Re-Centralizing Blockchain: EU Data Privacy in Light of 5AMLD

Image credit: The Opte Project, originally from the English Wikipedia, CC BY 2.5, https://commons.wikimedia.org/w/index.php?curid=1538544

While once relegated to law schools and boardrooms, information privacy law has moved to the forefront of public interest in recent years. Current events, such as the Cambridge Analytica scandal, have left data subjects reeling from the realization of how their personal data is being misused.[1] Moreover, the pervasive impact of the Internet of Things (IoT), and the massive amounts of data these devices store, pose tremendous data privacy concerns.[2] Smart devices permeate our homes, from smart TVs to smart speakers.[3] IoT devices are even affixed to our bodies as smart watches, or embedded under the skin as small microchips.[4] Even for those choosing not to let Alexa into their homes, the Internet of Things is unavoidable. Smart cities, such as the project underway in Las Vegas, now make it possible to record micro changes in the environment and track inhabitants’ movements.[5] An increasingly interconnected world necessitates a comprehensive reworking of outdated data privacy protections.[6]

Data privacy anxieties stem from a lack of trust in the intermediaries who store and process individuals’ data. Facebook users are happy to share updates with their friends and loved ones, but were scandalized by the use of this data to affect the democratic process. In response to this concern, two solutions have arisen simultaneously. Both address the same end goal: to put data back in the hands of individuals. The first solution is legal in nature. The EU’s recent data protection regulation, the GDPR, authorizes massive fines of up to $21 million, and requires complete transparency and consent from citizens regarding data uses. This regulation applies not only to EU businesses, but to any business processing or attempting to process EU citizens’ data. Under Article 2 of the GDPR, the EU’s data privacy laws expand well beyond the territorial scope of the EU, essentially becoming a global regulation.[7]

The second solution is more technical in nature. Blockchain, or Distributed Ledger Technology (DLT), allows data subjects to control their data by placing it in a completely transparent and effectively unalterable ledger. DLT allows data subjects to trust how their data is used because the record is immutable. As data is stored across thousands of nodes, each with a fully intact copy of the chain, interacting parties are assured of the quality of their data and its uses. Two users may interact with each other with full and equal knowledge, effectively removing the need for a centralized intermediary.[8] Furthermore, the use of public and private keys affords individuals a one-way encryption mechanism for unlocking their personal data. These one-way encryptions allow individuals to encrypt their identity while tracking their data and signifying their presence to others using a digital signature.[9]

While both solutions attempt to restore trust in intermediaries—one through increased oversight and the other through effective removal—the two are fundamentally opposed. Conflicts abound between the GDPR and DLT, one of the most widely recognized being the GDPR’s mandate that data be erasable.[10] In a blockchain, personal data cannot be altered or removed without dismantling and re-linking the entire chain. The GDPR, however, requires that upon request by the data subject, their data be returned and subsequently removed. Experts generally agree that the GDPR prohibits individuals from choosing to store personal data in an immutable distributed ledger.[11]
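To make the erasure conflict concrete, here is an added illustration (not code from the original post, and not any particular blockchain's implementation) of a minimal hash-linked ledger: blanking one record in place breaks the link of every block that follows it, and the only way to get a valid chain back is to rebuild everything after the erased block, which changes the tip hash that every node's copy was keyed to. The records are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_HASH = "0" * 64  # link stored in the first block
SAMPLE_RECORDS = ["alice:dob=1990-01-01", "bob:iban=XX00", "carol:phone=555"]  # constructed

@dataclass(frozen=True)
class Block:
    index: int
    data: str       # a personal-data record, stored in the clear
    prev_hash: str  # digest of the previous block: the "link"

    def digest(self) -> str:
        payload = json.dumps([self.index, self.data, self.prev_hash]).encode()
        return hashlib.sha256(payload).hexdigest()

def build_chain(records: list[str]) -> list[Block]:
    """Append records in order; each block commits to the one before it."""
    chain, prev = [], GENESIS_HASH
    for i, rec in enumerate(records):
        block = Block(i, rec, prev)
        chain.append(block)
        prev = block.digest()
    return chain

def first_broken_link(chain: list[Block]) -> int:
    """Index of the first block whose link no longer matches, or -1 if intact."""
    prev = GENESIS_HASH
    for block in chain:
        if block.prev_hash != prev:
            return block.index
        prev = block.digest()
    return -1

def tip(chain: list[Block]) -> str:
    """Digest of the last block: the value every node's copy must agree on."""
    return chain[-1].digest()

def erase_in_place(chain: list[Block], index: int) -> list[Block]:
    """Blank one record and leave later blocks untouched (what an erasure request asks for)."""
    old = chain[index]
    return chain[:index] + [Block(old.index, "[ERASED]", old.prev_hash)] + chain[index + 1:]

def erase_and_relink(chain: list[Block], index: int) -> list[Block]:
    """Blank one record, then rebuild every later block (the re-linking described above)."""
    records = [b.data for b in chain]
    records[index] = "[ERASED]"
    return build_chain(records)
```

Note that the link check only catches an erasure in a block that has successors; the re-linked chain verifies cleanly but its tip no longer matches what the other nodes hold, so every copy would have to be replaced for the erasure to take effect.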

No formal action has yet been taken to enforce the GDPR on blockchains. However, the EU’s enforcement on cryptocurrency, or Virtual Currency (VC), evidences that this peaceful coexistence will not last. The Fifth Anti-Money Laundering Directive explicitly extends the Directive to VC exchanges and/or wallet providers.[12] These entities act as the gatekeepers to virtual currencies operated on public DLT platforms, such as Bitcoin and Ethereum. Implemented in July of 2018, the Anti-Money Laundering Directive requires that these intermediaries verify the identities of the participants in accordance with Article 11.[13] Furthermore, it mandates that these entities establish centralized mechanisms to identify holders of payment,[14] including the identities of the holders of private keys.[15]

Some welcome the directive as imposing necessary constraints to foster further investment and innovation.[16] Indeed, regulatory certainty decreases the risks posed by uncertain legislative action, as well as fraud and illicit activities.[17] However, by regulating the VC market, the EU has also negated DLT’s most critical feature—the lack of a centralized intermediary. Considering the precedent set by the latest Anti-Money Laundering Directive, it appears that the EU is willing to centralize the storage of personal data in order to effectuate legal obligations. Paradoxically, enforcement of the GDPR may defeat its own purpose by effectively placing exclusive rights to personal data back under the control of fallible and vulnerable intermediaries.


Haley Flora is a 2L at Columbia Law School with a background in the sciences. She is interested in international law and technology. She was a semi-finalist in the European Law Moot Court, worked in Mexico City in Summer 2018, and will be working in Palo Alto on tech transactions in May 2019.


[1] https://www.nytimes.com/2018/10/06/opinion/sunday/facebook-privacy-breach-zuckerberg.html

[2] https://www.zdnet.com/article/what-is-the-internet-of-things-everything-you-need-to-know-about-the-iot-right-now/ (“Analyst Gartner calculates that around 8.4 billion IoT devices were in use in 2017, up 31 percent from 2016, and this will likely reach 20.4 billion by 2020. Total spending on IoT endpoints and services will reach almost $2tn in 2017, with two-thirds of those devices found in China, North America and Western Europe”)

[3] https://www.peerbits.com/blog/google-io-2018-new-era-iot-devices-google-assistant.html

[4] https://readwrite.com/2018/06/18/the-growing-importance-of-data-security-for-iot/

[5] https://www.zdnet.com/article/las-vegas-announces-smart-city-plans-with-cisco/

[6] https://readwrite.com/2018/06/18/the-growing-importance-of-data-security-for-iot/

[7] https://www.wileyrein.com/newsroom-newsletters-item-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3.html

[8] http://peerproduction.net/wp-content/uploads/2016/08/blockchain-technologies-draft.pdf

[9] https://www.comodo.com/resources/small-business/digital-certificates2.php

[10] https://www.insideprivacy.com/financial-institutions/the-cnil-publishes-report-on-blockchain-and-the-gdpr/

[11] https://medium.com/wearetheledger/the-blockchain-gdpr-paradox-fc51e663d047

[12] https://medium.com/@nejcnovaklaw/eu-introduces-crypto-anti-money-laundering-regulation-d6ab0ddedd3

[13] http://www.lspartner.de/en/2018/09/17/the-end-of-anonymity-for-bitcoin-et-al-the-regulation-of-cryptocurrency-under-the-fifth-eu-anti-money-laundering-directive/

[14] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L0843&from=EN

[15] https://medium.com/@nejcnovaklaw/eu-introduces-crypto-anti-money-laundering-regulation-d6ab0ddedd3

[16] https://medium.com/@nejcnovaklaw/eu-introduces-crypto-anti-money-laundering-regulation-d6ab0ddedd3

[17] https://www.cryptoglobe.com/latest/2019/02/localbitcoins-to-comply-with-european-union-s-new-anti-money-laundering-laws/