Does blockchain really bear privacy advantages by design? Matthias Berberich, Counsel at Hengeler Mueller, assesses blockchain's strengths and weaknesses from a data protection standpoint.
Blockchain is a ground-breaking distributed ledger technology which aims to replace the role of central intermediaries – especially in the financial sector – with an algorithm-based system of trust. A widespread belief is that blockchain bears privacy advantages by design, which also help with compliance as data protection laws tighten in many jurisdictions. However, on a closer look from both a technical and a legal angle, this is far from certain. While most discussions on blockchain regulation are focused on financial law, blockchain and distributed ledger technology also raise considerable privacy implications. This may be challenging for investors and regulators alike.
To shed some light on privacy, it is important to review three core features of blockchain. First, blockchain technology is an append-only ledger, where all transactions are perpetually stored. New transactions are added in a new block, so that a blockchain will grow over time and include all transactions ever made. Second, blockchain is a decentralized peer-to-peer ledger, so that every node in the system has a complete blockchain copy, which is updated with new transactions by a distributed authentication process. Transactions are effected through a consensus algorithm which requires all transactions to be public and verified. And third, individual transaction data is asymmetrically encrypted. These features give blockchain its unique properties: immutability, public availability and decentralised algorithmic trust.
Yet, despite blockchain’s encryption, privacy doesn't always appear to be its main concern. Blockchain is good at preserving data integrity, ensuring data security and avoiding the need for central intermediaries. But it is precisely blockchain’s complete and 'multiply stored' transaction history, which cannot be removed without the consensus of most participants, that has implications for privacy. Contrary to widespread beliefs, blockchain does not guarantee anonymity. It should come as no surprise that technical de-anonymization approaches are possible and intensively discussed in the IT world (including de-anonymizing Bitcoin and Ethereum transactions, for example). Especially when blockchain transactions involve not only cryptocurrencies or tokens, but real-world assets (such as legal titles, goods and money), it is possible to accumulate sufficient user information at some point and link it to a user’s real identity. Blockchain will therefore (depending on the specific use case) provide pseudonymity, but no strict anonymity that prevents transactions or the parties involved from being identified and analysed. The full, immutable and decentralized transaction information available may put blockchain at odds with privacy laws in several jurisdictions. This requires attention.
For a closer look at privacy regulation, we will use the new EU General Data Protection Regulation (GDPR) as an example for two reasons. First, the GDPR has a wide extraterritorial reach that may affect non-EU resident businesses. The GDPR does not only apply where a data controller or processor has an EU establishment, but also to the processing of EU citizens’ personal data related to offering goods or services (irrespective of payments), or to behaviour-tracking. This broad scope could also catch distributed ledgers without EU localization. And second, the GDPR might set privacy standards in the years to come.
To bring a business model within the scope of privacy laws in many jurisdictions, the processed data must relate to individual persons. For such personal data under the GDPR, it will suffice that information is related to an identified or identifiable natural person. The threshold to be identifiable is rather low and depends on whether there are means for (re-)identification which are ‘reasonably likely to be used’ by the data controller or any other person. As mentioned above, most current blockchain use cases involve transactions, which require specific information on the transacting parties, including at least their unique account information. Despite blockchain’s encryption, individuals can, in principle, be re-identified by various de-anonymization techniques. If that is the case, such information will be personal data, which opens the gates for privacy regulation of blockchain.
Although blockchain’s data encryption is normally a good thing for privacy, the technology’s other core features could be at odds with traditional principles of privacy and data protection laws. The lack of a central intermediary in open (public) blockchain systems makes it hard to identify a data controller who can be held responsible for compliance and the implementation of privacy. This is a general regulatory challenge, since distributed ledgers run against any regulation focused on central intermediaries. But from a privacy perspective, every blockchain participant might potentially be seen as a data controller, because all of them process blockchain transaction data, at least in the verification process. Such a multitude of controllers would hardly make sense but might give authorities some leverage in a peer-to-peer (P2P) environment from a liability perspective. Just remember the 1990s, when courts at first struggled to enforce copyright in upcoming P2P file sharing networks, whereas nowadays it is common ground that every P2P user may face liability as a primary infringer. Other challenges, especially under the GDPR, will be the 'right to be forgotten', which requires deletion of data and an overturning of blockchain's inherent structure – this is hardly possible in day-to-day business. Blockchain’s current architecture also raises the question of whether its features can be balanced against the GDPR’s data minimization and 'Privacy by Design' principles.
Yet, hope remains as technologies develop ways to strengthen blockchain privacy and to mitigate regulatory risks. Solutions include making user tracking harder – by adding some 'noise' to blockchain data so that transactions are mixed up for example, or by combining on-chain and off-chain storage (especially for sensitive data, not suitable for distribution). Furthermore, blockchain can also be used in a controlled environment with limited participants (a ‘private’ blockchain as opposed to a ‘public’ blockchain). This may be interesting for a consortium of financial institutions that are looking to set higher security standards, for example. In this type of setting, it may be easier to meet privacy needs by coordinating users and designing a blockchain accordingly.
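The on-chain/off-chain split mentioned above can be sketched as follows. This is an added illustration, not code from the article: the append-only ledger stores only a keyed-hash commitment, while the personal record and its random key live in a mutable store that one operator can erase. The names `Ledger`, `OffChainStore` and `record_transfer` are hypothetical, and the chain is a single-process model without consensus.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64

def commit(record: dict, key: bytes) -> str:
    """Keyed commitment: without the key, the digest cannot be tested against guesses."""
    data = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Ledger:
    """Append-only hash chain; every block commits to its predecessor."""
    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(b: dict) -> str:
        payload = json.dumps([b["index"], b["prev"], b["commitment"]]).encode()
        return hashlib.sha256(payload).hexdigest()

    def append(self, commitment: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev": prev, "commitment": commitment}
        block["hash"] = self._digest(block)
        self.blocks.append(block)
        return block["index"]

    def verify(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._digest(b):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Mutable store outside the chain; holds the personal data and the key."""
    def __init__(self):
        self.rows = {}

    def erase(self, index: int) -> None:
        self.rows.pop(index, None)  # erasure request: drop record and key together

    def prove(self, index: int, ledger: Ledger):
        if index not in self.rows:
            return None  # erased: nothing left to link to the on-chain commitment
        record, key = self.rows[index]
        return commit(record, key) == ledger.blocks[index]["commitment"]

def record_transfer(ledger: Ledger, store: OffChainStore, record: dict) -> int:
    key = os.urandom(32)
    index = ledger.append(commit(record, key))
    store.rows[index] = (record, key)
    return index
```

Erasing a row leaves the chain's integrity check intact, because the chain never contained the record itself, only a digest that is no longer reproducible once the key is gone.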
Blockchain presents challenges to the technological neutrality of privacy laws. It remains to be seen whether the EU GDPR and other jurisdictions embrace this development in a meaningful way. In any case, blockchain investors and users should not take privacy and legal privacy compliance for granted.
Matthias Berberich
Counsel at Hengeler Mueller in Germany. He specialises in dispute resolution, intellectual property, mergers & acquisitions, and infrastructure.