Data Protection Concerns & the Emergence of Blockchain Technology
INTRODUCTION TO THE NEW TECH WAVE AND DATA PROTECTION LAW
Blockchain technology has come into prominence in recent years, primarily due to the boom of digital currencies (cryptocurrencies) such as Bitcoin and Ethereum. The potential uses of blockchain technology have grown across various domains such as cryptocurrency, maintenance of public records and financial services, owing to its immutable, transparent and decentralised nature. In India, the financial services industry is a sector where the application of blockchain technology has gained a lot of traction, due to its potential to minimise fraud and maximise efficiency, security and transparency.
Banks and financial institutions have started using blockchain technology in commercial banking, trade finance and payment systems. Bajaj Finserv, a leading Indian non-banking financial company, has started using blockchain technology for services like travel insurance. BankChain, which is a consortium of 37 banks and partners and includes State Bank of India, HDFC Bank, ICICI Bank, Deutsche Bank and UAE Exchange, has created ‘Clear-Chain’, which is a permissioned blockchain for integrating and sharing ‘know your customer’ (KYC) data and investigation reports. Further, 11 banks in India have formed a consortium called Blockchain Infrastructure Company to launch blockchain-linked funding for small and medium enterprises.
On the other hand, every major economy is enacting strict data protection laws to protect the data of individuals. Currently in India, data protection with respect to information technology is governed by the Information Technology Act, 2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. In December 2019, the Government of India introduced ‘The Personal Data Protection Bill, 2019’ (“Bill”) in the parliament, with an aim to protect the privacy rights of the natural persons (“Data Principal”) whose personal data is collected and processed by various entities. One of the main objects of the Bill is to provide a framework for the technical and organisational measures which should be taken by entities for collecting, storing and processing the data of a Data Principal.
UNDERSTANDING THE BLOCKCHAIN TECHNOLOGY
Blockchain technology works on a distributed ledger network in which each block stores and transmits data and the blocks are connected to each other in a digital chain. Each block is allotted a unique code, a ‘hash’, which differentiates one block from another in a network. The systems which store a copy of the block of information in a network and participate in the validation and addition of new blocks are called ‘nodes’.
There are different types of blockchains, such as: (i) public blockchain, which is open to all and is completely decentralised, so that no one node / participant has sole control over the blockchain. The addition of any block would require the consent of all the other existing nodes / participants in the blockchain. The blockchains for Bitcoin and Ethereum are examples of public blockchains; (ii) private blockchain, which is a permission based blockchain network, where participants can only join upon being invited by the existing participants of the blockchain network. This blockchain is more centralised and controlled than a public blockchain. Hyperledger (which offers the framework to build open source blockchain and related applications) is an example of a private / permissioned blockchain; and (iii) consortium / hybrid blockchain, which is a blockchain network where some nodes are private while others are public, meaning that while some nodes will be allowed to participate in the transaction, other nodes will be able to control the consensus process. Xinfin (a blockchain network for facilitating peer to peer financing) is an example of a hybrid blockchain.
COMPATIBILITY OF THE BILL WITH THE BLOCKCHAIN TECHNOLOGY
Since technology and legal developments are taking place simultaneously, it becomes imperative to understand whether the use of blockchain technology is compatible with the Bill. The Bill provides certain rights to the Data Principal whose data is being collected for various purposes. The two critical rights of a Data Principal under the Bill are: (i) Right to correction & erasure which gives the right to a Data Principal to correct any inaccuracy in his / her personal data and remove his / her personal data which is no longer necessary for the purpose for which it was processed; and (ii) Right to be forgotten which gives the right to a Data Principal to restrict or prevent the continuing disclosure of his / her personal data if such disclosure has either served the purpose for which it was collected or it is no longer necessary for the purpose; or if the consent is subsequently withdrawn; or if the data was taken in contravention to the provisions of law.
Blockchain technology is immutable at its core, which is why the abovementioned rights are critical to the use of blockchain technology. The immutable nature of a blockchain makes any deletion / modification of data on a blockchain network cumbersome, especially in the case of public blockchains, which are designed to restrict unilateral modification of the data by a single node / participant.
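The following sketch is an example added here, not code from the article or from any blockchain project. It shows on a toy hash-linked ledger why erasing one record is cumbersome: the erased block stops validating, repairing it means re-hashing every later block, and the repaired copy no longer matches the copies held by other nodes. It assumes each block's hash covers the previous block's hash, as in Bitcoin-style chains; all function names and records are hypothetical and constructed.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(index, prev, data):
    body = json.dumps({"index": index, "prev": prev, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS
    for i, data in enumerate(records):
        chain.append({"index": i, "prev": prev, "data": data,
                      "hash": block_hash(i, prev, data)})
        prev = chain[-1]["hash"]
    return chain

def first_invalid(chain):
    """Index of the first block that fails validation, or None if the chain is valid."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], b["prev"], b["data"]):
            return b["index"]
        prev = b["hash"]
    return None

def rewrite_from(chain, index):
    """Re-hash block `index` and every later block; return how many were rewritten."""
    prev = chain[index]["prev"]
    for b in chain[index:]:
        b["prev"], b["hash"] = prev, block_hash(b["index"], prev, b["data"])
        prev = b["hash"]
    return len(chain) - index

def peers_agreeing(chain, peers):
    """Count peer copies whose latest block hash matches ours."""
    return sum(p[-1]["hash"] == chain[-1]["hash"] for p in peers)

def demo():
    # Constructed sample records; block 1 holds the personal data to be erased.
    records = ["genesis", "KYC: name=Sample Person (constructed)", "payment 1", "payment 2"]
    mine, *peers = [build_chain(records) for _ in range(4)]
    before = peers_agreeing(mine, peers)
    mine[1]["data"] = "[erased]"              # one node erases unilaterally
    broken_at = first_invalid(mine)           # stored hash no longer matches the data
    rewritten = rewrite_from(mine, 1)         # repair own copy by re-hashing onward
    return before, broken_at, rewritten, first_invalid(mine), peers_agreeing(mine, peers)

if __name__ == "__main__":
    print(demo())
```
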
Further, the other two important aspects under the Bill are ‘Data Fiduciary’ and ‘Data Processor’. A ‘Data Fiduciary’ means “any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data” and a ‘Data Processor’ means “any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary”. From the perspective of the Bill it is important to identify the Data Fiduciary and the Data Processor in the context of a blockchain network to establish the obligations laid down under the Bill such as: requirement of providing notice for collection or processing of personal data and implementation and review of security safeguards of the systems, etc.
In a public blockchain network it may be difficult to ascertain a Data Fiduciary and Data Processor as the control is decentralised. In a private blockchain network there is generally a determined entity / participant which determines the means and purpose of processing of data, and in such a case that entity / participant may be treated as a Data Fiduciary or a Data Processor. However, there could be a case where more than one entity / participant in a private blockchain network is processing the data, and in such a case both the entities / participants may be Data Fiduciary or Data Processor and it may be difficult to identify any one entity / participant responsible for complying with the provisions of the Bill.
It seems that Data Fiduciaries and Data Processors can comply with their obligations and Data Principals can exercise their rights as per the provisions of the Bill to some extent on a private / permission based blockchain or a hybrid blockchain network. However, the same may not be feasible on a public blockchain as there is no central authority and the data stored is immutable.
This may lead to incompatibility between blockchain technology and the Bill. These issues have also been raised and debated vis-à-vis the EU General Data Protection Regulation, which came into force on 25 May 2018. Currently, there is no clarity on how the issue of compatibility between blockchain networks and data protection law will be resolved, and it will have to be tested on a case-by-case basis.
CONCLUSION
Since blockchain is gaining momentum in India as a means to conduct business, including financial transactions and data storage, it is recommended that a balance is established which enables data protection as well as further growth of blockchain technology and usage, so that India emerges as a leading destination in the global blockchain industry.