The European Union's General Data Protection Regulation (GDPR) was first drafted before blockchain became a widely adopted technology utilised across nearly every sector of the economy. One of the attractions of a blockchain platform is the immutability of data recorded on it, which seems to conflict with the right to erasure under the GDPR which allows an individual to have their personal information deleted.
How can this tension be resolved?
The GDPR – and the right to erasure
Although EU law, the GDPR applies to New Zealand businesses that process personal data with an office in the EU and, more broadly, to New Zealand businesses that process personal data of individuals residing in the EU in certain circumstances.
The GDPR's right to erasure provides that individuals have the right to have their personal data erased in certain circumstances, for example, the individual has withdrawn their consent to have their data processed. In contrast to the GDPR, the New Zealand Privacy Act 1993 (Privacy Act) does not currently contain an express right for users to require the deletion of their personal data. However, this may change. On 20 March 2018 the Minister of Justice introduced a Bill amending the Privacy Act, which is expected to come into force on 1 July 2019.
The current form of the Bill includes a number of additional privacy requirements, such as mandatory breach reporting, but does not currently contain many of the additional requirements set out in the GDPR, including a right to erasure. The Bill may yet undergo significant changes before enactment and the Privacy Commissioner has advocated for a right to erasure to be included.
So, how might this right to erasure be reconciled with the use of blockchains – which store personal data, given that once stored, information cannot be deleted?
Is encryption the answer?
Cryptography enables you to store information so that it cannot be read by anyone except the intended recipient. Public key cryptography uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private (or secret) key for decryption. You publish your public key to the world while keeping your private key secret so anyone with a copy of your public key can then encrypt information that only you can read.
Just like door locks, there are different forms of encryption, of differing strengths. But the strongest forms are for all practical purposes, unbreakable.
Could personal data stored on a blockchain be effectively 'deleted' by encrypting it and then destroying the private key so it can never be read? There is currently no firmly established answer, but there are reasons to be hopeful that this would be an acceptable solution:
- It would be ironic for the promise of blockchain platforms to be thwarted by the GDPR. One of GDPR central aims is to protect individuals in relation to the processing of their data. That is also the attraction of blockchain platforms. It is consistent with the policies behind the GDPR to find solutions that allow the development of blockchain platforms which store personal data.
- The GDPR is vague as to when exactly personal data is "erased". The wording is sufficiently wide for destroying a private key to meet the specified requirements, provided the level of encryption is sufficiently robust to ensure the personal data, once encrypted, is unable to subsequently be rendered intelligible without reference to the destroyed private key.
- The concept of encryption is already recognised in the GDPR which recommends it as a security and personal data protection method. It is a natural extension for it to be accepted in the context of the right to erasure.
These are then some reasons to expect the use of encryption techniques to allow blockchain platforms to both store personal data and comply with any right to erasure. However, we should sound a few notes of caution:
- Much will depend on the details. To allow for any right to erasure, personal data stored on a blockchain would have to be strongly encrypted, and the private key would have to be permanently deleted or otherwise made inaccessible to others. These are practical issues which will have to be carefully worked out.
- As strong cryptography makes the job of intelligence agencies more difficult, some countries have enacted law or regulation restricting or simply banning the non-official use of strong cryptography. Encryption may therefore not be a viable solution in all jurisdictions.
- In theory, any type of encryption can be broken given enough time, energy and processing power. What is considered secure today may not be secure in the future. Merely encrypted data is therefore at risk – and working out the nature and extent of that risk will be an important part of the discussion.
This article was first published by CIO New Zealand and available to view here.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.