“Legal responsibility needs to be in line with technical control” – Jörn Erbguth, blockchain and dat
Blockchain provides a new level of protection against data manipulation. This is an opportunity for data protection but also a challenge to existing regulation. In the interview, Jörn Erbguth discussed the reliability of blockchain technology, data protection issues, GDPR compliance, and governance in distributed ledger technology.
Interviewer: Blockchain & Bitcoin Conference Switzerland (BCS).
Speaker: Jörn Erbguth, Blockchain and Data Protection Consultant (JE).
BCS: Hello, Jörn. Do you think the blockchain is the most reliable of all methods to protect data?
JE: Our society is increasingly dependent on data stored in computer systems. Conventional computer systems are controlled by single institutions or even single administrators. Protection is mostly provided against hacking from the outside. If the institution itself turns out to be corrupt, conventional systems provide little protection.
Blockchain technology provides a new level of protection against manipulation. The consensus mechanism combined with hashing and encryption can only be manipulated if at least a majority of participants colludes. Although this means that blockchain can theoretically be manipulated, the burden to do so is much higher than with conventional systems.
BCS: What are the main advantages of blockchain-based data protection solutions?
JE: Data protection is not about protecting data but about protecting the individuals that are connected to that data. Protecting critical data from being manipulated serves the individuals who are dependent on that data.
One important aspect of data protection is to limit the use of personal data to agreed and legitimate purposes. Zero Knowledge Proofs, a technology used in some blockchains, can provide a means to technically enforce some of those limitations.
Another example of use is controlling the use of personal data. The General Data Protection Regulation (GDPR) has two, sometimes conflicting, aims: to minimize the data collected and to be able to justify any processing of personal data a company does. Blockchain can provide the individual with a means to effectively control the processing of their personal data without creating even more personal metadata.
BCS: Which business areas will find such solutions the most useful?
JE: Use cases of these technologies can be found in the health sector, for example. In this sector, the anonymity and control of data processing are too sensitive to be left to a single institution.
BCS: What are the biggest issues blockchain has regarding data protection?
JE: Data stored on a blockchain cannot be modified or erased anymore. Therefore, personal data that might need to be corrected or forgotten according to the GDPR should not be stored on a blockchain. Only data that do not allow identification of a person, like hashes, should be stored on a blockchain.
However, almost any data might turn out to be personal data as time passes. Encryption might be broken and even hashes might turn out to be personal data if methods of AI-based guessing are developed. External data might become available to identify specific persons in otherwise anonymous data. This means that most data are potentially personal data.
Another problem is legal uncertainty concerning the roles and duties under the GDPR. GDPR was not made for decentralized technology. A blockchain typically knows the roles of users submitting an entry, node operators, and miners. Although node operators and miners have no control over the data stored on a blockchain, it is not clear yet if they are regarded as “controllers” or “processors” under GDPR.
Data Protection Authorities can impose fines if systems turn out not to be GDPR-compliant. These fines go up to € 4 million or 4% of total worldwide annual turnover of a company – whichever is higher. This poses a big legal and financial risk to any company that uses blockchain technology.
BCS: What other legal issues do you see concerning Distributed Ledger Technology?
JE: Distributed Ledger Technology (DLT) is a technology that provides immutability of data stored on it. No single participant has any control over the data stored on a blockchain. As a society, we urgently need this level of data immutability. At the same time, we do not provide node operators with the same type of immunity that we grant communication providers, for example. This will be a huge issue in the future for public blockchains but also for other kinds of DLT. Legal responsibility needs to be in line with technical control.
Another issue is governance. DLT as a decentralized technology should not be subject to any centralized governance. However, there is still a lack of decentralized governance in most blockchains to decide on software updates or disputes, for example. And even if a decentralized governance exists, some courts will probably not recognize it. So here, we need something similar to the New York Arbitration Convention.
BCS: What will you discuss at Blockchain & Bitcoin Conference Switzerland?
JE: At the conference, I will give an overview of what you need to do to use blockchain in a GDPR-compliant way. I will discuss possible conflicts, solutions, and open questions.
Jörn Erbguth will take part in the Blockchain & Bitcoin Conference Switzerland. As a speaker, he will deliver the presentation “Blockchain and the European Union’s General Data Protection Regulation (GDPR)”.