It is said that the blockchain technology is the next generation database that promises to deliver secure and efficient transactions between parties. However, the fact that everyone has access and can view the entire transaction history in the blockchain makes it a primary security concern. This means that anyone has an equal opportunity to view and verify information of others.

Now that store information on blockchain can be viewed by anyone, the biggest question for all users is what happens to “personal information” under privacy laws? Any entity that collects, uses or disclose “personal information” is subject to a variety of compliance obligations and must disclose to the public how they store and use such information. In this article, we will be discussing how data and privacy are being regulated on blockchain.

The Blockchain Privacy Paradox

What does it mean if the data stored and processed on blockchain networks qualify as personal information? There are three aspects of the blockchain technology that are being put in question when it comes to the issue of privacy, and these are:

Transparency

The very basis of trust in decentralized networks results from the transparency of the ledger. All participants in public blockchain networks trust in the sanctity of the information because they can all see and analyze that information equally and in real time. But if all the information is transparent, it becomes accessible to anyone and may, theoretically, be used by unknown actors for unknown purposes. Accordingly, how can an entity that leverages blockchain technology to execute transactions and/or store information provide the appropriate protections for data subjects around how their information may be used or disclosed?

Immutability

Records published to a blockchain cannot be deleted, but most modern privacy legislation grants individuals a “right to be forgotten.” How can an individual or data subject exercise their right to be forgotten when the information recorded on a blockchain’s ledger is permanent?

Accountability

Public blockchains are intentionally decentralized so that there is not one accountable entity. Moreover, the networks composed through public blockchains often span jurisdictions, and may consist of hundreds, thousands, or millions of people who all technically have the ability to inform updates to the blockchain (an ability akin to managerial decision making). Under these circumstances, how can a regulator enforce actions against the supporters of a public blockchain, when responsibilities around upkeep, management, and ongoing development are spread across a community of unassociated individuals?

Best Practices When Managing Personal Information in Blockchain

In some countries like Canada, there are still yet any official recommendations or interpretations published on how to process personal data on both public and private blockchains. However, a broad interpretation of personal information could deter blockchain stakeholders from processing personal data on public blockchains since these pieces of information are accessible by anyone and can be distributed/stored amongst all nodes within the network.

On the contrary, management of individual rights over personal information is possible in private blockchains since there are designated and accountable entities that control the number of stakeholders with access to the blockchain. With this, stakeholders may require compliance with privacy regulations as a means of accessing the private blockchain and its associated application/s. Stakeholders may also be removed from the network for failures to comply, and a sufficiently centralized private blockchain may be overwritten by participants through collaboration to respond to certain privacy infringing incidents.

The stakeholders behind decentralized applications of either public or private blockchain also have the ability to proactively mitigate privacy law risks by designing appropriate privacy policies and implementing best practices that involve:

The blockchain application should avoid storing personal data as a payload on the blockchain (i.e., including identifying information in the message accompanying the payment itself), and instead have blockchain transactions serve as mere pointers or an access control mechanism to more readily managed storage solutions off-chain.

Encryption techniques currently being used by privacy-centric chains include ZK-SNARKS, Ring Confidential Transactions, and mixing techniques, all of which are intended to mask the identity of the sender or recipient and/or allow participants to confirm transactional legitimacy by cryptographically proving that they know something without revealing the nature and identity of the information.

Other privacy enhancing encryption and destruction techniques may be used to protect an individual’s privacy rights, such as hashing data or applying other data transformation techniques to personal information, and revocation of access rights to a blockchain application (or entire blockchain in a private blockchain network). However, some regulators have yet to address if such measures are sufficient to meet the demands of a standardized privacy legislation.

Final Thoughts

Lawmakers have yet to dig deeper on the features of the growing blockchain technology, which is why until now there is not a standard framework that existed for data and privacy regulations. The main intention why blockchain was created was to eliminate central authorities that control and manage the data and information we provide, making transactions smoother and faster. This is beneficial to everyone but as time passes by, malicious actors have emerged wherein their only goal is to manipulate and use the free-access to blockchain on illicit activities.