How blockchain fits in the privacy legal landscape
By Scott W. Pink, special counsel, O'Melveny & Myers Llp.
This is part one of a series looking at blockchain technology and the transforming privacy legal landscape. Part one will look at blockchain and privacy regulations in general.
Blockchain and distributed ledger technologies are poised to revolutionize the way we transact business, from making payments to conducting transactions to entering contracts. They enable decentralized, user-centric services that can create a shared, immutable ledger for recording a history of transactions. Its value lies in the integrity of the data that is tamper-resistant and can only be modified by consensus. Even governments have started to embrace blockchain as a means for electronically documenting agreements and other transactions.
At the same time, government regulators have been increasingly demanding that technology companies consider consumer privacy while designing their technologies. The European Union’s General Data Protection Regulation that took effect in May 2018 and the California Consumer Privacy Act that takes effect in January 2020 require that controllers and processors of personal data provide more notice of and transparency in their data collection practices. They also ushered in a new wave of data privacy rights to give individuals more control on how their data is collected, used, sold, and disclosed.
These two trends are on a collision course in that the decentralized nature of blockchain and distributed ledgers is viewed as incompatible in many ways with the principles of transparency and control that are the hallmarks of recent privacy legislation. However, with the proper approach by both industry and regulators, these technologies can comply with and even enhance most of the protections contemplated by the new privacy regulations.
What Is blockchain?
At the most basic level, blockchain is a series of blocks of data that are secured and connected using a cryptographic hash. The cryptographic hash is a mathematical algorithm that maps the data block to a unique string of bits (a hash value) that serves as a form of fingerprinting for that data. Each block of data includes a hash of the block that precedes it thereby creating a continuous chain. The data in any block of chain cannot be changed without changing all the hashes in the chain.
One of the more well-known implementations of blockchain technology is the distributed ledger, which is a database that is maintained independently by multiple participants through consensus and across multiple points (nodes) on a network. All files in the distributed ledger are timestamped and given a unique cryptographic signature. All of the participants on the distributed ledger can view all of the records in question. In this way, it provides a verifiable and auditable history of all information stored on that particular dataset.
What is unique about the use of blockchain and distributed ledgers is that the network has no central authority; in addition, the data on the network is shared and immutable. This is in contrast to traditional forms of ledgers and databases that are typically maintained in a centralized database that lives in a fixed location and is operated by a particular entity. As discussed below, most data privacy laws were written based on more traditional forms of centralized databases. The challenge for companies implementing or using blockchain technology or distributed ledgers is applying those laws in a sensible and reasonable way to the new forms of databases created by blockchain technology.
Stay tuned for part two which will look at newer privacy laws that affect blockchain.
Gloss