The General Data Protection Regulation (“GDPR”) amounts to a significant overhaul of existing data protection regulation and is designed to be ‘technology neutral’. However, how the GDPR will cope with emerging block chain technology and a move towards the decentralisation of data storage remains to be seen.
What is a block chain?
Block chain is the underlying technology behind platforms such as Bitcoin and Ethereum. Whilst block chains are best known for their use in the field of ‘crypto currencies’, they have a broad range of potential applications such as storing medical data, supply chain management or social networking.
The term ‘block chain’ has no single definition but it is generally used to refer to a way of recording transactions across a network of computers. Transactions sent to the network are grouped into ‘blocks’ which are time stamped and linked to the previous block. Linking each block to the previous block confirms the integrity of the chain all the way back to the first block. Information on the block is encrypted and protected through cryptography.
The block chain is stored on a network and no centralised ‘official copy’ exists. The process of adding transactions to the chain is performed by mining ‘nodes’. Mining is essentially a record keeping service whereby miners compete to collect in and verify transactions.
Who are the data controllers?
The GDPR continues to use the existing concepts of data controllers (who determine the purposes for which and the manner in which any personal data are to be processed) and data processors. In addition to introducing penalties for data processors, it imposes even more stringent obligations on the controller of personal data and drastically increases the potential penalties for non-compliance.
In a decentralised system where there is no individual entity in control of the data, it is difficult to identify who the obligations are placed upon and, even once the controller has been identified, enforcement does not seem feasible. For example, in the case of Bitcoin, the miners who verify transactions and build the block chain may be deemed to be the data controllers. Identifying each of these individuals (a recent study found that there are likely to be over 100,000) and then taking action against them is clearly not possible.
What laws apply to a data controller or data processor?
The GDPR seeks to extend the territorial reach of EU data protection law. The Regulation will apply to EU-based controllers and processors or entities processing an EU resident’s personal data in connection with goods or services offered to them or tracking the behaviour of individuals in the EU.
Applications of this technology are broad and in many cases it is simply not possible to ascertain the identity or the location of the data controller, data processor or even the data subject. In such a situation, determining the appropriate choice of law may not be straightforward and regulators may struggle to argue that they have the jurisdiction to take enforcement action.
How does this fit in with the right to be forgotten?
The right to be forgotten is codified in the GDPR and provides individuals with the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
A key feature of the majority of block chains is their immutability. Once a block has been verified and added to the chain, it may not be removed, edited or updated. Whilst in the vast majority of cases the data is protected by encryption and pseudonymisation, it is easy to envisage a situation in which an individual may want their data removed. With the majority of public block chain platforms, such a request would not be possible.
The FCA has warned firms developing this type of technology to beware of the incompatibility of immutability and the right to be forgotten. Some solutions to this issue have been proposed such as allowing administrators to edit the block chain where necessary. However, immutability is one of the key security features of a block chain and it remains to be seen how this challenge may be overcome.
The GDPR was designed using the assumptions that custodians of data would continue to be centralised entities. However, technologies such as block chain are facilitating a move towards a decentralised model of data management. In spite of the dramatic changes taking place, regulators appear to be taking a ‘wait and see’ approach before considering how best to address the challenges of the future. Regulating the use of private block chains (such as the global payment network being developed by banks) may be facilitated by legislation such as the GDPR. However, the regulation of large public block chains (such as Bitcoin or Ethereum) may require a fundamental rethink as to how data is managed.
The GDPR will apply in the UK from 25 May 2018.