The General Data Protection Regulation of the European Union (GDPR) was drafted before blockchain became a widely used technology across almost all sectors of the economy. One of the attractions of a blockchain platform is the immutability of the data recorded on it, which appears to conflict with the GDPR's right to erasure, under which an individual can require their personal data to be deleted.
How can this tension be resolved?
The GDPR and the right to erasure
Although it is EU law, the GDPR applies to New Zealand companies that process personal data and have an establishment in the EU and, more generally, to New Zealand companies that process the personal data of individuals located in the EU in certain circumstances.
The GDPR's right to erasure provides that individuals have the right to have their personal data deleted in certain circumstances, for example where they have withdrawn the consent on which the processing was based. By contrast, New Zealand's Privacy Act 1993 (the Privacy Act) does not currently contain an explicit right for individuals to request deletion of their personal data. That could change. On 20 March 2018 the Minister of Justice introduced a bill amending the Privacy Act, which is expected to come into force on 1 July 2019.
The bill in its current form includes a number of additional privacy requirements, such as mandatory breach notification, but does not currently contain many of the further requirements set out in the GDPR, including a right to erasure. The bill could still change significantly before it is enacted, and the Privacy Commissioner has asked for a right to erasure to be added.
So how can a right to erasure be reconciled with the use of blockchains to store personal data, given that once information is recorded on a blockchain it cannot be deleted?
Is encryption the answer?
Encryption allows information to be stored so that it cannot be read by anyone except the intended recipient. Public-key cryptography uses a pair of keys: a public key, which encrypts data, and a private (or secret) key, which decrypts it. You publish your public key to the world and keep your private key secret, so that anyone with a copy of your public key can encrypt information that only you can read. (In practice, large volumes of data are encrypted with a symmetric key and public-key cryptography is used to protect that key; either way the principle is the same: whoever holds the decryption key can read the data, and nobody else can.)
Just as with door locks, there are different forms of cryptography of different strengths. But the strongest forms are, for all practical purposes, unbreakable.
Can personal data stored on a blockchain be "erased" by encrypting it and then destroying the private key, so that it can never again be read? There is no definitive answer yet, but there are reasons to hope that this is an acceptable solution:
- It would be ironic if the promise of blockchain platforms were undermined by the GDPR. One of the central objectives of the GDPR is to protect individuals in relation to the processing of their data. That is also part of the attraction of blockchain platforms. Finding solutions that allow blockchain platforms storing personal data to develop is consistent with the policy behind the GDPR.
- The GDPR is vague about when exactly personal data has been erased. Its wording is broad enough that destroying the private key could meet the requirement, provided the cryptography is robust enough that the personal data, once encrypted, cannot subsequently be rendered intelligible without the destroyed key.
- Cryptography is already recognised in the GDPR, which recommends encryption as a measure for protecting and securing personal data. Accepting it in the context of the right to erasure would be a natural extension.
Notes of caution
There are therefore reasons to expect that cryptographic techniques will allow blockchain platforms to store personal data while respecting any right to erasure. However, some notes of caution are in order:
1. Much will depend on the details. To support a right to erasure, personal data stored on a blockchain must be strongly encrypted from the outset, the decryption key must be permanently destroyed or otherwise rendered inaccessible to anyone, and that destruction must cover every copy of the key (backups, escrow, replicas) as well as any plaintext copy of the data held off-chain. These are practical problems that must be worked through carefully.
2. Because strong cryptography makes the work of intelligence agencies harder, some countries have enacted laws or regulations that restrict, or simply prohibit, the unofficial use of strong cryptography. Cryptography may therefore not be a viable solution in every jurisdiction.
3. In theory, any form of cryptography can be broken given enough time, energy and processing power. What is considered secure today may not be secure in the future, and because ciphertext on a blockchain remains there indefinitely, it must withstand attackers with tomorrow's resources rather than today's. The encrypted data are therefore at some risk, and assessing the nature and extent of that risk will be an important part of the discussion.
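As an added illustration, not code from the original article or from Russell McVeagh, the following Go program shows the "encrypt, then destroy the key" pattern (often called crypto-shredding) that the sections above describe. It uses symmetric AES-256-GCM with one key per data subject, rather than public-key encryption, because that is how bulk data is normally protected; the toy hash-chained ledger standing in for a blockchain, the in-memory key store, the subject identifiers and the sample records are all constructed for this example and are assumptions, not anything from the source.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var ErrKeyShredded = errors.New("key for this data subject has been destroyed")

// Block is one immutable ledger entry; it holds ciphertext only, never plaintext.
type Block struct {
	SubjectID  string
	Nonce      []byte
	Ciphertext []byte
	Hash       []byte // SHA-256 over the fields above plus the previous block's Hash
}

type Ledger struct{ Blocks []Block } // toy append-only hash chain standing in for a blockchain

func blockHash(subjectID string, nonce, ct, prev []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{[]byte(subjectID), nonce, ct, prev}, nil))
	return sum[:]
}

// Verify recomputes the chain without any key, so it keeps working after a shred.
func (l *Ledger) Verify() bool {
	var prev []byte
	for _, b := range l.Blocks {
		if !bytes.Equal(b.Hash, blockHash(b.SubjectID, b.Nonce, b.Ciphertext, prev)) {
			return false
		}
		prev = b.Hash
	}
	return true
}

// KeyStore maps each data subject to its own AES-256 key, held off-chain (a map stands in for an HSM/KMS; assumption).
type KeyStore map[string][]byte

// Shred zeroes the key and forgets it. Erasure only holds if every copy (backups, escrow, replicas) goes too.
func (ks KeyStore) Shred(subjectID string) {
	if k, ok := ks[subjectID]; ok {
		copy(k, make([]byte, len(k)))
	}
	delete(ks, subjectID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Record encrypts personalData under the subject's key (created on first use) and appends only
// the ciphertext; the subject ID is bound in as associated data so a block cannot be re-attributed.
func Record(ks KeyStore, l *Ledger, subjectID string, personalData []byte) error {
	key, ok := ks[subjectID]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		ks[subjectID] = key
	}
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, personalData, []byte(subjectID))
	var prev []byte
	if n := len(l.Blocks); n > 0 {
		prev = l.Blocks[n-1].Hash
	}
	l.Blocks = append(l.Blocks, Block{subjectID, nonce, ct, blockHash(subjectID, nonce, ct, prev)})
	return nil
}

// Read decrypts a block, or fails with ErrKeyShredded once its key is gone: the ciphertext stays on the ledger unreadable.
func Read(ks KeyStore, b Block) ([]byte, error) {
	key, ok := ks[b.SubjectID]
	if !ok {
		return nil, ErrKeyShredded
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Ciphertext, []byte(b.SubjectID))
}
```

Create a store with `KeyStore{}`, call `Record` to append a subject's data, `Read` to decrypt it and `Shred` to erase it. After `Shred`, `Read` returns `ErrKeyShredded`, the block count and ciphertext are unchanged, and `Verify` still passes, which is the whole point: the chain's immutability is untouched, only the ability to interpret the data is gone. The example holds a single copy of each key in memory; a real deployment must apply the same destruction to every backup and replica of the key and must not have retained a plaintext copy of the data off-chain, or the erasure is illusory.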
Russell McVeagh lawyers Liz Blythe, Michael Taylor, Rachel O'Brien and Zoe Sims recently published on blockchain legal precedents with LexisNexis.