Blockchain vs GDPR: Technology Meets Regulation (Again!)

Unless you've been living under a series of highly distributed rocks, you'll be aware that blockchain (or at least the group of technologies known as Distributed Ledger Technologies or DLTs) is causing a huge stir in the tech world.  Almost daily, we see the launch of potentially game-changing new cryptocurrencies or announcement from major corporations of significant new DLT trials or implementations.

However, another major force shaping the digital world is the ever-strengthening focus on the privacy and security of our personal data, fuelled by regular revelations of attacks on and other activities involving huge and sensitive data sets.  Popular narrative has turned towards an increased questioning of whether the processes and arrangements which underlie many of our daily interactions are appropriately structured so as to safeguard our valuable personal identities and interactions.

We are now at the point of one of the biggest shake-ups ever seen in the regulation of privacy and data protection.  The General Data Protection Regulation, or GDPR, will come into force in the European Union as from May 25, 2018, and will have a massive impact on the rights of individuals and the obligations of corporations in relation to personal data, not only in the EU but around the world. 

European privacy law, already generally accepted as the high-water mark for privacy regulation worldwide, is being both strengthened and expanded under the GDPR.  Penalties for breach of some obligations under GDPR can reach EUR 20 million or 4% of global annual turnover, whichever is the higher, putting GDPR compliance at the very top of the list of concerns for firms in almost every industry sector.  Substantive compliance obligations are extensive and potentially burdensome, including specific requirements around:

  • Clear notifications to individuals as to how data will be collected and used, and how and with whom it will be shared;
  • Specific rights for individuals to access and correct personal data, and to request that processing of personal data cease;
  • The so-called "right to be forgotten”, a right to request that data which is no longer being used be erased;
  • the right to data portability, being a right to require the export of data to alternative service providers in usable form; and
  • Significant obligations to secure personal data and to notify regulators and individuals of certain types of personal data breaches.

A common and important misconception about the GDPR (and indeed about the privacy laws of many jurisdictions) is that it applies only to entities located within the EU and can, therefore, be ignored by companies in say the US or APAC.  Far from this being the case, however, it is clear that the GDPR applies in the context of any personal data collected from any individual in the EU, meaning that the GDPR will have potentially significant impact on any entity, either directly because that entity collects personal data from data subjects in the EU, or indirectly, because that entity otherwise interacts with such data on a secondary basis (for example because the original collector of that data provides it to the offshore entity for processing or storage).  In this indirect scenario, offshore entities should expect to be required to sign up to detailed contractual provisions essentially requiring compliance with the GDPR.

Another frequent misunderstanding in the context of blockchain and other DLTs is that their distributed nature means that they are effectively unregulated, whether by privacy-related laws such as the GDPR or indeed at all.  Of course, this is not the case.  Operators of, and participants in, blockchain and other DLT implementations must comply with the law, as the issuers and promoters of some ICO activity are now beginning to realize.  While there are always challenges in how the interlocking laws of multiple jurisdictions apply to emerging technologies, particularly distributed and multi-participant technologies such as DLTs (whether public/permissionless or private/permissioned), the idea that we have entered some crypto-powered utopia where regulation can be ignored is simply untrue.

A particular emerging issue in the intersection of blockchain/DLTS and GDPR is how the immutability of such technologies can sit with the GDPR's right to be forgotten.  While there are some limitations on the scope of the right, parties will need to assess whether the operation of the blockchain requires the collection of certain data, and how long such data will need to be held.  This may be particularly difficult in public blockchains, where the data structures which power the core exchanges of information and value often require the wide dissemination of personal data (albeit in some cases on a pseudonymized basis).  In such a context, how would an individual assert a right to be forgotten?  Would this compromise the underlying basis for the blockchain, namely the immutability (and in many cases the transparency) of transactions?  How can the public blockchain be structured so that complying with a request by a blockchain participant to be forgotten will not destroy the immutability and integrity of the blockchain?

Similar issues may, of course, arise in the context of enterprise DLTs, although the private and permissioned nature of such implementations may provide additional scope for the management of GDPR obligations.  Indeed, we are starting to see a number of platforms focusing far more closely on how data is shared amongst the network participants in order to implement systems which provide a sounder basis for GDPR compliance.

While these issues will no doubt play out over many years, we might at least start to see the first act starting soon, with May 25, 2018, a critical date to watch.

For further detail on this topic please see Blockchains and Laws: Are they Compatible?, a joint White Paper between Baker McKenzie and R3.

This article is contributed by Adrian Lawrence, Partner, Baker McKenzie in Sydney; Anne Petterd, Principal, Baker McKenzie Wong & Leow in Singapore, and Paolo Sbuttoni, Partner, Baker McKenzie, Hong Kong. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.