When thinking about the application of data protection laws to distributed ledger technologies, the first point to understand is that there is no such thing as global data protection law. Although overarching principles such as Article 12 of the Universal Declaration of Human Rights and the OECD Privacy Principles developed in the 1980s provide a common source for many data protection regimes, there is significant variation around the world.

Mapping such varied and sometimes even conflicting regimes onto global distributed ledger implementations poses obvious difficulties, particularly where logical relationships between nodes bear no necessary connection to the physical jurisdictions in which they are located. However, this is not a new issue for global networks — the question of which law or laws apply to distributed digital activity has been a central concern for the application of laws online for the last 20 years, if not longer.

What this does mean, however, is that compliance with data protection laws in the context of distributed ledgers is a matter of some significant complexity, and requires consideration of each of the laws where legal entities, headquarters, nodes, and, ultimately, consumers are located. The days of arguing that communications or interactions that cross borders can somehow escape regulation are gone.
Key data protection concerns
Despite this complexity, there are some key themes that are likely to arise in most if not all jurisdictions when it comes to compliance with privacy and data protection requirements in the context of blockchain and distributed ledger implementations.
A threshold question is whether the particular data sets are regulated at all — for example, whether the data is considered “personal data” in Europe or “personally identifiable information” in the US. Data can, for example, be confidential without being personal to an individual — sensitive corporate data might well fall into that category.

In most jurisdictions, if data does not relate to a particular individual in some way, then privacy and data protection regimes will not apply.

Of course, other important legal rules might apply to impose restrictions on the way data might be able to be used and shared. This would include, for example, the confidentiality and secrecy obligations a bank has to its corporate and private wealth customers in respect of certain data sets.
The treatment of anonymous or pseudonymous data is an even more difficult question under many data protection regimes. In many cases, data that relates to an individual who is not identified will not be within the scope of data protection laws.

However, many jurisdictions contemplate that anonymous or pseudonymous data that can be subjected to re-identification processes, or can be combined with other data sets to identify the individual in question, must be treated as personal data.
Is the data regulated by privacy laws at all?
Can data sharing occur anonymously?
Some jurisdictions, particularly in the EU, make a clear distinction between data “controllers” (generally, the primary collectors of personal data from end users) and data “processors” (generally, secondary holders of personal data who act on behalf of data controllers, including, for example, outsourced service providers). However, many other countries do not make such a distinction in their data protection laws, but rather treat each collector of personal data as a primary actor, requiring full compliance in each case.

The implications of these distinctions will vary depending on the nature of the DLT implementation and the level of autonomy of each participant. However, one feature of most public blockchains is that each node deals with the data it receives as a fully autonomous operator rather than on a shared basis with any other node, meaning that each participant is likely to be required to comply as an independent controller of the personal data it receives.
Are all participants equally responsible for compliance?
One important effect of the controller/ processor distinction relates to how collectors of personal data need to interface with the end users (in EU data protection law, the “data subjects”)

Most data protection regimes focus on the relationship between collector and data subject as a key point in the compliance cycle. Typically, such compliance involves the provision of various notifications to the data subject (in documents such as privacy policies, collection notices or other disclosures) and the collection of certain consents from the data subject. The key to compliance here is that the collector of the personal data clearly sets out for the data subject how the collector proposes to treat data subject’s personal data, including what personal data will be collected, how it will be used, to whom it will be transferred and how it will be secured.

A clear challenge in DLT implementations is how these compliance requirements can be achieved by each participant, given that although each (or at least many) of them may end up holding personal data, in many instances only one of them will have the opportunity to directly interface with the data subject. This is likely to be a far more thorny issue in a public blockchain implementation, where there is no necessary relationship between each of the nodes, as it is in a private implementation, where contractual arrangements between participants can facilitate data protection compliance across the board. In a point-to-point DLT implementation where there is no global data broadcast, this issue is an entirely familiar one: the data being shared between nodes in such a context is effectively the same data that is shared in traditional confirmations between banks today.
How are end users made aware of their rights?
In addition to the difficulties caused by the multiplicity of privacy regimes that may apply in a DLT context, many data protection regimes also regulate the circumstances in which personal data collected from data subjects can be transferred outside the jurisdiction. Typically, data protection regimes will seek to restrict the transfer of personal data to countries where the strength of data protection that will apply in that country is not “adequate” (ie, not up to the standards imposed in-country).

This has been the context for a very high profile battle between the EU and the US on privacy matters. Essentially, the EU views the underlying US privacy laws as not meeting EU adequacy requirements, and has expressed concerns relating to the transfer of personal data from EU data subjects to the US. Various attempts have been made to deal with this issue to facilitate data flows from the EU to the US (originally, the “safe harbor” for qualifying US entities, and now the new “privacy shield”).

However, this issue is not limited to the EU. It will be important for any DLT implementation to consider the transnational data flows that will be generated, and to establish processes to enable compliance with all relevant crossborder transfer requirements. Again, this is likely to be more problematic in a public blockchain implementation than in a private DLT, given the ability in the latter to establish clear contractual obligations and rules between each of the participants.
How are cross-border transfers of data to be treated?
© 2019 Baker McKenzie
Visit bakermckenzie.com