While there is a level of alignment across data protection regimes in many major centers, this is still an area of law with important distinctions between jurisdictions.

Some key issues and differences include:
Europe and the UK: The right to be forgotten
The right to be forgotten, now embedded in EU law under Article 17 of the new General Data Protection Regulation, presents a particular challenge for open blockchain technologies. Article 17 confers a “right of erasure” of personal data, subject to certain conditions and limitations

Where a data controller (eg, a node in a public blockchain) has made personal data public, exercise of the right will also place an obligation upon a node to take reasonable steps, including technical measures, to inform other controllers of the erasure request. In complying with this obligation, controllers must take into account the available technology and the cost of implementation.

However, because permissioned DLT systems involve known and trusted parties, historical entries can be amended provided the required number of parties agrees to an erasure. For example, a similar process has been carried out by participants of the Ethereum network to reinstate the funds lost in the infamous “DAO hack.” Accordingly, DLT systems may be designed to allow personal data to be deleted if a sufficient majority of parties to the system (or an authority appointed by the parties for the purpose) agree.
Rather than containing any specific areas of particular difficulty, a key feature of privacy law in Singapore is its nascence. The Personal Data Protection Act was only implemented in 2013, meaning that Singapore does not yet have as much history or precedent of data protection law as do some other jurisdictions such as those in Europe.

In the context of new and evolving technologies such as blockchain and DLT implementations, this means that difficult questions, such as the treatment of anonymous and pseudonymous data, and questions around the de-identification and re-identification of data, may be uncertain. Of course, these types of concerns are not limited to Singapore, with much of the law of data protection in the rest of the Asia Pacific region also having undergone rapid development in the last 5 to 10 years.
A key feature of Australian privacy law since a major round of legislative updates in 2014 is the increased focus on cross-border transfer of personal information.

The current law, under the Australian Privacy Act, provides a path for the offshoring of data, but requires the transferring entity to ensure that the recipient of the data holds it in accordance with the principles of Australian privacy law. This is commonly achieved through contracts that require recipients to maintain such standards, but this is unlikely to be possible in a public blockchain context. An important consequence under Australian law is that the entity transferring the data out of Australia remains responsible for any breaches by or on behalf of the recipient entity or entities, meaning significant potential liability for any Australian node in a public blockchain under current rules.
Perhaps the defining feature of US privacy and data protection law is its fragmentation. There is, in effect, no overarching law regulating data protection; instead, collectors must contend with a range of state and federal laws, many of which cover specific data sets in particular industry sectors. In addition to healthcare, the financial services industry is one of the most highly regulated in the US, meaning that public blockchains with US nodes will need to consider and meet the requirements of a broad spectrum of regulation.

A key example of multiplicity of laws in the US is the state-by-state regulation of data breach notification: each state has its own rules governing the circumstances in which entities must notify regulators and individuals of actual or potential data breaches, and the processes for such notifications.
Singapore: An evolving law
Australia: Responsibility for offshored data
US: Fragmentation and multiple sources of rules
© 2019 Baker McKenzie
Visit bakermckenzie.com