By Carmen Tang, Senior Associate, Digital Business Practice Group, Oldham, Li & Nie
The General Data Protection Regulation (GDPR), a single, pan-European law for data protection which will come into force on 25 May 2018, regulates the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
When one harmonized set of regulations meets one decentralized and self-maintaining technology, how far can an individual be reassured that he/she can still maintain control over his/her personal data as promised under the GDPR?
WHAT is the “personal data” within blockchains?
Under Article 4 of GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person. GDPR accepts indicators which allow a natural person to be ‘identified’. The explicit inclusion of ‘online identifier’ makes it clear that IP addresses, mobile device IDs and the like are all regarded as ‘personal data’ and are thus protected under GDPR. On the other hand, the definition excludes the following data: (i) data that does not relate to an identified or identifiable natural person; and (ii) data rendered anonymous in such a way that the data subject is no longer identifiable.
(i) Public key and Private key
The gist of blockchain technology is that it works hand in hand with cryptography. Take bitcoin, which operates on a blockchain, as an example. Each bitcoin address has one public key and one private key. The public key is what the "bitcoin address" is created from. Anyone can look it up and send bitcoins to it. The private key is similar to a password. Only with it can the owner of a bitcoin address send bitcoins from it. To send bitcoins from a bitcoin address, you prove to the blockchain network that you own the private key that corresponds to the address, without revealing the private key. Anyone using the system can see how much money each bitcoin address has, but they cannot identify the owner of each address. Having said that, if the public key in some circumstances becomes information from which the identity of an individual may be directly or indirectly ascertained, it will then fall within the definition in Article 4. For example, when the service provider of a blockchain platform or another third party can match the public key with other data in their possession, the combination is then sufficient to establish the identity of the relevant individual.
Where institutions are in possession of different types of online identifier, some of which are meaningless strings of numbers and/or letters (e.g. public key, IP address, mobile device IDs), IT experts may be engaged to facilitate the tracing exercise, which then enables the supervisory authority to determine whether the relevant public key should be classified as anonymous data or as an identifier for the purpose of streamlining GDPR enforcement.
(ii) Encrypted data in blocks
As with the public key, transactional data encrypted in blocks can be regarded as ‘personal data’ and thus protected as long as the participants of the relevant transactions, to whom the data belongs, can be identified.
WHO are the “data controllers” and “data processors” in blockchains?
‘Controller’ is defined under GDPR as the one which determines the purposes and means of the processing of personal data, while ‘processor’ refers to one which processes personal data on behalf of the controller. Processing includes, whether or not by automated means, collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, alignment or combining, restricting, erasing or destroying personal data.
Distinguishing the degree of participation of each role player in a blockchain network may not be an easy task, and this in turn poses challenges for enforcement agencies in determining the parties liable for GDPR infringements.
Blockchain is a distributed online platform which is managed by nodes, i.e. data points on the network, instead of a processor stored in one computer. It allows everyone to add value to the chain, which forms new blocks. With such a decentralized mode of operation, strictly speaking, every participant in the network can be said to have determined the means and purposes of processing, and also to have processed the relevant data in the operation. That includes the data subjects, i.e. users who send transactions which in turn allow miners to solve mathematical problems (permissionless networks), or validating nodes to validate transactions (permissioned networks), both resulting in the addition of new blocks to the existing chain.
Are the expanded ‘data subject rights’, such as the right to be forgotten, right to access and data portability, applicable to transactions using blockchains?
(i) Right to be Forgotten
The Right to be Forgotten, also known as data erasure, entitles the data subject to have the data controller erase his/her personal data or cease further dissemination of the data. In a blockchain environment, all the transactions are stored on nodes that are part of the network. The network is designed to be non-editable so that any fraudulent version of the public ledger can quickly be spotted and rejected by other network users. Thus, in theory, if the data subject/data controller/data processor wants to delete data from a specific node, one would have to get control of 51% of the nodes in the network first, which requires controlling the majority of the computing power of that network.
Recently, a variation of the “chameleon” hash function has been developed, which allows designated authorities in a blockchain to edit, rewrite or remove previous blocks of information without breaking the chain. Nonetheless, this invention is only applicable in ‘permissioned’ blockchain systems, and not in ‘permissionless’ systems, which remain open and decentralized.
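The two paragraphs above can be seen side by side in a short sketch, added here as an illustration and not taken from the article or from any blockchain project: a plain edit to an old block is rejected by every verifying node, while the holder of a trapdoor key can rewrite the block so the chain still verifies. It uses the textbook discrete-log chameleon hash rather than the specific variation the article refers to; the group parameters, key, records and function names are all constructed assumptions.

```python
import hashlib

# Toy group, constructed for illustration only (far too small for real use):
# P = 2*Q + 1 is a safe prime and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def digest(data: bytes) -> int:
    """Map block contents to an exponent in Z_Q."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def chameleon_hash(pub: int, data: bytes, r: int) -> int:
    """CH(m, r) = G^m * pub^r mod P, where pub = G^trapdoor mod P."""
    return pow(G, digest(data), P) * pow(pub, r, P) % P

def payload(blk: dict) -> bytes:
    """Bytes covered by a block's hash: link to the previous block plus its data."""
    return str(blk["prev"]).encode() + b"|" + blk["data"]

def build_chain(pub: int, records: list) -> tuple:
    """Link blocks by chameleon hash; returns (chain, head id)."""
    chain, prev = [], 0
    for i, data in enumerate(records):
        blk = {"prev": prev, "data": data, "r": i + 1}  # r would be random in practice
        chain.append(blk)
        prev = chameleon_hash(pub, payload(blk), blk["r"])
    return chain, prev

def verify(pub: int, chain: list, head: int) -> bool:
    """Recompute every link the way any node would; no trapdoor needed."""
    prev = 0
    for blk in chain:
        if blk["prev"] != prev:
            return False
        prev = chameleon_hash(pub, payload(blk), blk["r"])
    return prev == head

def redact(trapdoor: int, chain: list, i: int, new_data: bytes) -> None:
    """Trapdoor holder picks r' so that m + x*r == m' + x*r' (mod Q): same hash."""
    blk = chain[i]
    old_m = digest(payload(blk))
    new_m = digest(payload({**blk, "data": new_data}))
    blk["r"] = (blk["r"] + (old_m - new_m) * pow(trapdoor, -1, Q)) % Q
    blk["data"] = new_data

if __name__ == "__main__":
    x = 777                                   # constructed trapdoor (the authority's key)
    pub = pow(G, x, P)
    records = [b"genesis", b"alice pays bob 5", b"carol pays dan 2"]
    chain, head = build_chain(pub, records)
    chain[1]["data"] = b"REDACTED"            # plain edit, no trapdoor
    print("plain edit verifies:", verify(pub, chain, head))
    chain[1]["data"] = records[1]             # undo, then redact with the trapdoor
    redact(x, chain, 1, b"REDACTED")
    print("trapdoor redaction verifies:", verify(pub, chain, head))
```

Whoever holds the trapdoor can rewrite any block, which is why the scheme presupposes a designated authority and does not fit a permissionless network.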
(ii) Right to Access and Data portability
Under GDPR, the data subject is entitled to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. The controller shall provide a copy of the personal data free of charge.
Besides, the data subject shall also have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller.
Every participant in a blockchain does have a copy of the anonymous data of the entire chain, and he/she has complete access to his/her own block by using the private key. To an extent, the right to access and data portability can be said to have been embedded from the outset in the design of the blockchain system.
Data privacy in Hong Kong is regulated under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), which came into force in 1996. Compared to the GDPR definition, the scope of ‘personal data’ protected in Hong Kong is further restricted to data relating directly or indirectly to a living individual and: (i) ‘from which it is reasonably practicable for the identity of the individual to be directly or indirectly ascertained’; and (ii) ‘in a form in which access to or processing of the data is reasonably practicable’. For limb (ii), it is now confirmed by Hong Kong courts that ‘form’ refers not just to the physical form of the data, but also to the state of existence of the data. One High Court Judge quoted an example of ‘non personal data’ in a judicial review case where an institution, although in physical possession of certain computerized data, has no access to the decoder necessary for decoding the encoded data. Applied to blockchain transactions, arguably the encrypted data should not fall within the definition of ‘personal data’ because they exist in a form in which data retrieval is impossible, as only the user (i.e. the data subject) has the private key. But on the other hand, the encrypted data does contain data which can ascertain an individual’s identity in most cases, and for users of blockchain, who have control over the data, access and processing are reasonably practicable.
“Data user” and “Data Processor”
To qualify as a “data user”, it is sufficient that he/she/the organization controls the collection, holding, processing or use of the personal data. Data processors include those who process personal data on behalf of another person, not just the data controller under GDPR. As mentioned in previous sections, data subjects in theory do have control of data in a decentralized ledger technology network. One can say that blockchain technology is in essence placing duties on data subjects to protect their own personal data. The time will come when revamping legislation for the purpose of introducing a contributory element on the part of the data subjects in privacy infringement cases becomes indispensable. But such a development may seem odd, as privacy laws exist to uphold the fundamental rights of individuals over their own personal data, rather than to impose a burden on individuals in guarding their own property.
Data Protection Principles (“DPPs”)
The six DPPs represent “the core of PDPO covering the life cycle of a piece of personal data”: (1) purpose and manner of collection; (2) accuracy and duration of retention; (3) use; (4) security; (5) information to be generally available; and (6) access. Blockchain technology may provide new insights into the application of some of the DPPs.
DPP2 stipulates that all practicable steps must be taken by data users to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used. In the bitcoin network, a user’s account balance is represented by the transaction ledger, which means the existence of all previous transactions is necessary for conducting all future transactions, and they thus have to be kept in the blockchain. Data may become no longer necessary when a user ‘empties’ a bitcoin wallet and wishes to ‘leave’ the chain. However, as mentioned in the previous section, deletion of transaction records seems impossible for the time being.
Under DPP4, all practicable steps shall be taken to ensure that personal data held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use. Blockchains are secure by design. If the user, i.e. the data subject, has lost his/her private key, the system is so secure that he/she may not be able to recover it, and, for the bitcoin blockchain, the bitcoins in the wallet do remain in the chain, but become irrecoverable. Again, in the blockchain context, it looks like the data subject becomes the responsible party to ensure the safety of his/her own public key.
GDPR and PDPO are said to have been designed to be technologically neutral; still, rules and regulations are mostly derived with reference to previous courses of dealing in the real world. Failing to catch up with the development of technology and innovation may ultimately defeat the very purpose of the existence of a piece of legislation. As time goes by, hopefully, privacy issues arising from blockchain applications can be fully addressed through collaborative effort by legal experts, regulators, IT engineers and technological specialists.
Carmen, Senior Associate of OLN and former legal counsel of the Office of the Privacy Commissioner for Personal Data, Hong Kong, is a member of OLN’s Digital Business Practice Group (DBPG). DBPG encompasses experienced legal professionals, admitted in different international jurisdictions, with key expertise in IT, IP, data protection, telecoms and corporate commercial matters. Carmen’s areas of expertise cover commercial and probate litigation, data privacy issues, risk management and regulatory matters.
Further details of the OLN’s expertise and recent articles can be found at our website: www.oln-law.com
 Website of Office of the Privacy Commissioner for Personal Data, Hong Kong