Why Blockchain Poses an Unusual Challenge for GDPR Compliance
Many of GDPR's biggest mandates are fundamentally incompatible with blockchain technology. How can blockchain operators find common ground with the new regulation?
May 25, 2018 at 08:00 AM
With the deadline for those serving EU customers to prepare for the General Data Protection Regulation (GDPR) finally here, companies are tightening up information governance structures, sending out new privacy policy updates to consumers, and preparing for the regulation's mandate that individual consumers be able to request the return and erasure of their personal data from big companies.
Blockchain technology companies, however, are worried they may not be able to do enough to comply with their GDPR obligations. Not because they don't want to, but because they can't.
Because of the way that blockchain technology is structured, the GDPR poses what some have called the “blockchain-GDPR Paradox”: In an effort to protect consumer control of information, the GDPR requires that organizations be able to erase personal information on request. However, in an effort to protect consumer control of information, blockchain is structured to retain information indefinitely.
“It's an issue that has many lawyers and other people who work in the blockchain space crashing their heads,” Bess Hinson, senior associate at Morris, Manning, & Martin, told Legaltech News.
“One of the problems is that the GDPR was developed based on this assumption that we can identify the data controller, the person who collected the personal data, and that person would remain in control of the data,” Hinson explained, adding that the regulation's authors had an eye toward cloud service providers, who can manage data through contractual provisions when working with third-party groups.
“Blockchain is not built under those assumptions. It becomes much more difficult under the regulation under those assumptions in terms of how to govern and control where the data is to whom it's transferred and who can access it,” Hinson noted.
At Odds With Innovation
Blockchain identity solutions are secured through a hard-coded ledger system of data copied and distributed across multiple nodes, making them essentially impervious to tampering. Blockchain-based identity projects, like the Sovrin Foundation, have attempted to use this structure to allow individual people to verify their own personal information, and be more selective in the data they choose to share with companies.
Part of the contradiction around GDPR and blockchain, Baker & Hostetler partner Laura Jehl explained, is that both seem to have the same ultimate goal. Blockchain-based identity solutions, where blockchain's ledger infrastructure retains personal information, “are intending to do a lot of the same things that GDPR aspires to, which is give individual control over their data,” Jehl explained.
Nevertheless, blockchain technologists are left scratching their heads as to how to appropriately comply with some of GDPR's specific mandates. A recent study from cloud data management company Veritas Technologies found that nearly 40 percent of U.K. consumers plan to take advantage of GDPR's “right to be forgotten” policy within six months of the regulation's May 25 effect date. The industry most likely to be subjected to these requests, according to the report, is financial services, with 56 percent of those polled indicating that they intend to retrieve personal data from these organizations.
Stripping that data out and handing it back isn't particularly feasible for blockchain-based companies. “That doesn't work on a blockchain because it's immutable. The whole point is that it's immutable,” Jehl noted.
However, as written, the GDPR does not specifically define “erasure” of data, meaning that blockchain technologists have a little more leeway to develop compliant solutions. Anonymized personal data theoretically wouldn't be covered under GDPR, but pseudonymization, where a hash or encrypted pointer acts as a reference to personal data (but remains inaccessible to blockchain operators), is a little iffier.
“One way to think about it is that it has to be truly anonymized, at least as to the blockchain's creator. They have to not be able to reidentify it,” she said.
Under GDPR, data “controllers” are subject to the regulation's obligations, a designation that remains somewhat unclear where blockchain is concerned. “In an open blockchain”—that is, a blockchain operated without any specific permissioning—“every individual that adds data to that blockchain could be considered a data controller,” Hinson said.
Maarten Stassen, Brussels-based senior counsel at Crowell & Moring, noted that individual blockchain operators need to consider the role they play with respect to data housed in the blockchain they operate. “Depending on the type of blockchain, you need to check whether the user is the data subject, the individual protected, or the controller,” he noted.
Some organizations operate blockchains somewhat like a physical storage unit, allowing people to store encrypted information on the blockchain without themselves holding decryption keys. “If they're not the controllers, they don't have to comply with the obligations, you can control it how you want to, on the back end of it,” Jehl noted.
Other blockchain organizations have considered variants such as private, off-chain storage replicated to only a few nodes, which keeps anyone outside those channels blind to the information held there.
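The pattern the attorneys describe above (an opaque hash or pointer on the chain, the personal data itself held off chain, and "erasure" carried out by destroying the off-chain copy and its key) is shown below as an added Python example; it is not code from the article or from any project the article names. It also illustrates why a bare hash of the data is the "iffier" option: anyone holding a copy of the chain can confirm a guessed record against a bare hash, whereas a keyed commitment cannot be checked without a secret that the controller deletes on erasure. The toy ledger, the record identifiers and the sample personal data are all constructed for illustration.

```python
# Added example: on-chain commitment, off-chain personal data, erasure by
# key destruction (often called crypto-shredding). The ledger, names and
# sample data are constructed; this is not a real blockchain.
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def canonical(data: dict) -> bytes:
    """Stable encoding so the same record always hashes the same way."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict
    block_hash: str


class AppendOnlyLedger:
    """Toy stand-in for a blockchain: blocks are appended, never edited."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    @staticmethod
    def _hash_block(index: int, prev_hash: str, payload: dict) -> str:
        return hashlib.sha256(canonical({"i": index, "prev": prev_hash, "p": payload})).hexdigest()

    def append(self, payload: dict) -> str:
        prev = self.blocks[-1].block_hash if self.blocks else "0" * 64
        h = self._hash_block(len(self.blocks), prev, payload)
        self.blocks.append(Block(len(self.blocks), prev, payload, h))
        return h

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited block breaks the chain."""
        prev = "0" * 64
        for b in self.blocks:
            if b.prev_hash != prev or self._hash_block(b.index, prev, b.payload) != b.block_hash:
                return False
            prev = b.block_hash
        return True

    def find(self, record_id: str) -> Optional[dict]:
        return next((b.payload for b in self.blocks if b.payload.get("record_id") == record_id), None)


class OffChainStore:
    """Controller-side storage: personal data plus an optional secret key per record."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[Optional[bytes], dict]] = {}


def commitment(key: Optional[bytes], data: dict) -> str:
    """Keyed: HMAC-SHA256, uncheckable without the key. key=None: bare SHA-256,
    which anyone can recompute from a guessed input."""
    if key is None:
        return hashlib.sha256(canonical(data)).hexdigest()
    return hmac.new(key, canonical(data), hashlib.sha256).hexdigest()


def register(ledger: AppendOnlyLedger, store: OffChainStore, record_id: str,
             personal_data: dict, keyed: bool = True) -> str:
    """Write only an opaque commitment on chain; keep data (and key) off chain."""
    key = secrets.token_bytes(32) if keyed else None
    store.records[record_id] = (key, personal_data)
    return ledger.append({"record_id": record_id, "commitment": commitment(key, personal_data)})


def verify_record(ledger: AppendOnlyLedger, store: OffChainStore, record_id: str) -> bool:
    """True only while an off-chain record exists and matches the chain."""
    entry = ledger.find(record_id)
    if entry is None or record_id not in store.records:
        return False
    key, data = store.records[record_id]
    return hmac.compare_digest(entry["commitment"], commitment(key, data))


def erase(store: OffChainStore, record_id: str) -> bool:
    """'Erasure' in this pattern: drop the off-chain data and its key. The
    on-chain commitment remains (the chain is immutable) but is now unlinkable."""
    return store.records.pop(record_id, None) is not None


def linkable_by_guess(ledger: AppendOnlyLedger, record_id: str, guess: dict) -> bool:
    """Can someone holding only the chain confirm a guessed record? True for
    bare hashes of guessable data, False for keyed commitments."""
    entry = ledger.find(record_id)
    return entry is not None and hmac.compare_digest(entry["commitment"], commitment(None, guess))


if __name__ == "__main__":
    ledger, store = AppendOnlyLedger(), OffChainStore()
    alice = {"name": "Alice Example", "email": "alice@example.test"}  # constructed
    register(ledger, store, "keyed-1", alice, keyed=True)
    register(ledger, store, "bare-1", alice, keyed=False)
    print("bare hash linkable by guess:", linkable_by_guess(ledger, "bare-1", alice))
    print("keyed commitment linkable by guess:", linkable_by_guess(ledger, "keyed-1", alice))
    erase(store, "keyed-1")
    print("keyed record verifies after erasure:", verify_record(ledger, store, "keyed-1"))
    print("chain still intact:", ledger.verify_chain())
```

The design point is that the chain never holds anything a third party can turn back into a person without the controller's key: the commitment is what stays immutable, and the controller's ability to delete the key is what gives "erasure" a concrete meaning. The bare-hash variant is kept only to show the failure mode; low-entropy fields such as names or e-mail addresses are guessable, so hashing them alone does not make the on-chain value anonymous.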
While these solutions may be viable now, Jehl pointed out that blockchain companies may not be able to rely on them indefinitely. Forthcoming technological advances like quantum computing may allow cyberattackers to decrypt currently unbreakable encryption in the future, which could make pseudonymised data re-identifiable. “It's good now, but for how long?” she noted of the strategy.
Regulatory Reconciliation
Though attorneys see a viable legal argument for each of these solutions, few know exactly what to expect for blockchain organizations after the May 25 deadline for GDPR. As it stands, some blockchain infrastructure is simply incompatible with the regulation as written. “For open blockchain, your compliance is likely not possible in the immediate time frame coming up on the enforcement deadline,” Hinson said.
While the European Union is clearly not keen on being left out of the potential technological revolution promised by blockchain technology, Jehl doesn't expect that regulators will be making any special case amendments to the regulation right off the bat. “I don't think they're in the mood to carve out exceptions in GDPR right this second,” Jehl said.
For the time being, cracking down on personal information living in blockchain infrastructure seems to be a low priority for regulators. “I don't think blockchain will be targeted in the initial months, or the first year. I think resources will be devoted elsewhere,” Hinson said.
“The challenge they have in the deadline is to work with all the legacy systems. The IT person is always being asked not to lose any information, but systems are not set up to delete information,” Stassen agreed.
Some of the risk to blockchain companies, Stassen noted, is not in blockchain technology itself, but in the legacy systems it may be connected to: “It's very easy for these new technologies to fall in scope. The awkward thing is that the new technology is more likely to be in scope because of the old technology that's linked to it.”
Further down the line, Jehl expects that blockchain will likely grow adjacent to the regulation. “It really is an emerging technology. The direction it will emerge will be guided by GDPR,” she said.
Blockchain operators, Jehl believes, see the opportunities to align their technology with the GDPR's ultimate goals. “They're much more focused on the opportunities to use blockchain to do what GDPR wants, which is data minimization and only sharing data you wish to share and you control,” she said.