Brianna White

Administrator
Staff member
Jul 30, 2019
Blockchains are touted as next generation databases that promise to facilitate secure and efficient transactions between unknown parties. However, one of the primary pillars of a blockchain’s security is the fact that people with access to the blockchain can see the entire history of transactions executed on the blockchain – the result being that each party has an equal opportunity to verify the accuracy of information stored. But if all the information stored on the blockchain can be viewed by anyone with access to the blockchain, what happens when that information qualifies as “personal information” under Canadian privacy laws? Organizations that collect, use or disclose “personal information” are subject to a variety of compliance obligations, which, as we set out below, can be difficult to reconcile with certain blockchain fundamentals.
What is personal information?
In Gordon v Canada, the Federal Court explained that personal information is information that can be used to identify an individual if the information “permits” or “leads” to the possible identification of the individual, whether on the basis of that information alone, or when the information is combined with other information from other available sources.1 Accordingly, a company that merely “de-identifies” or “pseudonymizes” data may still be subject to Canadian privacy law requirements because there is a possibility that such data can be “re-identified”. This poses a unique challenge to the developers of blockchain infrastructure, and the businesses that operate atop blockchain infrastructure, when the metadata that is necessarily ingrained in blockchain transactions may be re-identifiable. Such metadata may constitute personal information when it reveals where transactions are sent from, who they are sent to (not necessarily the name of the recipient, but the address of the recipient), how much money was sent, and at what time.
Take decentralized applications (DApps) for example, which are built from software deployed on the blockchain (e.g., smart contracts) that are typically designed to execute business operations for companies.2 The operations of the smart contracts that effectively facilitate the functionality of the DApps are often made publicly available to every node in the blockchain network as “bytecode”, which can be reverse engineered to reveal the same transactional information as metadata in peer-to-peer transactions.
So, what does it mean if such data, stored and processed on public blockchain networks, qualifies as personal information? The result is somewhat of a paradox.
The blockchain – privacy paradox
Immutability
Records published to a blockchain cannot be deleted, but most modern privacy legislation grants individuals a “right to be forgotten”. How can an individual or data subject exercise their right to be forgotten when the information recorded on a blockchain’s ledger is permanent?
Continue reading: https://www.dentons.com/en/insights/articles/2022/june/9/the-privacy-paradox-in-blockchain-best-practices-for-data-management-in-crypto