This article was originally published on Fintechpolicy.org
State legislatures have recently taken up the mantle of consumer privacy rights. The recently enacted California Consumer Privacy Act (“CCPA”) and the yet-to-be-enacted New Jersey Assembly Bill 4902 (“NJ Bill”), New York Senate Bill 224 (“NY Bill”), and Washington Senate Bill 5376 (“WA Bill”) have been drafted to give state residents more control over their own data.
At the same time, a number of blockchain projects claim their technology will do the same thing—give individuals control and ownership over personal data. By their account, if an individual can control who has access to their data, that same individual could prevent social media platforms and data brokers from losing, sharing or selling their data. Blockchain has been touted as an evolved solution to the problem of catastrophic data breaches. However, as databases that are both extremely difficult and wildly expensive to amend, blockchains may present irreversible problems under these new laws when data gets stored on-chain.
A blockchain can become “poisoned” if its immutable ledger includes data deemed offensive, protected, private, or prohibited by law. Depending on the type of data stored, the location of the nodes, and the individual’s location, the blockchain’s ledger could facilitate the violation of numerous laws around the world. For instance, laws regarding possession of illegal content (e.g., child pornography), copyright violations, disclosure of state secrets, or disclosure of personal or sensitive data could all be implicated.
To get more specific, privacy poisoning occurs when a blockchain contains data protected by a jurisdiction’s privacy regulations and the blockchain’s records cannot be edited or erased without tremendous computing power. Picture a scenario where an employee accidentally publishes a consumer’s name and social security number on a public blockchain by appending that data (instead of a hash of that data) to a transaction. Now picture another scenario where an employee maliciously publishes the passwords, names, addresses, birthdates, and credit card numbers of thousands of consumers on a public blockchain.
In these “poisoning” scenarios, it is nearly impossible to remove data from blockchains where copies of the data have been distributed and replicated network-wide and no central operator or controller of the blockchain exists.
Why is this an issue?
Businesses cannot hail blockchains as a solution to privacy problems when their use may put personal information at permanent risk. Further, some blockchain businesses may not be able to comply with new privacy laws that provide individuals with new rights over their personal information. These risks are magnified when considering that certain types of encryption may be cracked or vulnerable to quantum computing in a matter of years.
Beginning January 1, 2020, California consumers will have the right to erasure under the California Consumer Privacy Act (“CCPA”). If a business fails to comply with a request for erasure within the allowed time frame, the business may be subject to a civil penalty of up to $7,500 per violation to be imposed by the California Attorney General (“AG”). California consumers will also have a private right of action against a business where a consumer’s non-encrypted and non-redacted personal information is subject to a data breach as a result of the business’s violation of its duty to implement and maintain reasonable security procedures and practices (“Privacy Practices Duty”).
What does this mean for blockchain businesses in California?
First, businesses would be wise not to store personal information of consumers on a blockchain. Doing so may leave them unable to comply with a valid erasure request from a California resident. Businesses might in these instances be in irreversible and continuous violation of the CCPA, subject to the mercy of the AG’s power to impose fines.
Second, where an employee maliciously publishes a consumer’s personal information on a blockchain, and the information has been subject to an “unauthorized access and exfiltration, theft or disclosure,” the CCPA would grant California consumers a new private right of action against the business. The consumer would have to prove the breach was a result of the business’s violation of its Privacy Practices Duty. If the private cause of action proceeds, because any data on the blockchain is stored and retained permanently and the law allows relief on a “per incident” basis, the amount of damages could scale indefinitely as the number of incidents grows over time.
Businesses might comply with the right to erasure by storing personal information on an off-chain database and only storing links to that off-chain database on the blockchain. Furthermore, businesses may prevent information from falling under the CCPA’s protections by de-identifying or anonymizing the data before publishing it on-chain.
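The off-chain pattern described above, sketched as an added example (not from the original article). The class and function names are hypothetical, the "ledger" is an in-memory append-only list standing in for a chain, and the sample record is constructed. The commitment is keyed with a per-record secret held off-chain because a plain hash of a low-entropy value such as a social security number can be recovered by guessing.

```python
import hashlib
import hmac
import json
import secrets

class Ledger:
    """Stand-in for a chain: entries can be appended and read, never edited."""
    def __init__(self):
        self._entries = []
    def append(self, entry: dict) -> int:
        self._entries.append(json.dumps(entry, sort_keys=True))
        return len(self._entries) - 1
    def read(self, index: int) -> dict:
        return json.loads(self._entries[index])

class OffChainStore:
    """Mutable database holding the personal data and a per-record key."""
    def __init__(self):
        self._rows = {}
    def put(self, record: dict) -> tuple[str, str]:
        ref = secrets.token_hex(16)    # random link, carries no personal data
        key = secrets.token_bytes(32)  # per-record key, never written on-chain
        body = json.dumps(record, sort_keys=True).encode()
        self._rows[ref] = (key, body)
        return ref, hmac.new(key, body, hashlib.sha256).hexdigest()
    def verify(self, ref: str, commitment: str) -> bool:
        if ref not in self._rows:
            return False               # erased: nothing left to check against
        key, body = self._rows[ref]
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, commitment)
    def erase(self, ref: str) -> bool:
        # Erasure request: drop the data and its key together.
        return self._rows.pop(ref, None) is not None

def publish(ledger: Ledger, store: OffChainStore, record: dict) -> int:
    """Write only the link and the keyed commitment to the ledger."""
    ref, commitment = store.put(record)
    return ledger.append({"ref": ref, "commitment": commitment})

def demo():
    ledger, store = Ledger(), OffChainStore()
    record = {"name": "Jane Example", "ssn": "000-00-0000"}  # constructed sample
    idx = publish(ledger, store, record)
    entry = ledger.read(idx)
    before = store.verify(entry["ref"], entry["commitment"])
    erased = store.erase(entry["ref"])
    after = store.verify(entry["ref"], entry["commitment"])
    # The on-chain entry itself must never contain the personal values.
    leaked = any(v in json.dumps(entry) for v in record.values())
    return before, erased, after, leaked
```

After `erase`, the ledger entry still exists but is a random reference plus a digest that can no longer be tied to any stored record.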
When faced with a request for erasure, businesses do not always have to obey the request. They may refuse to act on a California resident’s request in some cases, including where requests are manifestly unfounded or excessive.
If the business has published personal information onto or is running a private blockchain, and the blockchain has been “poisoned” with personal information, the business could consider the following solutions to avoid being in violation of the CCPA or being subject to a private right of action:
• Force all participating nodes to participate in a hard fork in order to erase the offending data;
• Force all participating nodes to stop running the nodes for the blockchain; or
• Destroy all copies of private keys in order to render the encrypted data permanently inaccessible.
If the business has published personal information onto a public blockchain, things get complicated. The business might have to spend hundreds of millions of dollars to rent enough mining equipment to conduct a 51% attack on the network, or to orchestrate a hard fork by convincing a majority of the nodes to move to a new chain that does not contain the offending data. Even if successful, that does not guarantee that the old chain will not continue to operate with the offending data.
In any event, until the California AG opines on the implication of the new privacy law on blockchain businesses, any proposed compliance solution is theoretical.
Businesses that operate on, or store personal information on, a blockchain run the risk of admitting protected private data onto a permanent database. Despite the benefits blockchain technology may bring to businesses, the consequences of error would be tremendous for both the business and the consumer whose personal information will be available online, forever.
With these risks in mind, blockchain-enabled businesses will need to consider the adequacy of security procedures for private information and whether they are likely to be held to a higher standard in light of the risk of an eternal violation. In the meantime, businesses may also want to consider approaching the California AG collectively for industry guidance, especially as the CCPA rulemaking process is still ongoing.