by Ashling Costello, Blockchain and Privacy Lawyer
Privacy is increasingly recognised as a key requirement in AI, IoT and blockchain technologies. It is one of the differentials employed by users to compare product and service providers: entities which can claim to be privacy compliant have a significant competitive advantage over non-privacy-aware competitors.
Once considered incompatible with blockchain technology, solutions to facilitate and enable data privacy and compliance are increasingly being developed and launched. The challenge now is to track these products and to incorporate the correct privacy solution for your technology and your industry.
A boutique firm of Privacy Consultants and lawyers GDPR Designers in conjunction with the Global Blockchain Organisation and the Blockchain Chamber of Commerce and a firm of Blockchain consultants Aylward Costello are currently conducting a survey on this point. The survey remains open and participation is still welcome at: Survey Address
Detailed results and analysis will be shared with participants once the survey is published.
One of the questions asked was about the type of privacy solutions respondents were employing within their blockchain technologies. The graph below illustrates the responses to date.
“Hashing” and “encryption” are clearly popular: each is utilised by 48% of respondents. “Hashing” is a procedure which applies a mathematical formula to a large amount of data to generate a condensed and unique string of text. “Hashing” is not always privacy compliant as the hash can be vulnerable to brute-force attacks and the release of the underlying ‘hashed’ information. It is vital to ensure the hash is complex and long enough to withstand attack by numerous hackers, as well as the likely developments in technology over the coming years. “Encryption” is a way of encoding data, which can be undone by use of an encryption key.
“Private-permissioned” networks are also widespread. They are used by 39% of survey respondents, followed by “anonymization” at 30% and “pseudonymisation” at 26%. “Private Permissioned” networks are like company intranets; the participants on the blockchain are all invited, and the network is strictly controlled. “Anonymization” techniques render the personal data entirely confidential by using techniques which cannot be reversed. “Pseudonymization” gives an alias or unique identifier to individuals or owners of personal data. “Encryption” and “pseudonymization” can be undone with encryption keys or with other reverse engineering, which mean that they fall short of GDPR’s requirement that personal data cannot be discovered.
Some new technologies are still too new to have made a showing in the survey such as the insertion of a “trap-door”’ within the blockchain’s algorithm. This new technology is building code into algorithms to allow data to later be amended or deleted. This cannot be applied to existing algorithms in existing blockchains, it is only available to algorithms in development.
The key data-privacy and protection legislation within Europe is called the “General Data Protection Regulation”, or GDPR. Being subject to GDPR is not the end of the world: it just means that the entity must comply or risk fines of up to the higher of 4% of the group’s global turnover of the previous year, or EUR20million. Compliance requires treating personal data in particular ways, for example it must be capable of being deleted or amended and it should not be published, shared or sold. In the USA, California’s privacy law has come into effect – the California Consumer Privacy Act. Fifteen more American States are also about to launch their own privacy legislation, each with different requirements. This wave of privacy legislation is washing over the international marketplace, making privacy a significant compliance burden for organizations and a heavy liability risk globally. It is therefore becoming increasingly urgent to incorporate privacy solutions into blockchains, IOT and AI.
On the plus side, as privacy laws only apply to personal data, if an entity can ‘cloak’ the data by using a solution to render it irreversibly anonymous, GDPR, CCPA and the other privacy laws no longer apply. The cost of implementing privacy solutions that can achieve full and irreversible anonymity outweigh both the potential fine and the costs of compliance. It is therefore crucial to ensure that your privacy solution delivers what it says on the tin.
Another purpose of the survey was to examine the extent of perceived compliance by participants within the industry, ie, they have incorporated a privacy solution, but it does not achieve the degree of anonymity required by privacy regulators. We examine this challenge in the next article.
We would appreciate your participation in the survey: