The Data Privacy Block in the Chain: Blockchains and Immutability

Blockchain has taken the world by force, and we are seeing large companies—like Walmart, American Express, Oracle, Facebook and others—adopt blockchains into their everyday operations. Although the concept of a blockchain, which functions as a distributed ledger, is relatively straight forward, there are inherent regulatory complexities that arise due to the premise of the underlying technology. 

A blockchain can store essentially anything on an immutable data chain which cannot be broken in any way.  The inability to unlink data in this “distributed ledger” presents a problem for firms who seek to comply with data privacy laws.

The established European General Data Protection Regulation (“GDPR”) and new California Consumer Privacy Act of 2018 (“CCPA”) provide specific rights to individuals who want to restrict the use of or delete their personal information.

Compliance Challenges and Risks

The GDPR and CCPA define a set of rights for data owners which contradict the fundamental functionality of blockchain technology and present an inherent compliance risk.

These data privacy regulations define the responsibilities of data controllers (or “Businesses” under the CCPA) who dictate how personal data is used. This means that an entity utilizing blockchain technology is the data controller.  Data processors (or “Service Providers” under the CCPA) are simply entities that process the data for the controllers. In most cases a single entity is both the controller and the processor; however, they can be unrelated parties. 

Although private blockchains can use permission controls to prevent access to the data owners’ information, the challenge remains that blockchain users cannot edit or delete records once they are on the blockchain and thus seemingly cannot comply with data owners’ requests to exercise their data rights.

In a decentralized blockchain, there are no processors or controllers, per se. Blockchain users oversee data creation, while third-party programmers merely control how the blockchain technology operates. Thus there is no single easily identifiable entity in charge of the data or processing, and it’s not clear who would be held accountable for failure to comply with data privacy regulations.

Solutions

Although private blockchains can use permission controls to prevent access to the data owner’s information, the risk remains that data owners cannot edit or delete the records once they are on the blockchain. Blockchain enthusiasts and top authorities have debated ways to comply with data privacy regulations, including simply preventing any personally identifying information on the blockchain or restricting access to the data.

To prevent personal data from being integrated into blockchain ledgers, companies should implement effective governance of data processing and storage.  Governance should incorporate traditional methods, such as policies and controls; but could also implement a “gateway,” utilizing new technologies that identify personal data, to review data before it is uploaded to the blockchain. 

Final Link

Blockchain will play a major role in the transformation of how companies process and store the data that makes every day operations efficient and possible. It is crucial that the technology industry and regulators work together to overcome “blocks in the chain” to best serve the interests of consumers and society. Through careful planning and coalition, society should see the challenges and risks surrounding data privacy mitigated.

More content from eMerge Americas:

• eMerge Americas
• How Women are Disrupting Venture Capital
• Re-imagining Cities: Miami -- The City of Sun, Fun and … TECH?
• eMerge Americas Attendees and Their Social Media of Choice