Companies will move towards private blockchains as GDPR gains ground

The law lags behind technology, which has allowed 'crypto-anarchy' to reign - but that is changing

Who actually owns a cryptocurrency? Can blockchains be GDPR compliant? How can London secure its place as a digital hub after Brexit? The answers to these questions are, not surprisingly, still unclear.

Dave Michels, a researcher at Queen Mary University and the Cloud Legal Project (funded by Microsoft) is one of the experts working to find answers. For the past year and a half, the Project has focused on examining the legal implications of blockchain technology - which is a lot more complex than people might think, when the very definition of ‘blockchain' is still vague.

"Blockchain raises some difficult legal questions, and unfortunately these won't have clear-cut answers," Michels told delegates at a Binary District event last week. "Instead, they'll require a creative approach to thinking about how the law will apply, and designing products and services accordingly."

Cryptocurrencies are the most well-known use of blockchain, and naturally come up in any conversation on the topic. Under existing legislation, the actual owner of a cryptocurrency is hard to define, said Michels. Although the law is well-established when it comes to physical items, and even some intangible ones like debts and shares, it is lacking when it comes to completely virtual assets.

Disruptive technologies are a challenge for both the markets that they affect and lawmakers. Although changes are naturally slow to make their way through the legal process, the free market develops new solutions quickly. Justin King, former CEO of Sainsbury's, recently told us that the law "inevitably ends up looking slightly behind the times...because in the years it's needed to go through the legislative process, technology has already moved to a place where much of what it talks about seems highly irrelevant."

The result is that the law always lags behind where technology currently is. See London's decision to regulate Uber, which took six years.

When it comes to cryptocurrencies, that means that its position as property is currently very much a grey area. It's not a physical item, but it's not a debt or a share. Is it theft if someone takes ‘your' Bitcoin? Can you sue that person to recover ‘your' property? "For now, it's a puzzle under the law," Michels told delegates.

Data protection on a blockchain

With the GDPR now in effect, all companies have to comply, including those using blockchain for personal data - but it's easier said than done. For all of its strengths, blockchain technology throws up some significant challenges under the GDPR.

The general consensus appears to be that blockchain is fundamentally incompatible with the GDPR, but Michels thinks that that definition is too simple - and depends on how you define ‘blockchain'.

If you are storing personal data on a blockchain, compliance will depend on how you process it, as well as the kind of blockchain you have set up. There must also be adherence to the two principles of the GDPR: accountability (there must be data controllers and processors) and data protection rights (people must be able to request that their data be deleted).

Here's a practical example:

A company wants to launch a bike rental scheme, which they've set up through an initial coin offering (ICO). Someone that wants to rent a bike registers an account, gets a private key, goes to an exchange and buys some coins. They then take the token (coins) to a bicycle, checks in with the private key and ride off. After returning the bike, the payment is processed through a Smart Contract. All of these transactions are processed on a blockchain ledger

There are two ways that this transaction information, which includes personal data, could be stored. The first is an open, public blockchain, like Bitcoin's. In this case anyone can download the software and run it on their machine(s); they might be paid for doing so.

In this case, who is accountable? The rental company wrote the software, but doesn't touch any personal data - it is neither a processor or a controller, under the law. The people running nodes haven't got any control over the system, and so they don't fall neatly into either category.

The customer can ask for their data to be removed, but that is very difficult on a public blockchain - which might be stored in a ledger on thousands or millions of machines. "What are going to do?" asked Michels. "Go round and speak to all these thousands of people and tell them to remove data from their system? Want if they don't want to? It's going to be very hard to respect [the] request."

A private blockchain is the other possibility, and this is much more suitable. Instead of thousands of uncontrolled nodes, a private chain can be limited to a specific, controlled number. Michels' example used three: one in his house, one in the cloud and one stored with a third party auditor to vouch for the integrity of the system in case of disputes.

In terms of accountability, the person who set up the blockchain (and has a node stored in his house) is "probably" the controller, while the cloud provider and third party are processors. Additionally, data subject rights are simplified with a limited number of nodes, although a fork (a new version of the chain) is still required to remove personal data.

A different type of chain?

Based on Cloud Legal Project research, Michels expects a move away from public blockchains for business: "We might see more of a development towards private, closed, controlled blockchains and away from the ‘crypto-anarchy' of the early days," he said.

All sorts of other questions about blockchain remain unanswered, though. Is an ICO a sale of securities (regulators would probably argue that it is)? Do investors have any rights? In the example, is the Smart Contract legally binding? What are the terms, are who are the parties?

"How are we going to find solutions to these problems?" asked Michels. "I've got two answers… The first is: ‘Gradually'. We'll find solutions as and when problems arise… Rather than getting ahead of ourselves and implementing a bunch of specific legislation, let's see how blockchain is actually used and what kind of problems it creates. This is what the UK government has done, and I think it's a smart approach.

"The other answer is ‘Together'. If you're a company thinking about doing an ICO, thinking about processing personal data on a blockchain, talk to a lawyer - preferably at the start of your project. If it's really sensitive, consider contacting your regulator. They might be able to advise, and they might have a sandbox programme you can get involved in.

"That way, together, we can go about ensuring that London has the legal framework that allows us to benefit from these disruptive new technologies."

The Cloud Legal Project's research articles are available for free on the Social Science Research Network.