Privacy Law Issues in Blockchains: An Analysis of PIPEDA, the GDPR, and Proposals for Compliance
The purpose of my article “Privacy Law Issues in Blockchains: An Analysis of PIPEDA, the GDPR, and Proposals for Compliance” (2019) is to identify how blockchain technologies may clash with, and reconcile, privacy legislation. The research identifies legislative issues related to the data subjects’ privacy rights, and proposes technical and policy oriented solutions for privacy law compliance. Part one defines blockchain technology and distinguishes between blockchain forms to identify the nuances of public, private, and hybrid blockchains. Part two outlines the primary privacy law challenges to blockchain as a database and medium of exchange, using Canada’s PIPEDA and the European Union’s GDPR as a benchmark for legal analysis. Part three offers a non-technical primer of privacy-centric technologies designed to facilitate the compliant processing of data on public blockchains; this section also discusses analytical techniques used to identify users on public blockchains. Part three also explores the implications of privacy-centric technologies as a solution to legislative compliance. Part four offers policy recommendations designed to complement proposed technical safeguards and generate a system of accountability in a network characterized by anonymity. The following summary is designed to identify the inherent struggle between decentralization and privacy, and outline key considerations made in the article.
Proponents of crypto-economics regard decentralized coordination as an opportunity for new forms of economic innovation, forms designed to increase value for individuals and decrease the power of intermediaries (Catalini & Gans 2016). Blockchains enable decentralized coordination by increasing the transparency of information between parties. Transparency allows the blockchain network to police itself by allowing users to collectively verify the legitimacy of every network transaction (Di Fillipi 2016). Agents to a transaction can presume fair play in this system because the transparency, security, and immutability of data should theoretically lead to increased accountability for all participants. But while transparency can facilitate decentralized business relationships by allowing individuals and businesses to trust in the network itself (rather than the intermediary), unchecked transparency can pose a paradoxical threat to the privacy rights of network participants.
Public blockchain features of decentralization and transparency conflict with contemporary privacy legislation like PIPEDA and the GDPR. Decentralization often renders the designation of accountability impossible, and transparency leaves the personal information of data subjects vulnerable. Both PIPEDA and the GDPR rely on accountable entities like processors and controllers to serve as both the champions of the regulation and the targets for infringement. This is complicated on public blockchains because the data subjects themselves often assume the roles of processors and controllers as transactional ability is conducted peer-to-peer. However, the primary privacy problem associated with the transparency and decentralization of the network is derived from the fact that the analytical ability to identify pseudonymous users, and the personal information associated with their transactions, already exists. While privacy-centric technologies like zk-SNARK’s, Ring CTs, and mixing techniques, generate anonymity for transactional information and accounts, this approach is not a standalone answer to our privacy needs. Anonymity without a complimentary regulatory response may exacerbate societal vulnerabilities by creating a marketplace with limited enforceability and oversight. While early blockchain adopters were looking for a system with less oversight and government intervention, a degree of regulation is likely required for the technology to achieve mainstream adoption. Privacy-centric technologies that provide anonymity require a complementary policy response to establish the foundation of a system that provides accountability for data processors and controllers.
A grassroots approach to regulation borrows from the GDPR’s principle of privacy-by-design and encourages anonymous transactions, supported by regulatory oversight at the entrance and exit points of the public blockchain ecosystem. Anonymity will allow participants to utilize the network without concern for data theft or eavesdropping, whereas the backend ability to identify participants will deter bad actors from taking advantage of the system for unlawful purposes like financial crimes or illicit dark web activities. If regulators and developers work together, privacy law and privacy technologies can provide the answer to many of the legal issues and economic impediments facing mainstream public blockchain adoption.
Noah Walters - Faculty of Law, University of Ottawa