Blockchains are touted as subsequent technology databases that promise to facilitate safe and environment friendly transactions between unknown events. Nevertheless, one of many main pillars of a blockchain’s safety is the truth that individuals with entry to the blockchain can see the whole historical past of transactions executed on the blockchain – the consequence being that every occasion has an equal alternative to confirm the accuracy of knowledge saved. But when all the knowledge saved on the blockchain may be seen by anybody with entry to the blockchain, what occurs when that info qualifies as “private info” below Canadian privateness legal guidelines? Organizations that acquire use or disclose “private info” are topic to a wide range of compliance obligations, which as we set out under, may be tough to reconcile with sure blockchain fundamentals.
What’s private info?
In Gordon v Canada, the Federal Court docket defined that non-public info is info that can be utilized to establish a person if the knowledge “permits” or “leads” to the attainable identification of the person, whether or not on the premise of that info alone, or when the knowledge is mixed with different info from different out there sources.1 Accordingly, an organization that merely “de-identifies” or “pseudonymizes” knowledge should be topic to Canadian privateness legislation necessities as a result of there’s a chance that such knowledge may be “re-identified”. This poses a novel problem to the builders of blockchain infrastructure, and the companies that function atop blockchain infrastructure, when the metadata that’s essentially ingrained in blockchain transactions could also be re-identifiable. Such metadata could represent private info when it reveals the place transactions are despatched from, who they’re despatched to (not essentially the identify of the recipient, however the handle of the recipient), how a lot cash was despatched, and at what time.
Take decentralized functions (DApps) for instance, that are constructed from software program deployed on the blockchain (e.g., good contracts) which might be sometimes designed to execute enterprise operations for corporations.2 The operations of the good contracts that successfully facilitate the performance of the DApps are sometimes made publicly out there to each node within the blockchain community as “bytecode”, which may be reverse engineered to disclose the identical transactional info as metadata in peer-to-peer transactions.
So, what does it imply if such knowledge, saved and processed on public blockchain networks, qualifies as private info? The result’s considerably of a paradox.
The blockchain – privateness paradox
Data revealed to a blockchain can’t be deleted, however most fashionable privateness laws grant people a “proper to be forgotten”. How can a person or knowledge topic train their proper to be forgotten when the knowledge recorded on a blockchain’s ledger is everlasting?
The very foundation of belief in decentralized networks outcomes from the transparency of the ledger. All members in public blockchain networks belief within the sanctity of the knowledge as a result of they will all see and analyze that info equally and in actual time. But when all the knowledge is clear, it turns into accessible to anybody and should, theoretically, be utilized by unknown actors for unknown functions. Accordingly, how can an entity that leverages blockchain expertise to execute transactions and/or retailer info present the suitable protections for knowledge topics round how their info could also be used or disclosed?
Public blockchains are deliberately decentralized so that there’s not one accountable entity. Furthermore, the networks composed by means of public blockchains typically span jurisdictions, and should include tons of, 1000’s, or thousands and thousands of people that all technically have the power to tell updates to the blockchain (a capability akin to managerial resolution making). Below these circumstances, how can a regulator implement actions towards the supporters of a public blockchain, when duties round maintenance, administration, and ongoing growth are unfold throughout a group of unassociated people?
Greatest practices for managing private info within the blockchain context
No official suggestions or interpretations of learn how to course of private knowledge on public or non-public blockchains have been revealed in Canada. Nevertheless, a broad interpretation of non-public info, which is customary below Canadian legal guidelines, may deter blockchain stakeholders from processing private knowledge on public blockchains, as a result of knowledge on a blockchain is accessible by anybody with entry to that blockchain, and distributed/saved amongst all nodes within the public blockchain community.
Within the non-public blockchain context, administration of particular person rights over private info is feasible as a result of there are designated and accountable entities that management the variety of stakeholders with entry to the blockchain. Below such circumstances, stakeholders could require compliance with privateness laws as a way of accessing the non-public blockchain and its related software(s). Stakeholders may be faraway from the community for failures to conform, and a sufficiently centralized non-public blockchain could also be overwritten by members by means of collaboration to reply to sure privateness infringing incidents.
The stakeholders behind DApps in both public or non-public blockchain contexts even have the power to proactively mitigate privateness legislation dangers by designing acceptable privateness insurance policies and implementing greatest practices that contain:
- Combining on-chain and off-chain knowledge
The blockchain software ought to keep away from storing private knowledge as a payload on the blockchain (i.e., together with figuring out info within the message accompanying the cost itself), and as a substitute have blockchain transactions function mere pointers or an entry management mechanism to extra readily managed storage options off-chain.
- Using privateness centric applied sciences and cryptographic strategies
Encryption strategies at present being utilized by privacy-centric chains embody ZK-SNARKS, Ring Confidential Transactions, and mixing strategies, all of that are supposed to masks the identification of the sender or recipient and/or enable members to verify transactional legitimacy by cryptographically proving that they know one thing with out revealing the character and identification of the knowledge.
- Conducting knowledge transformations
Different privateness enhancing encryption and destruction strategies could also be used to guard a person’s privateness rights, akin to hashing knowledge or making use of different knowledge transformation strategies to non-public info, and revocation of entry rights to a blockchain software (or complete blockchain in a non-public blockchain community). Nevertheless, Canadian regulators haven’t addressed whether or not such measures are ample to fulfill the calls for of Canadian privateness laws.
Organizations leveraging blockchain expertise to gather, use or disclose private info should take care to stay knowledgeable and compliant to necessities below Canadian privateness legal guidelines.