The benefits of the distributed ledger are apparent when it comes to speed, cost, transparency and disintermediation. However, the blockchain sector can benefit from clearer guidance on application and standards when it comes to data protection and privacy.
Blockchain applications present a conundrum for many existing data protection laws, which assume a central and identifiable entity that is responsible for complying with the law. On the one hand, certain features of blockchain technology, such as encryption and anonymisation, seem to promise better security. On the other hand, certain features such as the immutability of data on the blockchain seem incompatible with requirements relating to correction and deletion.
While the blockchain sector is often associated with transparency, decentralisation and anonymity, blockchain applications do in fact collect and store user-related data and data relating to other individuals. Some blockchain applications, such as those relating to identity verification or health status records, may process personal data on-chain. However, even if blockchain applications do not conduct KYC checks and store only limited data on-chain, there still are data protection risks, such as the identification of individuals using public key information as well as re-identification attacks. Potential penalties can be severe – for example, the EU General Data Protection Regulation (GDPR) sets a maximum fine of €20 million or 4 per cent of annual global turnover, and significant monetary penalties may also be imposed in other jurisdictions such as in the United States and Asia (e.g., up to S$1 million in Singapore, HK$50,000 in Hong Kong and RMB 50 million in China, or a percentage of the annual turnover). Hence, the importance of data protection in the blockchain sector cannot be overstated.
In this FAQ guide, we break down key considerations as well as practical approaches in designing a blockchain product from a data protection perspective.
Background and context
The data protection regulations of many jurisdictions currently do not expressly deal with blockchains. Inevitably, there are gaps and uncertainties as to the application of regulations to the fast-evolving blockchain sector. Given the global nature of many blockchain applications, it is quite possible that an organisation has to comply with the data protection laws of more than one jurisdiction.
The participants we refer to in these FAQs include the blockchain operator (i.e., the entity responsible for the design, governance and operation of a permissioned blockchain network); node operators (or miners); application service providers (i.e., entities that operate an application on top of a blockchain network); and participating organisations (i.e., those that make use of the services in a blockchain network).
Q: When would publishing data on the blockchain be subject to data protection regulations?
Personal data refers to information which, either alone or together with other data that an organisation has or is likely to have access to, can identify an individual. This can include, for example, a user’s name, email address or ID number that forms part of the metadata of an on-chain transaction.
In certain jurisdictions, personal data published on a permissionless blockchain (whether in cleartext, encrypted or anonymised) may constitute a form of public disclosure. Generally, personal data should only be written on a permissionless blockchain if consent for such disclosure has been obtained, or if the personal data is already publicly available.
Q: Transactions are anonymous so why is privacy a concern?
Many blockchains record public keys on-chain. It is possible to link individuals to public keys by analysing blockchain transactions together with other publicly available data. Even datasets from which direct identifiers such as names or email addresses have been removed can be analysed to discern the identity of the data subjects; these are known as re-identification attacks.
Certain blockchains also include personal data as ‘payload’. This refers to including identifying information in the message accompanying the transaction, such as when addressed to a smart contract.
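The payload problem described above can be caught before a transaction is submitted. The following is an added illustration, not code from the original guide: a pre-write gate that decodes hex calldata destined for a smart contract, scans it for the kinds of personal data the FAQ names (email addresses and ID numbers, using heuristic patterns), and refuses the write unless consent for public disclosure has been recorded. The calldata sample and the NRIC-style ID pattern are constructed for the example.

```python
import re

# Heuristic detectors for personal data that may be embedded in a transaction
# payload. These are illustrative patterns, not a complete PII classifier.
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # Singapore NRIC/FIN-style identifier: prefix letter, 7 digits, check letter
    "id_number": re.compile(rb"\b[STFGM]\d{7}[A-Z]\b"),
}


def decode_payload(payload: str) -> bytes:
    """Smart-contract calldata is normally 0x-prefixed hex; anything else is
    treated as raw text. Falls back to raw text if the hex does not parse."""
    if payload.startswith("0x"):
        try:
            return bytes.fromhex(payload[2:])
        except ValueError:
            pass
    return payload.encode()


def find_personal_data(payload: str) -> list[str]:
    """Return 'label:value' strings for every personal-data hit in the payload."""
    data = decode_payload(payload)
    hits = []
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(data):
            hits.append(f"{label}:{match.group().decode(errors='replace')}")
    return hits


def gate_onchain_write(payload: str, consent_obtained: bool) -> tuple[bool, str]:
    """Allow the write only if the payload is clean or consent has been recorded.
    Returns (allowed, reason) so the caller can log the decision."""
    hits = find_personal_data(payload)
    if not hits:
        return True, "no personal data detected"
    detail = ", ".join(hits)
    if consent_obtained:
        return True, f"personal data present, consent recorded: {detail}"
    return False, f"blocked: personal data without consent: {detail}"


# Constructed sample: a placeholder 4-byte function selector followed by a memo
# string, mimicking calldata where an application has put an email in the message.
SAMPLE_CALLDATA = "0xdeadbeef" + b"memo: alice@example.com".hex()

if __name__ == "__main__":
    print(gate_onchain_write(SAMPLE_CALLDATA, consent_obtained=False))
```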
Q: Blockchain technology relies on encryption and cryptography. Is that not sufficient?
These technologies help to secure the system, but they are not foolproof. Encrypted data may still be considered personal data. Cryptography links each block to the previous one, helping to provide transaction immutability. However, immutability is often not guaranteed. For example, 51% attacks occur where bad actors gain control of a majority of the network’s mining or validating power and alter blockchain contents.
The persistence of on-chain data in a permissionless network means that data continues to be open to attacks in the long term. These include re-identification attacks, the decryption of encrypted data by brute-force attacks or emerging methods such as quantum decryption.
These technologies also do not address other data protection requirements. For example, data immutability may make it difficult for an organisation to cease to retain personal data when it no longer has business or legal reasons to do so.
Q: I am a miner – do I have obligations?
As node operators run blockchain nodes that store copies of all blockchain data, they could potentially be considered to collect, use or disclose personal data. In permissionless blockchains, node operators may be able to rely on exemptions relating to data that is publicly available. In permissioned blockchains, node operators may be considered data processors of the blockchain operator. Those who process personal data on behalf of an organisation are data intermediaries. In many jurisdictions, data intermediaries are directly regulated under the law; in others, they are bound by the contractual terms of their agreements with the organisations that control the collection, holding, processing or use of the data. For example, data intermediaries who are directly regulated may need to comply with obligations relating to protection (security), data retention and data breach notification.
Ideally, an operator of a permissioned blockchain should make clear the delineation of roles and responsibilities between itself, node operators and application service providers, by setting these out in legally binding consortium agreements or contracts that contain clear data controller and data intermediary obligations.