannot be broken in any way. The inability to unlink data in this “distributed ledger” presents a problem for firms who seek to comply with data privacy laws.
The established European General Data Protection Regulation (“GDPR”) and new California Consumer Privacy Act of 2018 (“CCPA”) provide specific rights to individuals who want to restrict the use of or delete their personal information.
Compliance Challenges and Risks
The GDPR and CCPA define a set of rights for data owners which contradict the fundamental functionality of blockchain technology and present an inherent compliance risk.
|Data Owners’ Rights||“Block in the Chain”|
|Right to erase, correct errors, and restrict access to their data||Existing records cannot be edited or deleted on a blockchain.|
Right to prevent processing and/or transfer of their data
|Public blockchains are distributed to data “miners” and can be viewed by anyone.|
These data privacy regulations define the responsibilities of data controllers (or “Businesses” under the CCPA) who dictate how personal data is used. This means that an entity utilizing blockchain technology is the data controller. Data processors (or “Service Providers” under the CCPA) are simply entities that process the data for the controllers. In most cases a single entity is both the controller and the processor; however, they can be unrelated parties.
Although private blockchains can use permission controls to prevent access to the data owners’ information, the challenge remains that blockchain users cannot edit or delete records once they are on the blockchain and thus seemingly cannot comply with data owners’ requests to exercise their data rights.
In a decentralized blockchain, there are no processors or controllers, per se. Blockchain users oversee data creation, while third-party programmers merely control how the blockchain technology operates. Thus there is no single easily identifiable entity in charge of the data or processing, and it’s not clear who would be held accountable for failure to comply with data privacy regulations.
Although private blockchains can use permission controls to prevent access to the data owner’s information, the risk remains that data owners cannot edit or delete the records once they are on the blockchain. Blockchain enthusiasts and top authorities have debated ways to comply with data privacy regulations, including simply preventing any personally identifying information on the blockchain or restricting access to the data.
To prevent personal data from being integrated into blockchain ledgers, companies should implement effective governance of data processing and storage. Governance should incorporate traditional methods, such as policies and controls; but could also implement a “gateway,” utilizing new technologies that identify personal data, to review data before it is uploaded to the blockchain.
Blockchain will play a major role in the transformation of how companies process and store the data that makes every day operations efficient and possible. It is crucial that the technology industry and regulators work together to overcome “blocks in the chain” to best serve the interests of consumers and society. Through careful planning and coalition, society should see the challenges and risks surrounding data privacy mitigated.
More content from eMerge Americas: