As we know, GDPR is new regulation. New regulation faces teething issues. This is an unavoidable reality. While many have claimed that blockchain is a solution in need of a problem, Covid-19 has proved a powerful springboard for a surge in blockchain based
platforms, designed with the intention of solving pandemic induced problems.
This push for innovation grounded in blockchain technology has brought forward the need for clarification on a number of legal uncertainties in the space. Not least of which being fundamental conflicts between essential characteristics of blockchain technology
and how that interacts with certain elements of the GDPR.
Both this regulation and this technology traverse new territories and it is only natural for areas of uncertainty to arise, but it is clear that for the sake of data analysts, engineers and developers, alongside lawyers, fintechs, financial institutions
and every individual set to benefit from access to such technologies, prompt clarification on key areas is critical.
The release of Tech London Advocates and The Law Society’s report ‘Blockchain: Legal & Regulatory Guidance’ has hence been warmly received by players
across the blockchain community.
As Anne Rose, co-lead of the report, Mishcon de Reya LLP, points out, the UK Jurisdiction Taskforce’s Public Consultation and subsequent
Legal Statement on the status of cryptoassets and smart contracts under English law was previously the single existing formal legal statement in the UK in respect of distributed ledger technology (DLT)-related matters.
In true understated British fashion, the Rt Hon Sir Geoffrey Vos, Chancellor of the High Court aptly notes in the report’s Foreword, “Guidance in this area is in short supply.”
This piece looks to highlight three key recommendations made in the report which canvas definitional challenges surrounding ‘personal data’, how ‘erasure’ should be interpreted and what a data controller looks like in the blockchain context.
We have reached out to the ICO for clarification of these three key areas, however beyond informing us that the ICO’s Data Sharing Code is scheduled for launch next month, they did not wish to provide comment on their position.
Definition is the heart of the matter
Recommendation 1: What does ‘all means reasonably likely to be used’ mean under Recital 26 GDPR? Does this require an objective or subjective approach?
Perhaps a more relevant question to ask, is whether the ICO and other supervisory authorities will follow the Working Party’s (now European Data Protection Board) suggestion in Article 29 that a risk-based approach to the definition of personal data is not
appropriate.
As we know, the GDPR applies to personal data and its definition in Article 4(1) is
generally understood to be interpreted broadly. Yet, in circumstances where the categorisation of this data is unclear or may change in the future, we need to be able to determine whether the data should be defined as personal, pseudonymous or anonymous.
This requires reading
Article 4(5) GDPR and
Recital 26 GDPR together.
Recital 26 says that data is anonymous if it is ‘reasonably likely’ that it cannot be linked to an identified or identifiable natural person. This is the risk-based approach to assess whether or not certain information should be defined as ‘personal data’
and therefore will fall within the GDPR’s purview.
To date, the ICO has adopted a relativist understanding of Recital 26,
which stresses “that the risk of re-identification through data linkage is essentially unpredictable because it can never be assessed with certainty what data is already available or what data may be released in the future.”
This consideration is particularly relevant in the context of blockchain technologies as it allows for the possibility that anonymisation can never be absolute.
Despite this the Working Party’s guidance
seems to suggest that this risk-based approach is not appropriate and that “anonymisation results [only] from processing personal data in order to irreversibly prevent identification.” This absolute approach takes a strict stance toward the requirement
for anonymisation of data, and as the report holds, does not allow for the possibility that anonymous data today may become personal data in the future (upon further data being acquired, allowing for the controller or another to identify the person).
It appears that there is a strong likelihood, as Dr Michèle Finck, senior research fellow, Max Planck Institute for Innovation and Competition,
outlines “that contrary to what has been maintained by some, perfect anonymisation is impossible and that the legal definition thereof needs to embrace the remaining risk.”
Comparing the two approaches, Dr Finck notes that “Further statements by various courts and supervisory authorities fall somewhere on the spectrum between both approaches,
clearly highlighting the lack of consensus regarding the legal test to be applied, hence threatening the homogenous application of data protection law across the EU.”
Needless to say, it is difficult to see the full benefit or true intention of the GDPR come to fruition when agreement cannot be reached around certain fundamental principles – both in interpretation and in application.
Permanently impermanent
Recommendation 2: How should ‘erasure’ be interpreted for the purposes of Article 17 GDPR in the context of blockchain technology?
The Group argues that close attention to this recommendation is essential, as a core tenet of GDPR recognises a right to ‘erasure’ of personal data. As it stands, contention around the definition of ‘erasure’ is proving frustrating if not defeating for those
wanting certainty around regulatory requirements for blockchain.
The GDPR does not currently indicate what ‘erasure’ requires, that is, whether a common-sense understanding of ‘erasure’ should apply and what precisely that would look like. Does ‘erasure’ equal the destruction of personal data or a private key? Is the
ICO’s position to ‘put beyond use’ the data sufficient? It remains to be seen in case-law, however, regulatory guidance would undoubtedly be welcomed by blockchain and DLT communities.
Though it seems a straightforward premise, the very nature of blockchain presents a complex scenario for ‘erasure’ because blockchains are
usually deliberately designed to render (unilateral) modification of data difficult or impossible.
The European Parliament report, ‘Can distributed ledgers be squared with European data protection law?’ explains that there is immense difficulty applying the right of ‘erasure’ to blockchain:
“Deleting data from DLT is burdensome as these networks are often purposefully designed to make the unilateral modification of data hard, which is in turn supposed to generate trust in the network by guaranteeing data integrity.”
Tied to the above queries regarding the definition of personal data, there are also fundamental challenges in the attempt to determine whether ‘erasure’ should be interpreted as anonymisation in the absolute sense (as seemingly recommended by the Working
Party). Yet, as has already been raised, the reality that absolute anonymisation in the context of blockchain is likely, leads to the uncomfortable conclusion that personal data can only ever be pseudonymised.
Pseudonymous data in this sense
relates to personal data which can no longer be attributed to a specific data subject without the use of additional information. Anonymous data on the other hand is data which cannot be attributed to a specific data subject, including with the application
of additional information.
Every data controller needs purpose
Recommendation 3: Can a data subject be a data controller in relation to personal data that relates to them?
The question of the data controller’s purpose must also be addressed when considering the definition of personal data. The Working Party emphasises that “to argue that individuals are not identifiable, where the purpose of processing is precisely to identify
them, would be a sheer contradiction in terms.”
The report refers to a decision by the French supervisory authority (the CNIL) which found that Google’s accumulation of data, enabling it to individually identify persons using personal data, is “[the] sole objective pursued by the company to gather a maximum
of details about individualised persons in an effort to boost the value of their profiles for advertising purposes.”
The right to erasure in the GDPR has certain exceptions, such as in cases where the processing of this personal data is still necessary for the performance of a contract.
In its 2019
study, the European Parliament states that when determining who is a data controller for blockchain-enabled processing of personal data, the purpose and means of data processing in the specific use case must be considered, along with the governance design
of the specific blockchain.
The study underscores the lack of consensus as to who should be considered the data controller in the context of blockchain-enabled processing, but provides a
number of possible actors which may qualify.
Notably, the study reads that “a recent European Parliament report embraces the same view in suggesting that users ‘may be both data controllers, for the personal data that they upload to the ledger, and data processors, by virtue of storing a full copy
of the ledger on their own computer.’” It continues that accordingly, there is broad consensus that DLT users will in at least some circumstances be considered as data controllers under the GDPR.
In the report however, Rose calls for guidance on the topic, noting that “the lack of consensus as to how (joint-) controllership ought to be defined, and how it impacts upon accepted (or even contested) meanings within GDPR, hampers the allocation of responsibility
and accountability.”
Privacy by design
If it is the
case that consensus can’t be achieved about blockchains being either all compatible or incompatible with European data protection law, how do we go about building on blockchain innovation?
The
Europarl report observes that “where much of the debate has focused on the tensions between blockchains and European data protection law, the former may also provide means to comply with the objectives of the latter.”
That is to say, while the technical idiosyncrasies of blockchain are difficult to reconcile with GDPR, if blockchain can be architected with a view to compliance with data protection law, then perhaps compliance by design is the best solution available.
Further, the lack of legal certainty regarding achieving compliance with blockchain technology and indeed other technologies underscores the conceptual uncertainties inherent within GDPR itself.
The report adds that there is currently no legal certainty for developers who wish to handle public keys in a GDPR-compliant manner. How is this impacting innovation? When there appears to be only risk for individuals pursing such innovation, we can’t expect
to see ground-breaking developments.
Where do we stand today?
In a Q&A following the release of the European Commission’s Digital Finance package in September, the Commission
noted that it remains vigilant about ensuring consumers remain in charge of their data. The Commission also underscores that compliance with data protection rules, in particular
the General Data Protection Regulation (GDPR) is a prerequisite for a financial sector driven by data.
Also explaining that crypto-assets are digital representations of values or rights, which can be transferred and stored electronically using specific technology (known as distributed ledger technology), the Commission
states that crypto-assets are inextricably linked to blockchains, as they are the blocks that make up the chains themselves.
The Commission’s pilot regime for market infrastructures that trade and settle transactions in financial instruments in crypto-asset form is therefore a significant step. Importantly, the Commission also observes weak legislative areas and hope to propose
some related amendments where current legislation presents clear issues to the application of distributed ledger technology in market infrastructure.
In the
text of the package itself, the Commission says it will pay particular attention to “due compliance with data protection rules, in particular the General Data Protection Regulation.”
Ideally, this pilot will yield further clarity on the conceptual challenges sooner than waiting for appropriate case law to trickle through. As flagged earlier in the piece, it is also hoped that the ICO’s Data Sharing Code, scheduled for launch next month
(November 2020), will provide clarification across some of these complex issues.
Alongside work being carried out related to Data Sharing Code, the ICO’s
Regulatory Sandbox for 2020-2021 is targeting innovations related to data sharing particularly in the areas of health, central government and finance (among others). Developers focused on products or services which are likely to enable substantial public
benefits but may involve the use of innovative data governance frameworks or data sharing platforms, or involve the processing of sensitive personal data are encouraged to apply.