After 13 years, Blockchain is starting to have meaningful impact across industry. How do Blockchain and Data privacy regulations collaborate to provide business value despite their known tensions?
Since Satoshi Nakamoto’s white paper back in 2008, Blockchain began life surrounded by much fanfare and this excitement continues. Indeed, Gartner are setting expectations that areas of this technology are entering into the ‘slope of enlightenment’ phase of their hype cycle. Cryptocurrency, Blockchain Wallets and Consensus Mechanisms are all identified Use Cases in this stage of the cycle - and are being followed by Blockchain Platforms, Smart Contracts & Tokenization within the next 5-10 year period.
Whilst blockchain will provide opportunities for innovation and signific disruption across industries, blockchain take-up has been slower than expected. Image problems, lack of suitable use cases, immaturity and blockchain fatigue are all cited as reasons that are holding blockchain back. Companies have been nervous to use blockchain for anything other than internal applications.
Nonetheless, blockchain is considered a foundational technology that will provide a basis for a fundamental paradigm shift, particularly when looking through a Financial Services lens. Made up of already existing technology components, Blockchain is a Distributed Ledger Technology (DLT) with a copy of the data, residing on multiple computers in many places including across multiple jurisdictions. These different jurisdictions raise interesting questions & challenges around legislation, regulation and data privacy across the globe due to the absence of common legal and data privacy frameworks.
As an example of the tensions that can exist between Data Privacy regulations and the blockchain technology we can explore the EU’s General Data Protection Regulation (GDPR) which can be distilled into two main points:
Centralisation (GDPR) versus Decentralisation (blockchain)
GDPR has implicit assumptions around centralisation and a single legal entity whereas blockchain, being a grouping of multiple technologies, explicitly uses decentralisation at its core and achieves its resilience through replication.
As an example, the GDPR defined ‘Data Controller’ is difficult to identify in a Blockchain and would depend on the use case. To take this further and explore both public and permissionless blockchains then there are many different actors involved and many of the actors could be identified as Data Controllers – who then does a data subject actually address? (GDPR Article 26).
Immutability (blockchain) versus mutability (GDPR)
Blockchain databases are effectively append-only ledgers. To remove data or to modify data in a blockchain requires massive disruption and is only carried out in exceptional circumstances (an example being a 51% attack). With GDPR principles such as the right to erasure and the right to restrict (other principles are available!) this creates significant challenges and barriers when considering the Data Controller obligations under GDPR articles 16 & 17.
Currently there is no agreement on what right to erase means as different jurisdictions interpret the rules in different ways. However, erasure doesn’t always necessarily mean the destruction of data. Anonymising data can be interpreted as erasure and one such way would be to destroy the private key associated with the transaction on the blockchain which, according to the French data authority, would achieve anonymity as required by GDPR Article 17.
Although there are concerns around whether Data regulations such as GDPR should be revised to take into account technology advancements such as blockchain these tensions are not considered insurmountable.
Regardless, and even after 13 years, Blockchain is a technology that will realise meaningful impact across industry and has already identified benefits for Data Protection Regulations in the following ways:
Accountability – who accessed the data and when did this occur?
Compliance with the Data Controller’s obligations
Increased control for Data Subjects over their personal data
A technology that allows for increased data-sharing
Following intive’s acquisition of SimTLix in November 2021 our experience in blockchain technologies - particularly surrounding Financial Technology in areas such as Cryptocurrency, Blockchain Wallets and Smart Contracts - has expanded our capabilities into a global reach across EMEA, LATAM and the US regions. We are putting our intive design-led skills to good use for features such as Wallet and User creation; wallet limits; Public & Private key Validations; receiving and sending funds to internal and external addresses; fund recovery and signing verification.
What’s more, we are leveraging our experience and are actively engaged in projects that include multi-signature wallets and custodial services. These types of projects are providing our client’s customers with key market differentiators such as the ability to hold and transfer native tokens using hot and cold wallets, delegate their funds and claim their rewards using API integrations or a client UI.
If you’d like to know more about how and where we can help, we’d be delighted to talk further with you. Start small and contact us.