Blockchain’s Perpetual Memory Confounds EU’s ‘Right to Be Forgotten’


The European Union’s “right to be forgotten” privacy law clashes with blockchain, whose unique feature is that it “never forgets” the vast amount of information it collects.

The technology is becoming integral to more and more businesses, and businesses across the European economic bloc want privacy regulators to clarify how blockchain and the EU’s landmark General Data Protection Regulation can co-exist.

“There is a serious tension between blockchain and GDPR,” said Jörg Hladjk, partner at Jones Day in Brussels. “There is a common belief that blockchain technology uses anonymous data, but in fact it does not.”

The global blockchain market is projected to grow this decade, from roughly $6 billion last year to $160 billion by 2029.

Blockchain distributed ledgers, which contain data that cannot be deleted or altered, are rapidly developing beyond cryptocurrency transactions to facilitate efficient supply chain management, product traceability, proof of identity, and many other business functions.

“It’s a whole new area for regulators that raises a lot of issues,” Hladjk said.

Europe’s privacy regulators must grapple with who controls blockchain data and who is liable if something goes wrong, as well as “how to exercise rights [and] legal basis for processing,” Hladjk said. “And it is often overlooked whether and in what detail a data protection impact assessment is required.”

“In most cases, the data will be pseudonymous and therefore personal data that triggers the GDPR,” he said.

EU, US guidelines

The European Data Protection Board, an independent EU body tasked with facilitating the GDPR, is drafting blockchain guidelines, but “we cannot say when the guidelines will be ready for publication, nor can we comment on their potential content,” the board said in a statement sent by mail.

This allows companies to best navigate rapidly evolving technologies.

“I’ve been asked so many times whether blockchain is legal or illegal,” said Marijn Storm, data protection associate at Morrison & Foerster LLP in Brussels. “It depends on how the technology is used,” he said.

The U.S. Congress is considering comprehensive digital privacy legislation this summer for the first time in years, spurred in part by the EU but also by several state laws mimicking GDPR, which took effect in 2018.

The federal American Data Privacy and Security Act (HR 8152), which has bipartisan support and is awaiting a House vote, would give all Americans the right to access, correct and delete their data for the first time. The laws of California, Colorado, Connecticut, Virginia and Utah include a right to erasure similar to the European right to erasure.

Companies wait

In the EU in particular, legal uncertainty could be “a reason not to use blockchain” and force companies to take a wait-and-see approach, Storm said.

According to Deloitte’s 2021 global blockchain survey, data security and privacy are top concerns for blockchain startups.

Public blockchains that can be accessed by anyone, such as Ethereum and Bitcoin, “do not fit only the minimal principle and cannot always guarantee the ability of the data subject to change or delete data,” said Liisi Jürgen, head of IT law at the NJORD company in Tallinn, Estonia.

On public blockchains, which essentially anyone can join, it can be impossible to identify a central data controller responsible for compliance, creating a headache for authorities who will want to know who is responsible if something goes wrong.

Despite the uncertainty, data protection authorities have been slow to intervene.

The French National Commission for Information and Freedom (CNIL) published guidelines in 2018 stating that on-blockchain storage of personal data should be limited to “commitments” or hashes that link to off-chain data. The CNIL also said that permissioned blockchains, or non-public blockchains created by a limited number of known users, are better than public blockchains.
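An added illustration (not from the article or the CNIL guidance) of the pattern described above: only a keyed commitment goes on-chain, while the personal data and its key stay off-chain where they can be deleted. The in-memory `off_chain` store, the `ledger` list and all function names are hypothetical, and the sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: a dict for the off-chain database and a list for
# an append-only ledger. All names here are hypothetical.
off_chain = {}
ledger = []

def plain_hash(personal_data: str) -> str:
    """Unkeyed digest: anyone who can guess the input can recompute it."""
    return hashlib.sha256(personal_data.encode()).hexdigest()

def commit(record_id: str, personal_data: str) -> str:
    """Keep data and a fresh random key off-chain; publish only the keyed digest."""
    key = secrets.token_bytes(32)
    digest = hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()
    off_chain[record_id] = {"data": personal_data, "key": key}
    ledger.append(digest)
    return digest

def verify(record_id: str, digest: str) -> bool:
    """Check that the off-chain record still matches its on-chain commitment."""
    rec = off_chain.get(record_id)
    if rec is None:
        return False  # erased: nothing left to link the digest to
    expected = hmac.new(rec["key"], rec["data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)

def erase(record_id: str) -> None:
    """Erasure request: delete data and key off-chain; the ledger is untouched."""
    off_chain.pop(record_id, None)

def matches_any_guess(on_chain_value: str, guesses: list[str]) -> bool:
    """Reviewer's check: can the on-chain value be recomputed from guessed inputs alone?"""
    return any(hmac.compare_digest(plain_hash(g), on_chain_value) for g in guesses)
```

An unkeyed hash of a guessable value such as an email address fails the `matches_any_guess` check, while the keyed commitment passes it and stops verifying once `erase` has removed the off-chain record.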

“It is necessary to reflect on the European level” to issue final guidelines on blockchain and the GDPR, the CNIL said.

But four years later, it still hasn’t happened.

Encrypted data

“We follow the CNIL’s instructions and I think everyone does,” said Niels Vandezande, a digital legal consultant at Timelex in Brussels. “There are many projects going on; everyone wants to do everything on the blockchain now.”

Blockchain and cryptocurrencies are moving so fast that “it’s very difficult for regulators to understand,” he said.

The Hungarian Data Protection Authority was one step ahead of the CNIL and published blockchain guidelines in 2017, but under the Hungarian data protection law, which the GDPR replaced in May 2018.

Since 2017, the Hungarian authority has received “general consultation requests from specific data controllers” related to blockchain, but “has not received any complaints from specific data subjects about data processing on the blockchain,” said Gabriella Dél, international rapporteur for the Hungarian data protection authority.

Encrypted blockchain data — typically a hash that links to a wallet address — also makes it harder to actually access personal data.

Using encryption technology, blockchain is a tool for managing data in a way that protects information and fosters trust in record storage, rather than revealing or compromising their integrity, said Sujit Raman, general counsel at blockchain analytics firm TRM Labs.

“Pierce the Veil”

There are several areas that need further research to comply with privacy regulations, such as blockchain’s rejection of centralized authorities that control data flows. The fixed nature of blockchain can also present a challenge when it comes to changing or deleting personal data.

“There are ways to reconcile the concept of privacy with blockchain technology,” said Raman, who previously represented the US government in international data protection negotiations.

However, under Europe’s GDPR, even encrypted data that can only be linked to a digital wallet is considered personal data because the wallet holders can be identified.

On-chain analytics companies are already profiling cryptocurrency wallets based on public blockchain data, said Yannis Kalfoglou, author of Blockchain for Business: A Practical Guide for the Next Frontier.

Data “can be anonymized, it can be pseudonymized, it can be hashed, but that doesn’t mean it can’t be recovered,” he said. “You can always break through the veil.”

Risk ahead?

In contrast to the CNIL’s 2018 advice that permissioned blockchains are preferred, public blockchains are the future, said Mary Lacity, director of the Blockchain Center of Excellence at the University of Arkansas.

“The problem with private networks is that they are immutable,” and “governance issues are complex” on larger private blockchains with many participants, she said.

Public blockchains could facilitate decentralized identity, where individuals hold identity credentials in digital wallets and use them as the basis for a variety of transactions, from purchasing an immutable token to registering real estate purchases, accessing online government services, and providing evidence of age to enter a bar.

For real estate registries, for example, “it would be great to have something immutable,” said Storm of Morrison & Foerster.

Decentralized identity could be attractive in Europe as a digital alternative to identity cards issued by most EU countries. Governments would grant the powers held in digital wallets.

“The basic concept is that I will control all of my identity data,” said Jeremy Grant, director of technology business strategy at Venable LLP in Washington, D.C. “I decide who can see it and when.”

But the challenge of decentralized identity would be implementation, since such an identity architecture is based on people’s ability to navigate their own set of cryptographic keys, Grant said.

Kalfoglou said “Digital ID gives a lot of ownership to the citizen” who should “proactively manage” their credentials to prevent them from falling into the wrong hands.
