Steve Ehrlich is an associate and the lead analyst for emerging technologies at Spitzberg Partners, a boutique consulting firm headquartered in New York that advises innovative technology companies.
In this opinion piece, Ehrlich discusses blockchain technology from the perspective of regulators tasked with ensuring consumer data protection and privacy.
I do not envy data protection authorities (DPAs).
Although virtually everyone from the top leadership to the rank and file of these organizations is knowledgeable and driven by a sense of purpose, the pace of innovation makes it seem as if their feet are perpetually stuck in digital quicksand or on an escalator going the wrong direction.
What specifically is keeping them so busy these days?
It begins with keeping tabs on US technology titans such as Google, Facebook, Amazon, Uber and AirBnB. But another major challenge comes from tracking emerging trends in the use of tech and data. While watchdogs struggle to chase the latest developments in search, social media and cloud computing, new technologies are constantly coming across their desks.
Part of a regulator’s remit is to stay abreast of these innovations and understand their implications for data protection. Over the past few years, more resources have been diverted to study and respond to drones, connected devices, the use of technology in law enforcement, genetic testing, biometrics, etc.
It would be an understatement to call the load a full plate, and it is understandable why each of these technologies is receiving attention. Many already play a role in our lives, such as the Nest thermostat or Apple Touch ID.
Beyond a growing prominence in the marketplace, these innovations also have one common factor that makes them a concern for regulators – they generate oceans of user data, destined to be warehoused in a “cloud” and mined for lucrative insights. Armed with new Big Data analytic techniques, these technologies give companies the means to increase their informational dominance over customers.
By contrast, blockchain does not fit easily into this mold and is still a ways off from affecting the average consumer.
Because it is a less developed technology, regulators tend to give it lower priority, or no attention at all.
So how do you get blockchain on their agendas?
Start by highlighting blockchain’s future potential. To get regulators out of their comfort zone, it is important to underscore that blockchain technologies offer a categorical upgrade over existing solutions and tools in the marketplace today.
Therefore, it is important to embrace the opportunity blockchain presents to fundamentally turn the tables on the personal data economy. Or put another way – restore an individual’s ownership of their data.
Regulators around the world are constantly working on initiatives to ensure data controllers and companies have the legitimate rights to collect data; user consent for processing it; and measures in place to ensure that individuals are able to take back their data and give it to a competitor (a rival bank, for instance) if they so choose.
Blockchain-based identity solutions can flip the script, relying on cryptography, multi-signature technology and distributed computing power to restore an individual’s “digital independence.”
Next, it’s best to tie the technology to today’s landscape.
This requires a multi-prong approach: first linking the concept to core data protection principles and then comparing blockchain technology to analogous marketplace solutions, such as cloud computing.
Regulations today are primarily based on eight principles laid out by the OECD in 1980: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability.
Blockchain-based technologies offer measurable advantages over existing technologies in the market on these criteria. For example, the use of new encryption-based authentication protocols will make identity theft significantly more difficult.
Additionally, future products built on blockchain can also provide a transparent means of ensuring companies are scrupulous with the manner in which they use and treat customer data.
Today, it is expected that every company has in place a plain language “privacy policy” that details what personal data they will collect, how it will be used, how long it will be held, the ways in which people can obtain this data and other aspects of the data lifecycle.
After consenting to the policy, customers are typically left to simply trust that the vendor will keep to its promise. However, through the use of blockchain and smart contracts these protocols can be encoded into business processes, which can be standardized through the use of certification schemes, programmatically ensuring that companies will live up to their word.
Blockchain technology can also offer new solutions for maintaining company records, a task that will only grow in significance as businesses learn to capture more of their customers’ data. Companies around the world are increasingly being required to maintain a full accounting of their data processing and storage activities for auditing and compliance purposes.
In most cases, part of fulfilling these requirements entails tracking employee access to company data. This is a use-case tailor-made for a blockchain-based solution for managing, verifying and safeguarding company data.
To illustrate the strengths blockchain holds in these core data principles, it is important to draw a contrast between blockchain and existing products on the market.
When speaking with regulators regarding blockchain technology, I often spend time highlighting the difference between permissioned blockchains and open blockchains and ledgers. As the conversation gets a bit more involved, analogies are drawn between these types of blockchains and public, private and hybrid cloud solutions.
Governments are struggling to deal with the implications of cloud technologies from a regulatory point of view. Key concerns from their point of view include properly safeguarding data and ensuring that it is not misappropriated and remains confidential.
Additionally, the stakes are rising.
Given the growing popularity of cloud-based solutions, providers are starting to face increased scrutiny and penalties from regulators, even if they are merely a client or sub-contractor to the firm that uses their data-storage capabilities.
Taking into account an appreciation for the specific use cases for blockchain versus non-blockchain-based solutions, it is easy to make the case that distributed ledger solutions and smart contracts offer advantages from the perspectives of transparency, security and purpose limitation.
Given that primary use cases are still centered on bitcoin and the financial industry, many DPAs will let financial regulators manage blockchain’s regulatory landscape.
Therefore, it is unlikely that there will be any major developments, regulation or guidance from data protection authorities related to blockchain in the immediate future.
However, regulators across the globe, such as the Federal Trade Commission (FTC), Article 29 Working Party in Europe and the Office of the Privacy Commissioner in Canada, issue comments or guidance with insight into how they see new technologies fitting into existing regulations and some of their primary concerns from a consumer protection point of view.
As blockchain technology continues to develop, I expect them to eventually start putting out discussion pieces as a prelude to formal guidance.
When DPAs issue calls for information, it would also be well worth industry members’ time to participate and submit comments.
At the same time, there are things that can be done right away. Developers and programmers in the space should learn about the OECD principles and relevant regulations as they build new products.
Additionally, regulators encourage certification schemes as a means of showing goodwill and alleviating their burden. For example, the upcoming European General Data Protection Regulation, which will replace the EU law enacted in 1995, encourages the use of certification regimes as a means of complying with regulations.
Creating such a program would be a great start for blockchain’s regulatory engagement in the data protection world.