When it comes to data privacy law and your personal data, blockchain technology represents the proverbial round peg that does not fit squarely within the four corners of the law. – Tom Kulik, an IP & IT Partner at the Dallas-based law firm Scheef & Stone, LLP
If you haven’t heard about blockchain technology by now, you probably have not been paying attention. Promising to transform everything from currencies to supply-chain management, blockchain (also referred to as distributed ledger technology, or DLT) provides an independent, distributed, secure mechanism to handle and process huge numbers of records in a traceable and verifiable way. That said, data can be made up of many different elements, including personally identifiable information (referred to broadly in this article as “personal data”). In the march to deploy this technology, however, there are questions that need to be asked regarding personal data that may be uploaded to the blockchain, and how the technology will comply with current U.S. and international data privacy laws. Needless to say, the answers are elusive, and more difficult to address than you may think.
For one, blockchain records are immutable — once a record is added, it is designed to remain unchanged. This is at odds with requirements of the General Data Protection Regulation (GDPR) in the EU. The GDPR requires that personal data of a “data subject” be changed or removed if the data subject so requests (sometimes referred to as the “right to be forgotten”). Further, California’s recently enacted Consumer Protection Act (CCPA) seems to have taken a cue from the GDPR by providing “consumers” the right to have their “personal information” deleted under Cal. Civil Code § 1798.105. Blockchain applications that seek to incorporate personal data within the blockchain will need to address this conundrum, such as by “forking” to a new chain (not really a viable long-term solution, IMHO), using mutable “side chains” (which deflates one of the powerful features of blockchain), or otherwise placing such personal data outside the blockchain (which, some would argue, starts defeating the purpose of using a blockchain in the first place).
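As an added illustration of the third option mentioned above, keeping the personal data itself outside the blockchain, here is a small Python model. It is not code from the article or from any particular blockchain project; the hash-chained ledger, the off-chain store, the record ids and the sample data subject are all assumptions made for this example. The ledger only ever carries a salted commitment to the off-chain record, so an erasure request is honoured by deleting the off-chain record (and its salt) while the chain stays append-only and still verifies. The salt matters: a bare hash of low-entropy fields such as a name or e-mail address can be reversed by guessing, so the salt must live off-chain with the data and be destroyed with it.

```python
"""Off-chain personal data with an on-chain commitment (illustrative model).

Assumptions for this example: a toy hash-chained ledger stands in for the
blockchain, a dict stands in for the off-chain store, and record ids and the
sample data subject are constructed here.
"""
import hashlib
import json
import secrets


class AppendOnlyLedger:
    """Minimal hash-chained, append-only ledger: blocks are never edited."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(prev: str, payload: dict) -> str:
        body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": self._digest(prev, payload)})
        return len(self.blocks) - 1

    def verify(self) -> bool:
        """Recompute every link; any edit or deletion breaks the chain."""
        prev = "0" * 64
        for block in self.blocks:
            if block["prev"] != prev or self._digest(prev, block["payload"]) != block["hash"]:
                return False
            prev = block["hash"]
        return True


def commitment(personal_data: dict, salt: bytes) -> str:
    """Salted SHA-256 over a canonical encoding of the record.

    Without the salt, a bare hash of guessable fields (names, e-mail addresses)
    could be reversed by trying candidates, so the salt stays off-chain.
    """
    canonical = json.dumps(personal_data, sort_keys=True).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


class OffChainStore:
    """Mutable store holding the actual personal data plus its salt."""

    def __init__(self):
        self.records = {}  # record_id -> {"data": dict, "salt": bytes}

    def put(self, record_id: str, data: dict, salt: bytes) -> None:
        self.records[record_id] = {"data": data, "salt": salt}

    def get(self, record_id: str):
        return self.records.get(record_id)

    def erase(self, record_id: str) -> bool:
        """Honour an erasure request: drop data and salt together."""
        return self.records.pop(record_id, None) is not None


def register_subject(ledger: AppendOnlyLedger, store: OffChainStore,
                     record_id: str, personal_data: dict) -> int:
    """Store personal data off-chain; put only a salted commitment on-chain."""
    salt = secrets.token_bytes(16)
    store.put(record_id, personal_data, salt)
    return ledger.append({"record_id": record_id,
                          "commitment": commitment(personal_data, salt)})


def resolve(ledger: AppendOnlyLedger, store: OffChainStore, record_id: str):
    """Return the personal data behind an on-chain entry, or None once erased
    (or if the off-chain copy no longer matches its commitment)."""
    for block in ledger.blocks:
        if block["payload"].get("record_id") == record_id:
            record = store.get(record_id)
            if record is None:
                return None
            if commitment(record["data"], record["salt"]) != block["payload"]["commitment"]:
                return None
            return record["data"]
    return None


def demo() -> dict:
    """Register one constructed data subject, erase it, and report the outcome."""
    ledger, store = AppendOnlyLedger(), OffChainStore()
    alice = {"name": "Alice Example", "email": "alice@example.invalid"}  # constructed sample
    register_subject(ledger, store, "rec-1", alice)
    before = resolve(ledger, store, "rec-1")
    blocks_before = len(ledger.blocks)
    store.erase("rec-1")
    after = resolve(ledger, store, "rec-1")
    return {"before": before, "after": after,
            "chain_intact": ledger.verify(),
            "blocks_unchanged": len(ledger.blocks) == blocks_before}


if __name__ == "__main__":
    print(demo())
```

The residual commitment stays on the chain after erasure; whether that salted hash still counts as personal data once the salt is gone is a legal question this model does not settle, which is exactly the kind of open issue the paragraph above describes.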
Further, the blockchain is highly distributed by design, creating some interesting jurisdictional issues. Whether public or private, a blockchain is made up of many, many different nodes. Does each node need to be GDPR compliant? If so, who is responsible for ensuring each node is GDPR-compliant? In the event of a personal data breach, what is the appropriate jurisdiction and applicable law? Just to make things more complicated, how will EU regulators view (and answer) such issues? These are compelling questions with elusive answers, but answers will be required. The penalties for non-compliance with the GDPR are up to €20 million or four (4) percent of gross annual turnover, whichever is greater (and yes, you read that correctly).
Notwithstanding the foregoing, I don’t believe that these questions will remain unanswered, as blockchain has arrived and is only getting started. The pros of the technology are far outweighing the cons at this point. That said, the answers will be challenging, and will push both blockchain technology development as well as the law. For the complete story, see https://abovethelaw.com/2018/10/why-blockchain-and-the-gdpr-collide-over-your-personal-data/?rf=1