In the upcoming "The Handbook of Blockchain Law: A Guide to Understanding and Resolving the Legal Challenges of Blockchain Technology" by Matthias Artzt, CIPP/E, and Thomas Richter, Chapter 5, "Blockchain and Data Privacy," written by Artzt, Lothar Determann and William Long, offers a detailed review of the privacy issues raised by blockchain technology, with most of its focus on the EU General Data Protection Regulation — understandably, since it has seen the most discussion among scholars, practitioners and regulators. It also addresses the more recent California Consumer Privacy Act, but there is simply less to say on that topic.
The authors do a great job of identifying most of the areas of conflict between privacy law, which focuses on privacy as an individual right to autonomy based on trust and accountability, and security and cryptography, with attention on some things that sound similar but apply differently. In many cases, what blockchain enthusiasts see as a feature, privacy pros see as a bug. And we are left echoing the movie "Clerks": "This job would be great if it wasn’t for the … customers." Let me explain.
Blockchain solves some problems involved in conducting transactions — or recording them — without trusting any of the parties or using an intermediary. Today, we record sales of real estate in a public repository that’s operated by a trusted party: the government. There are still many transactions that are "secret" and a fair amount of disputed or fraudulent ones, as well.
Blockchain seeks to solve these problems by allowing parties to transfer things without relying on a "middle person" and without trusting each other. It does this by creating a competition between multiple participants to repeat all the previous transactions, plus the new ones, in a public (everyone can see the work), distributed (there are multiple copies of the ledger all over the place) and tamper-proof way. That’s a massive oversimplification, but it should work for this discussion.
Information security is based on the CIA triangle: confidentiality, integrity and availability. Much of information security is about balancing focus among these three values to meet a particular objective. Blockchain focuses on transaction integrity and gives lower priority to availability and confidentiality. Integrity, in turn, tends to be linked to identification (who do I claim to be?), authentication (am I the same person who claimed this identity in the past?), authorization (what privileges does the authenticated identity entitle me to?), accounting (how can I be sure the privileges were used appropriately?) and non-repudiation (if I deny a transaction, can you prove I did it?). Blockchain gets there by establishing an immutable or "append-only," semi-public, consensus-based, decentralized and distributed ledger. It’s hard to fool a blockchain because to falsify a transaction, you’d need to conspire with 51% of the participants, all of whom are in a race to verify transactions, and, in most cases, not interested in whatever trick you are trying to pull.
Modern privacy laws, like the GDPR, focus on control and certainty and include multiple principles, like:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimization.
- Storage limitation.
- Integrity and confidentiality.
- Accountability.
Even the principles that seem to match those in the security world tend to have different meanings or focus. That’s what makes this complicated.
The authors start at the beginning. The work of various blockchain participants is tough to fit into the role expectations of privacy laws. The GDPR identifies three basic roles: data subject (whose information is processed), controller (who determines the what and how of the processing) and processor (who processes the data as instructed by the controller). Of the three, the controller is the most important under privacy regulation — the controller is accountable for the processing and must respond to requests from regulators and data subjects. But remember, blockchains are built to avoid centralized control.
The authors rightly note the mismatch and conclude, in effect, the puzzle is the answer. They cite guidance from France's Commission nationale de l'informatique et des libertés, the U.K. Information Commissioner's Office, and various EU bodies that solve some easy cases, note the problem, and conclude: "it depends."
The authors also note that this guidance suggests in many cases that a private or permissioned blockchain may solve some problems, and that’s correct. But private blockchains still leave many problems unsolved.