March 20, 2023 Blockchain Boosts Security, Complicates Compliance

Blockchain technology has become prevalent in our daily lives with cryptocurrency and blockchain becoming recognizable by the public.

By L. Hannah Ji-Otto

Blockchain technology has become increasingly prevalent in our daily lives, with notable examples such as Bitcoin (crypto currency) and IBM blockchain (supply chain management) even becoming recognizable by the general public. There are numerous use cases for blockchain technology in various industries. Manufacturing businesses can use blockchain to track the movement of goods and materials from raw materials to finished products, creating a transparent and secure supply chain. Financial companies can use blockchain to create an auditable and temper-evident ledger of financial transactions, reducing fraud and improving efficiency in financial processes.  Some businesses are now using blockchain to track their carbon footprint by creating a permanent record of the origin, production, and transportation of their products and services. However, when used to process personal information, the unique traits of blockchain may make it difficult for businesses to follow privacy laws that are currently in place around the world. 

Blockchain provides a secure way to store and transmit data. Some of the key security features of blockchain technology include:

• Immutability: Blockchain is well known to ensure data integrity. Once data is recorded on the blockchain, it cannot be easily altered or deleted, providing a secure record of all transactions.
• Decentralization: Blockchain networks are decentralized, meaning that there is no single point of failure or control. This makes it harder for hackers to compromise the network, as they would need to compromise multiple nodes simultaneously.
• Crypto Security: Blockchain technology uses advanced cryptographic techniques, such as public-key cryptography and hashing, to secure data on the network. This makes it very difficult for hackers to steal or modify data stored on the chains.

Given these security features, some businesses are implementing blockchain technology across their operations, without regard to the nature of data involved in a particular process. However, using blockchain for personal information of consumers, employees and individuals raises concerns because privacy laws treat personal information differently than business information. Personal information (or personal data) is defined differently under various laws, but it generally refers to data about a natural person. Examples of personal information include names, mailing addresses, email addresses, financial accounts, and social security numbers. When businesses use any technology to process personal information, they must assess their privacy compliance obligations, as non-compliance can be expensive. For instance, under the EU’s General Data Protection Regulation (GDPR), a single breach may result in a maximum fine of the greater of €20 million or 4% of the company’s annual global turnover for each violation.  It is crucial for businesses to conduct the same privacy evaluation before implementing blockchain for personal information processing.

The same characteristics of blockchain that make it good news for data security may also raise concerns under privacy laws. As a result, whenever a blockchain technology is used to process personal information, businesses are tasked with navigating a complex privacy compliance scenario.

Privacy Issues with Immutability: This is one of the main selling points of the blockchain. Modifications of data on blockchains are deliberately made difficult to ensure data integrity and build trust in the network. Many privacy laws give consumers the right to delete their data, which means companies are required to establish mechanisms to handle these deletion requests as part of their compliance efforts. For instance, under the CCPA, subject to certain exceptions, consumers can request that businesses delete their personal information within 45 days (unless an extension applies). Under the GDPR, this right is known as the right to erasure, or “the right to be forgotten.”  The fact that blockchain technology is immutable makes it difficult if not impossible for businesses to comply with those privacy laws. This could be a costly error. Failure to honor a deletion request from a data subject is subject to enforcement by the California attorney general’s office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation. The penalties can stack up quickly. Fortunately, regulators in some jurisdictions have recognized this difficulty and have provided guidance on alternative methods to achieve data erasure on blockchain (see here for an example). To prevent expensive fines, businesses should seek advice from their privacy counsel or closely monitor regulatory guidance development when creating mechanisms to address data deletion requests on blockchain.

Privacy Issues with Decentralization:  In blockchain, a distributed network composed of nodes (which are physical electronic devices and, in many scenarios, computers) located in different places makes decisions instead of a centralized entity.  As a result, the same copy of the transaction will be stored by a number of nodes and it will be hard to track exactly where all those copies are. This characteristic promotes security, because a corrupted copy of the transaction is easily invalidated by other copies stored elsewhere. This also means that for a business to use the blockchain network in a way that complies with laws, it must assess its obligations under the various privacy laws of the jurisdictions where all the nodes are situated. There is currently not a single privacy law that all countries in the world are willing to adhere to and different jurisdictions have their own version of privacy laws and enforcement mechanisms.  Depending on where the data is collected and where it is being transmitted to, privacy laws of various jurisdictions may apply simultaneously. As a result, a business may be required to adhere to varying privacy principles as mandated by different laws, and be subject to enforcement actions by different regulatory authorities. Furthermore, some other jurisdictions such as the E.U. restrict data from being transferred out of their territories. Some other jurisdictions, including China and Russia, have data localization requirements, which means certain types of data must stay within their borders. These data transfer restrictions and localization requirements pose significant challenges to enabling unrestricted data movement across a blockchain network.  Anticipating those compliance difficulties, before utilizing a blockchain technology to process personal information, it is important for a business to have a solid grasp of the decentralized network to understand the nature and scope of the privacy issues you might be dealing with. 

Privacy Issues with Crypto Security. One of the advantages of blockchain is that it allows for encryption of data.  For example, Bitcoin uses public-privacy key encryption. The practical benefit of encryption is that it greatly enhances the security of the data. The legal effect is that data encrypted are generally exempted from state breach notification requirements in the United States. When it comes to privacy, however, in some jurisdictions with more stringent privacy regimes, including the E.U., encryption does not take a data processing activity out of the purview of the GDPR.  EU regulator has opinioned that public key is still considered personal data because it is “pseudonymized” instead of truly “anonymized.”  Pseudonymized data is still subject to GDPR regulations as personal data, meaning that companies must apply all data protection principles to blockchain applications that use public-private keys for encryption.

Blockchain is a good tool, but as with any other tools, it needs to be used in the correct time and place. Businesses should take a more nuanced approach in taking adoption of this technology and determining whether it is appropriate for a specific data string.

L. Hannah Ji-Otto is an attorney in the Nashville office of law firm Baker Donelson. She regularly advises domestic and international clients on all aspects of data security, privacy, and technology transactions. Ji-Otto can be reached at hjiotto@bakerdonelson.com or (615) 726-5758.

Subscribe to Industry Today