Blockchain and data protection

Event report

This session discussed the conclusions of a seminar held at the University of Geneva where several experts discussed blockchain in regard to the General Data Protection Regulation (GDPR).

The moderator, Mr Jörn Erbguth (Consultant on Blockchain & GDPR; Lecturer at the University of Geneva and Geneva School of Diplomacy) began the session with a brief talk on data protection, specifically regarding blockchain technology. He said that blockchain can enable privacy, but can also be a threat to privacy if not used correctly, so there needs to be a discussion on how we can use this technology for enhancing privacy. Threats to privacy such as Facebook, the National Security Agency (NSA), and hacks that exposed millions of data records all have one thing in common – the centralisation of huge amounts of data collection which are vulnerable to data abuse and manipulation. Blockchain presents a possible solution to these issues since its main feature is the decentralisation of data.

The first panellist, Ms Katrin Kirchert, (Lawyer, Privacy Law, Data Protection and Labour Law) summarised some of the many points covered during the intensive seminar at the University of Geneva. There is much information about the financial regulation of blockchain, however, there are few regulations regarding data protection. More sophisticated encryption techniques and/or regulation changes may be used to make personal data anonymous and may prove to be necessary in ensuring privacy. The blockchain system was not intended to be GDPR-compliant so new principles of governance are essential in making lawful use of smart contracts. She suggested that we should keep on working on inventing something new within the blockchain that would allow all areas to be GDPR-compliant. In concluding her presentation, Kirchert said that it is important to avoid putting personal data on blockchain, to allow users to put their own data on blockchain if they please, to build a specialised blockchain that is able to erase data after some time, and to use privacy-enhancing technology to ensure that no personal data can be retrieved from the blockchain. Users need to be informed about what can happen with personal data, but since there is no controller, users are insecure.

The next panellist, Mr Martin Adolph (Study Group Advisor, International Telecommunication Union (ITU)), spoke on the standards and organisations that address blockchain and privacy issues. There are ITU-T focus groups that are open to non-ITU members like Application of Distributed Ledger Technology (DLT), Digital Fiat Currency, and Data Processing and Management that support IoT and Smart Cities & Communities. However, ITU-T study groups are open only to ITU members, some groups include SG13, SG16, SG17, and SG20. Adolph then addressed the regulatory framework of the focus group Application of DLT, which includes interoperability rules, regulation in different sectors and countries, data protection laws, data integrity, and confidentiality.

Ms Anja Grafenauer (Co-Founder, privacyblockchainbydesign.com) presented the DIN SPEC 4997. DIN SPEC 4997 is a common language between the law and IT that reduces legal uncertainty for blockchain, and provides guidelines and a foundation for further standards and regulation. It is set to be published in December of this year. They are trying to get away from the theoretical use of blockchain by creating standards to achieve regulation.

By Jainee Feliz-Cabrera