Blockchain technology enables new business models and processes. As with every technology that breaks new ground, a solid legal analysis is indispensable. The developer must be aware of all relevant restrictions and standards that must be fulfilled to successfully get the project off the ground.
Under the EU General Data Protection Regulation (GDPR), which entered into force on May 25th, 2018, a non-compliant organisation or person can face heavy fines as well as compensation and liability payments toward any person who has suffered material or non-material damage as a result of an infringement. Even though the developers of a blockchain project are usually neither controllers nor processors, they should consider data protection aspects in the software design process. Non-compliance with data protection regulations can jeopardize blockchain projects and business models through orders from data protection authorities.
How can a developer avoid pitfalls?
Generally, you should make sure that the project complies with the highest standards. As the blockchain is global by nature, we recommend the GDPR as the standard. The EU legislation is generally user-friendly; however, it is sometimes difficult to comply with.
Under the GDPR, personal data is defined as information relating to an identified or identifiable natural person, where a person is considered identifiable if there are means reasonably likely to be used for identification by the data controller or any other person. Even though information on the blockchain is pseudonymised, as soon as blockchain transactions are combined with off-chain goods, a connection between the pseudonymised data and the data subject becomes possible. In pure on-chain transaction models, identification will be more difficult, but not impossible. Therefore, in general there is a strong case for arguing that individual-related information on the blockchain is personal data.
The main issues for blockchain technology with regard to data protection are the rights to rectification and to erasure ("right to be forgotten") provided in Art. 16 and 17 GDPR. Under these rights, the data subject may demand from the data controller the rectification of inaccurate personal data concerning him or her, or the erasure of personal data if the data are no longer necessary for the purposes for which they were collected or processed, or if the data subject withdraws consent and there is no other legal ground for processing. In this context there are, generally speaking, two main challenges:
- First of all, there is no data controller in a public blockchain, since the blockchain is decentralized. In most cases the miners cannot determine the content of the blockchain. Therefore, it is unclear who could fulfil a data subject's claim for rectification or erasure.
- Secondly, the blockchain architecture may even technologically preclude a simple rectification or deletion upon request by the data subject, since data stored on-chain cannot be altered without the acceptance of the other nodes.
With these challenges in mind, privacy issues should be on the agenda of the architects and developers of a blockchain project already at an early conceptual stage. The earlier your team deals with privacy issues, the lower the risk that a blockchain application must be adapted or even rebuilt. The GDPR also requires privacy by design and by default. Privacy by design and by default means implementing appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. Possible technical measures to ensure data protection are secure multi-party computation, chameleon hash functions, codifications and zero-knowledge proofs.
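To make the chameleon-hash measure concrete, the following added example (not code from the original article) shows how a trapdoor holder can replace an on-chain record with a corrected one while the hash that other blocks link to stays unchanged, which is the mechanism behind "redactable" ledgers. The group parameters, record contents and function names are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Toy discrete-log chameleon hash in the style of Krawczyk and Rabin.
# Parameters are deliberately tiny and constructed for illustration only;
# a deployment would use a 2048-bit-plus safe prime or an elliptic curve.
P = 2039  # safe prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup generated by G
G = 4     # quadratic residue mod P, so it generates the order-Q subgroup

# Constructed sample: a record holding personal data with a wrong birth date.
OLD_RECORD = b"name=Alice Example;dob=1990-01-01"
NEW_RECORD = b"name=Alice Example;dob=1990-01-02"


def keygen():
    """Trapdoor x stays with the party entitled to redact; y is published."""
    x = secrets.randbelow(Q - 1) + 1          # 1 <= x < Q, so x is invertible mod Q
    return x, pow(G, x, P)


def _embed(record: bytes) -> int:
    """Map an on-chain record to an exponent in Z_Q via SHA-256."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % Q


def chameleon_hash(y: int, record: bytes, r: int) -> int:
    """H(m, r) = G^m * y^r mod P; anyone holding the public y can recompute it."""
    return (pow(G, _embed(record), P) * pow(y, r, P)) % P


def verify(y: int, record: bytes, r: int, h: int) -> bool:
    """Check a (record, randomness) pair against the hash stored in the chain."""
    return chameleon_hash(y, record, r) == h


def forge(x: int, record: bytes, r: int, new_record: bytes) -> int:
    """Trapdoor holder finds r' with H(new_record, r') == H(record, r).
    H = G^(m + x*r), so we need m + x*r == m' + x*r' (mod Q)."""
    m, m_new = _embed(record), _embed(new_record)
    return (r + (m - m_new) * pow(x, -1, Q)) % Q  # modular inverse needs Python 3.8+


def demo():
    """Rectify OLD_RECORD to NEW_RECORD; returns (hash unchanged, new pair verifies)."""
    x, y = keygen()
    r = secrets.randbelow(Q)
    h_before = chameleon_hash(y, OLD_RECORD, r)     # value other blocks link to
    r_new = forge(x, OLD_RECORD, r, NEW_RECORD)     # Art. 16 rectification step
    h_after = chameleon_hash(y, NEW_RECORD, r_new)
    return h_before == h_after, verify(y, NEW_RECORD, r_new, h_before)


if __name__ == "__main__":
    print(demo())
```

Whoever holds the trapdoor can rewrite history silently, so its custody (for example split across several nodes via threshold or multi-party techniques) is the governance decision that a DPIA for such a design has to document.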
Furthermore, in some cases the GDPR requires a Data Protection Impact Assessment (DPIA) prior to the processing (1). A DPIA is a process designed to describe the processing, to assess its necessity and proportionality, and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data. The DPIA is an important tool for accountability. It helps controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the regulation. The DPIA is, therefore, a process for building and demonstrating compliance. (2)
Even once the project is running, a careful developer must monitor the "legal climate" and how authorities deal with privacy and other issues on the blockchain. The issuers must be ready to answer all questions and give the necessary assurances to the authorities. An efficient way to ensure that all data protection requirements are met is to obtain privacy certificates (such as the ePrivacy seal; www.eprivacy.eu).
Blockchain technology is still in its infancy and not all legal questions have been clarified yet. Consequently, it is very important to keep an eye on the development of the legal environment, especially regarding data protection issues, and to be ready to implement changes as fast as possible. In the long run, data protection will not only have an impact on the success of the project but also a negative or positive impact on the value of any token.