Senior Associate Steven De Lara and Associate Cecile Gomez’s article examines the duties (from a data protection perspective) that Distributed Ledger Technology providers will have when providing the technology, and what regulatory actions, if any, they could face if they are in breach of them.
Steven and Cecile’s article was published in Global Banking & Finance Review, 21 February 2018, and can be found here.
The General Data Protection Regulation (GDPR) comes into force in May. It has taken years of effort by the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for everyone who lives within the EU, and to address the export of personal data outside it, creating a compliance challenge for every company.
GDPR creates one set of EU rules for the protection of personal data. It also applies to businesses dealing with personal data in the EU, even if they are based elsewhere. By updating the law on individual privacy and autonomy, it recognises the enormous changes in technology and data usage that have taken place. Specifically, GDPR will introduce new accountability obligations, stronger rights and restrictions on international data flows.
Stepping into line with the new regulations has kept in-house lawyers and their law firms busy. GDPR’s impact on every business is most apparent in the new consent rules: many companies have had to change their current data protection practices and policies to ensure compliance. Ambitious and complex, the new framework is also harsh. Failure to comply could result in severe sanctions: a maximum fine of €10m or 2% of annual worldwide turnover, whichever is greater.
Beyond non-compliance penalties, there is an upside: GDPR enables organisations to realise the opportunities of the digital age by taking advantage of everything presented by new technologies, data analytics and personal information. The great technological strides that gave life to GDPR really matter for economies at a micro and macro level. This applies especially to data gathered from individual internet footprints, each with distinct interests and characteristics. Collated, sorted and analysed by AI computer systems, the information gathered about each individual and their online habits forms the raw ingredients for the creation of refined profit.
One prominent example is blockchain, most commonly used in cryptocurrencies. Although bitcoin is the best known, there are now nearly 1500 different types. These are increasingly used by start-ups and fintechs to access funds cheaply: $5.6bn was raised in Initial Coin Offerings (ICOs) last year. The boom in digital currency fundraising has been supplemented by free trading on online exchanges, which provide greater liquidity than traditional equity investments. Presently unregulated, this may soon change: initiatives are underway in the EU to have cryptocurrency regulations in place by 2020.
Attracting start-ups is a competitive business. Although some financial institutions refuse to accept cryptocurrency funds, others are much keener. The same applies in different jurisdictions: banned in the payment systems of China and India, they are welcomed in Switzerland, Sweden, the US and Canada.
Located in an ambitious jurisdiction, the Gibraltar Blockchain Exchange (GBX), a subsidiary of the Gibraltar Stock Exchange, was launched in January to provide a blockchain-based, decentralised cryptocurrency exchange: the world’s first token sale platform for fintech firms using blockchain distributed ledger technology (DLT). As Gibraltar became the first jurisdiction to license and regulate fintech firms using blockchain technology, GBX also formally recognised the use of blockchain records as an accepted mechanism for transmitting payments.
So where does data protection fit into blockchain? With the advent of centralised models of data storage, users believe that their information is protected by a trustworthy custodian. Different types of blockchain were initially designed to function in a “trustless” environment, i.e. one where people can transact directly with each other without needing to trust any third party actor in the ecosystem. In place of a middleman or custodian, a mathematical algorithm, executed and validated by a network of computers, functions as a substitute.
Without a third party custodian, individuals who are the true owners of their personal data face an increased risk of that data being lost or stolen, making data protection a very real concern. Companies which provide the technology still have the same legal duties as other businesses. The solution mandated by GDPR is that data controllers and processors have to abide by the principle of “data protection by design and default.”
GDPR anticipates that centralised digital data storage will be replaced by DLT: the design and default principle constrains “digital states”, i.e. software platforms, and those who use them. This requires designers and providers of blockchain technology to create system architectures which include privacy as a fundamental cornerstone at the outset, rather than introducing it as an afterthought.
Various techniques are used to protect privacy: pseudonymisation, which decouples data from individual identity, and data minimisation, which involves sharing only the data points that are absolutely necessary. Most blockchain technologies already have pseudonymity and data minimisation built in. These record only the public keys of the sender and recipient for each transaction and a cryptographic hash of the transaction content.
It is not possible to reconstruct a transaction or the identity of either of the two participants from a cryptographic hash (data protection by design and default), which means that it automatically complies with GDPR. Unless a party to a transaction chooses to link a public key to a known identity, transactions cannot be traced to an individual or organisation. All blockchain transactions may be public, but personal information relating to them remains confidential.
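The pattern described above, as an added example that is not part of the original article: the on-ledger record holds only two public-key pseudonyms and a hash of the transaction content, while the content itself (the personal data) stays off-chain with the parties. The public keys, the payer details and the `LedgerEntry`/`commit`/`verify` names are constructed for illustration; a random nonce is hashed with the content so that the hash works as a commitment even when the content is small enough to guess.

```python
"""Pseudonymised, minimised ledger record (added example, not the article's code)."""
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class LedgerEntry:
    sender_pubkey: str     # pseudonym: hex-encoded public key, no name or address
    recipient_pubkey: str  # pseudonym of the other party
    content_hash: str      # SHA-256 over nonce + canonical content, kept on-ledger


def commit(content: dict, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Hash the off-chain transaction content together with a 32-byte random nonce.
    Without the nonce, a hash of guessable content (a round amount, a known IBAN)
    could be confirmed by re-hashing candidates; with it, the hash alone reveals
    nothing about the content (a hash commitment)."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(nonce + canonical).hexdigest(), nonce


def record(sender_pubkey: str, recipient_pubkey: str, content: dict) -> Tuple[LedgerEntry, bytes]:
    """Build the on-ledger entry; the content and nonce stay with the parties off-chain."""
    digest, nonce = commit(content)
    return LedgerEntry(sender_pubkey, recipient_pubkey, digest), nonce


def verify(entry: LedgerEntry, content: dict, nonce: bytes) -> bool:
    """A party holding the content and nonce can prove what the ledger entry refers to."""
    return commit(content, nonce)[0] == entry.content_hash


def exposed_identifiers(entry: LedgerEntry, identifiers: List[str]) -> List[str]:
    """Data-minimisation check: which direct identifiers appear in the public record?"""
    public = (entry.sender_pubkey + entry.recipient_pubkey + entry.content_hash).lower()
    return [i for i in identifiers if i.lower() in public]


# Constructed sample data (hypothetical keys and payer details, not real values).
SENDER_PUBKEY = "02" + "a1" * 32
RECIPIENT_PUBKEY = "03" + "b2" * 32
CONTENT = {"payer": "Alice Example", "iban": "GB00EXAM00000000000000",
           "amount": "12.50", "currency": "EUR"}

if __name__ == "__main__":
    entry, nonce = record(SENDER_PUBKEY, RECIPIENT_PUBKEY, CONTENT)
    print(entry)
    print("verified:", verify(entry, CONTENT, nonce))
    print("identifiers on ledger:", exposed_identifiers(entry, ["Alice Example", CONTENT["iban"]]))
```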
Even if GDPR were not to apply to Gibraltar after Brexit, the Gibraltar Financial Services Commission (GFSC), as the regulator, would still be concerned about data protection on DLT transactions, and would be equally robust about it. The GFSC has a statutory duty to promote good business practice, protect the public from financial loss and enhance Gibraltar’s reputation as a quality financial centre. Data protection in relation to DLT rests on the latter.
Notwithstanding clever technology, no system is fool-proof. For example, hackers recently stole more than $500m from the Tokyo-based cryptocurrency exchange Coincheck, raising concern about security and regulatory protection. Further regulation over ICOs and blockchain technology is inevitable to protect individual privacy. Whether consumers are best protected by having ‘key management’ simplified by central authorities, at the cost of users no longer being the true owners of their personal data, is debatable: a topic which regulators will, no doubt, address in due course.