Amsterdam is one of the world’s most important start-up hubs. Within that ecosystem, there is a need for specialist legal knowledge, because new technologies and developments lead to innovative, interesting and complex legal issues. TK Tech is an Amsterdam-based tech hub of TeekensKarstens attorneys, specialized in tech law. TK’s tech lawyers are experts in fields such as privacy (GDPR), intellectual property law, IT law, M&A and new tech.
In the upcoming period, TK Tech will update the members of the Swedish Chamber of Commerce on relevant and interesting (legal) tech issues. To kick off: privacy and blockchain, where do they meet?
The GDPR became enforceable in May 2018. The GDPR should not be about avoiding fines, but about how your company is able to showcase its responsibility and transparency regarding data protection. It creates business opportunities. Insight into the way personal data is handled allows companies to use the available data in a correct and efficient way. Therefore, data protection should be of the utmost importance to innovative businesses.
The GDPR applies to all personal data processing activities. It aims at protecting EU citizens’ data privacy and ensuring the free flow of personal data between member states. In this context it expands the rights of data subjects. Among these rights is the right to be forgotten, entitling the data subject to have their data erased, to have further dissemination of it ceased and to stop third parties from processing it. Subsequently, it requires companies to prove their compliance with the GDPR. Therefore, accountability is the magic word around the GDPR.
One of the new technologies which requires special attention when it comes to privacy is blockchain. Some people might say it is the most important invention since the internet, while others say it is highly overrated and a solution looking for a problem. Whatever the case may be, blockchain may be relevant for many of us. In general, blockchain is a ledger (database) of immutable data. This record is managed by a number of servers that keep track of all transactions on the ledger. Blockchain does not need a central authority and once data is added to the chain, it cannot be undone. There are public blockchains and private blockchains. The first is open for everyone to read, write and participate; the latter is only open to authorized participants.
Blockchain is used for a wide variety of applications. The characteristic features of a blockchain are:
- Transparency: all participants can view and review all data and transactions;
- Sharing and decentralisation: several copies of the blockchain coexist on different computers;
- Disintermediation: all decisions are made by consensus between participants, without a central arbitrator.
Blockchain is regarded as independent, safe and transparent. This sounds like an opportunity for critical, conscious and free citizens to ensure their privacy and act independently of central authorities and tech giants, doesn’t it?
Privacy vs. Blockchain
It may be clear that the characteristics of blockchain do not always reconcile with those of the GDPR. The immutability of a blockchain clashes with the rights of data subjects in the GDPR, such as the right to be forgotten and the right of rectification of personal data. The whole point of a blockchain is to ensure transactions are never forgotten in order to enable decentralised trust. What is in the chain will always be in the chain. Without immutability, the chain will be destroyed. Several solutions to this problem are suggested, such as certain encryption techniques coupled with key destruction. These techniques can potentially be considered as an alternative to deletion of the data, as the French data protection authority acknowledged.
In addition, to exercise his or her rights, the data subject must be able to address the data controller. But when it comes to accountability in a public blockchain, there may be challenges as well. With no central trusted authority or server involved, it is not always transparent who determines the means and purposes of the data processing as a controller within the meaning of the GDPR. Therefore, it isn’t clear who is responsible for the processing activities.
Blockchain as a solution to privacy issues
However, despite these challenges, blockchain could also be of value regarding accountability. Every act on or transaction in the chain is recorded and cannot be altered. That affects the transparency as well. The chain shows who has had access to data or what could be the legal ground for processing the data. This information can easily be presented to stakeholders like data subjects or data protection authorities. Furthermore, in the absence of one central server, a blockchain is less vulnerable to attacks by ill-intentioned parties.
Both data protection and the implementation of new technology should be a top priority of every innovative business. Separately they are of importance, but they also inevitably interact. For now, when personal data is involved, a private blockchain is the obvious choice. Blockchain should only be used for data processing purposes when really necessary. When implementing the technology, a conscious choice should be made for a blockchain committed to data protection. When choosing blockchain it is essential to pseudonymize or anonymize personal data. And for every blockchain, the question should be who the data controller within the meaning of the GDPR is, in order to meet the requirements of accountability.
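The key-destruction idea from the section "Privacy vs. Blockchain" and the pseudonymization advice above can be combined in one design, shown here as an added example that is not part of the original article. It uses a keyed hash (HMAC) commitment on the chain instead of encryption, keeps the personal data and a per-subject key off-chain, and all class and function names are hypothetical.

```python
import hashlib, hmac, json, secrets
GENESIS = "0" * 64

def block_hash(prev, payload):
    return hashlib.sha256((prev + json.dumps(payload, sort_keys=True)).encode()).hexdigest()

def keyed_tag(key, record):
    return hmac.new(key, record.encode(), hashlib.sha256).hexdigest()

class Ledger:
    """Append-only hash chain standing in for a blockchain (toy model)."""
    def __init__(self):
        self.blocks = []
    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "payload": payload, "hash": block_hash(prev, payload)})
    def verify(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["payload"]):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Mutable store run by the controller: personal data and per-subject keys."""
    def __init__(self):
        self.keys, self.records = {}, {}
    def commit(self, subject, record):
        # Keyed, because an unkeyed hash of guessable data (an e-mail) can be brute-forced.
        key = self.keys.setdefault(subject, secrets.token_bytes(32))
        self.records.setdefault(subject, []).append(record)
        return keyed_tag(key, record)
    def links(self, subject, record, commitment):
        key = self.keys.get(subject)
        return key is not None and hmac.compare_digest(keyed_tag(key, record), commitment)
    def erase(self, subject):
        # Key and record are destroyed; the on-chain commitment stays but is unlinkable.
        self.keys.pop(subject, None)
        self.records.pop(subject, None)

def demo():
    ledger, store = Ledger(), OffChainStore()
    record = "alice@example.test paid invoice 17"  # constructed sample data
    commitment = store.commit("alice", record)
    ledger.append({"commitment": commitment})
    ledger.append({"commitment": store.commit("bob", "bob@example.test paid invoice 18")})
    before = store.links("alice", record, commitment)
    store.erase("alice")
    return before, store.links("alice", record, commitment), ledger.verify()
```

`demo()` returns whether the record could be linked to the chain before erasure, whether it can be after, and whether the chain still verifies. Dropping a key from a Python dict does not wipe it from memory or backups, so the erasure is only as strong as the key store behind it.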
When you take these recommendations into account, blockchain enables and enhances innovation and data protection. This asks for software engineers, managers and tech lawyers to unite and create an environment where creative solutions are designed and innovation and the implementation of new technologies is supported. Developments we, as TK Tech, can only applaud!
Welcome to our What’s New? Breakfast Meeting on September 23, 2019 at the Swedish Chamber of Commerce. For more infom