R3’s director of research Antony Lewis believes banks using blockchain for data sharing require stronger privacy regulations and guidelines.
As the author of the paper Blockchains and Laws, written in collaboration with Baker McKenzie, the Singapore-based Lewis said in his blog post that banks need their technology to conform to certain standards – resilience, security and so on.
Antony Lewis
“The banks (not the technology) get penalised if they can’t demonstrate high standards with technology they choose to deploy,”
“But blockchains and distributed ledgers share data, and often business is conducted across borders. And many countries have data protection laws specifying that certain types of data (e.g. personally identifying data) need to remain stored on computers within the borders of the country itself. How do we reconcile data sharing with data protection laws?” he wrote.
The white paper seeks to address this pertinent conundrum. Distributed ledger technology (DLT), was not designed for the finance world in mind, wrote Lewis. Bitcoin and Ethereum, the two biggest blockchains were designed to be both unstoppable and uncensorable. One of the issues with a broadcast blockchain is the lack of privacy of the shared data.
In Bitcoin and Ethereum, each computer on the network receives a record of every single transaction and update, and each computer validates these transactions according to a set of pre-programmed rules. In an industry network, particularly financial services, it is not necessary or acceptable for all transactions to be revealed to all participants in real time, said the white paper.
Emerging shared ledgers spawned by experiments done by the finance industry replace public blockchain with a more nuanced model where only those who need to agree on the specifics of a particular transaction see and agree on it — certain people see certain transactions. This resolves a major privacy issue that is prevalent in public blockchains given that a disinterested third party on this type of network does not need to know that a transaction has taken place or need to validate it, wrote Lewis.
Blockchain’s privacy implications
The white paper asks: how can a system that broadly distributes personal information comply with laws prohibiting dissemination of personal information? And with various parties involved in the DLT network, from data storage providers to banks, who is liable if prohibited data is found? The cross-border nature of DLT transactions add to the complexity of the matter. One solution is to apply contractual agreements for entities participating in private distributed ledgers, said Lewis.
Even data server providers could be caught up in legal tussles if a piece of prohibited info appears on a private distributed ledger technology network.
Key data protection concerns
Despite this complexity, the white paper noted some key themes that are likely to arise in most if not all jurisdictions when it comes to compliance with privacy and data protection requirements in the context of blockchain and distributed ledger implementations.
- Is the data regulated by privacy laws at all? A threshold question is whether the particular data sets are regulated at all — for example, whether the data is considered “personal data” in Europe or “personally identifiable information” in the US. Data can, for example, be confidential without being personal to an individual — sensitive corporate data might well fall into that category.
- Can data sharing occur anonymously? The treatment of anonymous or pseudonymous data is an even more difficult question under many data protection regimes.
In many cases, data that relates to an individual who is not identified will not be within the scope of data protection laws. However, many jurisdictions contemplate that anonymous or pseudonymous data that can be subjected to re-identification processes, or can be combined with other data sets to identify the individual in question, must be treated as personal data. - How are end users made aware of their rights?Most data protection regimes focus on the relationship between collector and data subject as a key point in the compliance cycle.
The key to compliance here is that the collector of the personal data clearly sets out for the data subject how the collector proposes to treat data subject’s personal data, including what personal data will be collected, how it will be used, to whom it will be transferred and how it will be secured. - How are cross-border transfers of data to be treated?Data protection regimes will seek to restrict the transfer of personal data to countries where the strength of data protection that will apply in that country is not “adequate” (ie, not up to the standards imposed in-country).
Essentially, the EU views the underlying US privacy laws as not meeting EU adequacy requirements, and has expressed concerns relating to the transfer of personal data from EU data subjects to the US.
Data protection laws in Asia
Laws in Asia regarding data protection are still premature. For instance, a key feature of privacy law in Singapore is its nascence, noted Lewis. The Personal Data Protection Act was only implemented in 2013, meaning that Singapore does not yet have as much history or precedent of data protection law as do some other jurisdictions such as those in Europe.
In the context of new and evolving technologies such as blockchain and DLT implementations, this means that difficult questions, such as the treatment of anonymous and pseudonymous data, and questions around the de-identification and re-identification of data, may be uncertain.
Of course, these types of concerns are not limited to Singapore, added Lewis, with much of the law of data protection in the rest of the Asia Pacific region also having undergone rapid development in the last five to 10 years.
Featured image: data center via pixabay
