Blockchains Forever Memory Confuses EU’s “Right to be Forgotten” – Bloomberg Law | Omd Cialis

The European Union’s “right to be forgotten” privacy law is on a collision course with blockchain, whose key feature is that it “never forgets” the vast amount of information it collects.

The technology is becoming an integral part of a growing number of businesses, and companies across the European economic bloc want data protection authorities to clarify how blockchain and the EU’s landmark General Data Protection Regulation can co-exist.

“There are serious tensions between blockchain and GDPR,” said Jörg Hladjk, a partner at Jones Day in Brussels. “There is a general belief that blockchain technology uses anonymous data, but that’s not really the case.”

The stakes grow. The global blockchain market is predicted to explode this decade – from about $6 billion last year to $160 billion by 2029.

Blockchain’s distributed ledgers — which contain data that cannot be deleted or altered — are rapidly evolving beyond cryptocurrency transactions, facilitating efficient supply chain management, product traceability, proof of identity, and myriad other business functions.

“This is a whole new area for regulators, which raises a lot of problems,” Hladjk said.

Europe’s data protection authorities have to grapple with who controls blockchain data and who is liable if things go wrong, and “how to exercise rights.” [and] Legal bases for processing,” said Hladjk. “And what is often overlooked is whether a data protection impact assessment is required – and at what level of detail.”

“Most of the time, the data is more of a pseudonymous type of data and therefore personal data, which triggers the application of the GDPR,” he said.

EU, US guidelines

The European Data Protection Board, an independent EU body tasked with facilitating GDPR, is working on blockchain guidance, but “we cannot say when the guidance will be ready for publication, nor can we comment on what it might contain.” , it said in an email statement.

That leaves companies to navigate the fast-paced technology as best they can.

“I’ve been asked so many times whether blockchain is legal or illegal,” said Marijn Storm, data protection officer at Morrison & Foerster LLP in Brussels. “It depends,” he said, on how the technology is used.

In the US, Congress this summer is considering sweeping digital privacy legislation for the first time in years, inspired in part by the EU but also by a handful of state laws that mimic the GDPR that came into force in 2018.

The US federal privacy law (HR 8152), which is bipartisan and awaiting a vote in the House of Representatives, would for the first time give all Americans the right to access, correct and delete their data. Laws in California, Colorado, Connecticut, Virginia and Utah include a right to erasure, similar to the European right to erasure.

companies are waiting

In the EU in particular, legal uncertainty could “be a reason not to use blockchain” and tempt companies to wait and see, Storm said.

According to Deloitte’s 2021 Global Blockchain Survey, data security and privacy are the top issues for those just venturing into blockchain.

Public blockchains that can be accessed by anyone, such as Ethereum and Bitcoin, “do not simply fit into the principle of minimalism, nor can they always guarantee that the data subject can change or delete data,” says Liisi Jürgen, head of IT law at NJORD law Company in Tallinn, Estonia.

A Bcash cryptocurrency vending machine kiosk in Athens, Greece.

Photographer: Yorgos Karahalis/Bloomberg via Getty Images

With public blockchains, which by definition are open to everyone, it can be impossible to identify a central data controller responsible for compliance, creating a headache for authorities who want to know who is liable when things go wrong.

Despite the uncertainties, the data protection authorities were slow to step in.

The French Commission Nationale de l’Informatique et des Libertés published guidelines in 2018, stating that storing personal data on a blockchain should be limited to “commitments” or hashes linked to off-chain data. The CNIL also said that permissioned blockchains, or non-public blockchains set up by a limited number of known users, are preferable to public blockchains.

“Reflections at European level are essential” to issue definitive guidance on blockchain and the GDPR, said CNIL.

But four years later, that still hasn’t happened.

Encrypted Data

“We follow the CNIL guidelines and I think everyone follows them,” said Niels Vandezande, a consultant at Timelex Digital Technology Lawys in Brussels. “There are many projects going on; Everyone now wants to do everything on the blockchain.”

Blockchain and crypto are evolving so fast “that it’s very hard for regulators to understand,” he said.

The Hungarian data protection authority was a step ahead of the CNIL and issued blockchain guidelines in 2017, but in relation to the Hungarian data protection law, which was replaced by the GDPR in May 2018.

Since 2017, the Hungarian law has received “general consultation requests from certain controllers” related to blockchain, but “did not receive any specific complaints from data subjects regarding blockchain-based data processing,” said Gabriella Dél, the international rapporteur for the Hungarian Data Protection Authority.

The encrypted nature of data on a blockchain — typically a hash associated with a wallet address — also makes it difficult in practice to actually access personally identifiable information.

By using encryption technology, blockchain is a tool to manage data in a way that protects information and facilitates trust in the records rather than disclosing them or compromising their integrity, said Sujit Raman, general counsel of blockchain analytics firm TRM Labs.

“Puncture the Veil”

There are some areas that need further theorizing to be compliant with privacy regulations, such as blockchain’s rejection of centralized authorities controlling the flow of data. The fixed nature of blockchain could also pose a challenge for changing or deleting personal data.

“There are ways to reconcile the concept of privacy with blockchain technology,” said Raman, who previously represented the US government in international privacy negotiations.

But under the European GDPR, even encrypted data that can only be linked to a digital wallet counts as personal data because it can identify wallet holders.

Chain analytics firms are already profiling cryptocurrency wallets based on public blockchain data, said Yannis Kalfoglou, author of Blockchain for Business: A Practical Guide for the Next Frontier.

Data “can be anonymized, it can be pseudonymized, it can be hashed, but that doesn’t mean it’s unrecoverable,” he said. “You can always penetrate the veil.”

risks ahead?

Contrary to the 2018 CNIL recommendation that permissioned blockchains are preferable, the future lies in public blockchains, said Mary Lacity, director of the Blockchain Center of Excellence at the University of Arkansas.

“The problem with private networks is that they don’t scale,” while “governance issues pose a challenge” in larger private blockchains with many participants, she said.

Public blockchains could facilitate decentralized identity, where individuals store credentials in digital wallets and use them as the basis for a range of transactions – from purchasing an untrustworthy token to recording a real estate purchase to accessing online government services and providing Prove of legal age to get into a bar.

For land registers, for example, “it would be perfect to have something immutable,” said Storm of Morrison & Foerster.

The decentralized identity could be attractive in Europe as a digital alternative to ID cards, which are issued by most EU countries. Governments would grant the credentials stored in digital wallets.

“The basic concept is that I would control all of my identity data,” said Jeremy Grant, managing director of technology business strategy at Venable LLP in Washington, DC. “I decide who can see them and when.”

However, the challenge for a decentralized identity would be implementation, since this type of identity architecture relies on people’s ability to navigate their set of cryptographic keys, Grant said.

“Digital ID places a lot of ownership on the citizen,” who would have to “actively manage” their credentials to make sure they don’t fall into the wrong hands, Kalfoglou said.

Leave a Comment