"Blockchain and Data Protection" -- Privacy Commissioner's article contribution at Hong Kong Lawyer (July 2019)
Blockchain is a technology platform that seeks to facilitate trusted transactions securely. Blockchain is rapidly gaining momentum in its development and acceptance. This article approaches the subject from a data protection perspective and identifies the possible privacy issues arising from the use of this new technology.
In an open and distributed ledger, transactions recorded in a blockchain are shared and synchronised across a distributed network of participants called a node. In other words, each participant of a blockchain has an identical copy of the whole ledger, i.e. the whole blockchain. Participants of a blockchain can create and add new transaction records (i.e. blocks) to the shared ledger in a secure way based on agreed network rules, without going through a central authority.
Blockchain is well-known for its deployment in recording transactions of cryptocurrencies, such as Bitcoins. Use of blockchain is being also considered in many other operations, such as smart contracts, international payments and remittances, trading of securities and supply chain management.
A blockchain, if designed and built properly, is said to be tamper-proof and resistant to modification of the data under the current technology level. It is also set to guarantee trust among participants as to the integrity of the records. A blockchain is generally highly transparent because all transactions are public, traceable and permanently stored in the blocks.
When a blockchain is used to store personal data, privacy issues may arise. The distributed ledger system means that transaction data (possibly containing personal data) could be openly-displayed for participants. In a blockchain, new participants may be admitted to the network from time to time, and each participant will have a copy of the whole digital ledger. Existing participants may not be certain about who will have access to their records in future. This may challenge the basic data protection principle in that a data subject will be notified of the identity of the data user who collects the personal data and a list of persons who would potentially have access to such data. The problem is particularly acute for “permissionless blockchains”, which are public networks that allow anybody to join, read the contents and conduct transactions. In contrast, in private blockchain networks, only authorised parties can join, and the privacy risk is relatively lower.
A blockchain is immutable and tamper-proof by design. A “block” cannot be deleted or amended even if the data stored in it is obsolete or inaccurate. The retention and continuous availability of inaccurate or obsolete personal data may well prejudice an individual’s rights to personal data privacy. These characteristics of blockchain give rise to compliance difficulties in relation to data accuracy, data retention and right to erasure.
As a distributed technology, there is no single entity responsible for the administration, as well as maladministration, of a blockchain. This causes enforcement difficulty in the event of data breach as responsibility to comply with data breach notification requirement is unclear. In addition, a data subject may also find it difficult to identify the entity who is responsible for responding to data access requests.
As the French data protection authority (CNIL) pointed out in its guidance on the use of blockchains (https://www.cnil.fr/en/blockchain-and-gdpr-solutions-responsible-use-blockchain-context-personal-data), organisations should exercise caution when deciding whether they need to adopt blockchain technologies. Furthermore, CNIL suggested data minimisation should be a priority when recording data on a blockchain. CNIL also proposed all participants in a blockchain be deemed as data users, if no single central management of the blockchain can be identified, in order to ensure accountability.
There has yet to be a solution to the privacy issues brought about by the use of blockchains. As an enforcer, educator and facilitator, my office (PCPD) has a mandate to find the way out for both data users (organisations) and data subjects (individuals). Compliance with and enforcement of the laws alone are not adequate in protecting personal data privacy in the use of blockchains, not to mention striking a balance between data protection and facilitation of technological innovation. The long-term solution lies in accountability and ethics, whereby organisations are expected to do not only what they have to, but what they ought to in order to be respectful, fair and beneficial to all stakeholders. In this regard, conducting privacy impact assessments and ethical data impact assessments is a prerequisite for the use of blockchains.
(See also Information Leaflet on “Fintech” published by PCPD in March 2019: https://www.pcpd.org.hk/english/resources_centre/publications/files/fintech.pdf)