Oct 232018

EU Parliament Adopts Blockchain Resolution

Lauren Cuyvers and Wim Nauwelaerts
, , , , ,

On October 3, 2018, the European Parliament passed its long awaited resolution on distributed ledger technologies and blockchains (the “Blockchain Resolution”). The Blockchain Resolution was adopted to protect and empower EU citizens and businesses with respect to the specific issues that arise in relation to the blockchain or “distributed ledger” technology, one of which being the tension with data protection rights and the GDPR in general.

Blockchain technology can best be described as a decentralized database containing transaction logs linked together on a network, with the most widespread example being Bitcoin. A transaction can only proceed if the link is validated in the network. A bitcoin transaction, for instance, involves logging account numbers, the sender and recipient’s (pseudonymized) identity and bitcoin amount in a block. This block is then shared with the network, which validates the block. Only after validation (which in bitcoin’s case requires a specific “signature”) the block is included in the chain and the transaction is executed. Note that each member in a network – which can be public or private – is in principle able to validate the information in the blocks. This is the exact strength and core functioning of blockchain. Interrelated peer-to-peer validation mechanisms make blockchain technology considered to be highly secure and accessible. Blockchain excludes the need for intermediaries (such as banks), and facilitates secure transactions by the public.

The EU Parliament’s Blockchain Resolution recognizes the importance of blockchain technology’s compliance with the GDPR, and emphasizes specific risks related to privacy and data protection. It stresses that the data logged in blocks is pseudonymized, and not anonymized, data.  Although direct identification of individual members in a network is not possible, indirect identification is possible (through identifiers linked to the data). Pseudonymized data is in scope of the GDPR.  Accordingly, blockchain needs to take GDPR principles into account.

Although the GDPR is meant to be “technologically neutral”, and the GDPR’s principles are meant to be applied to data processing independent of the processing techniques used, the application of the GDPR’s principles to blockchain proves highly challenging. The GDPR’s “right to be forgotten”, for instance, appears difficult to reconcile with blockchain objectives.  Specifically, the success of blockchain relies on the logging and storing of data chains. Deletion of data would disrupt the chain and undermine blockchain rationale.

Earlier this year, the European Commission launched the EU Blockchain Observatory and Forum, with the purpose of mapping key initiatives and monitoring developments in the industry. On October 16, 2018, the Forum issued a report on Blockchain and the GDPR (the “Report”) which identifies additional areas of concern. The controller/processor distinction and identification – essential for allocating responsibility under the GDPR – proves difficult to translate into a blockchain context. Actors “submitting” a transaction to a network may be considered data controllers for the personal data they submit through the transaction when they do this in a business context, but will likely benefit from the household exemption when they submit data for their own personal use (for instance, to purchase bitcoins for their private bitcoin wallet). Actors “validating” a transaction in a network, are also unlikely to qualify as controllers, as they only run software and process the transaction to ensure validation. The uncertainty around data controllership in blockchain applications makes it difficult to assess parties’ responsibilities under the GDPR, and further regulatory guidance in this respect is urgently needed. The Report also stresses the importance of the data minimization principle of the GDPR, and recommends analyzing to what extent blockchain effectively requires storage and processing of personal data, and if so, whether private networks could be created for blockchains that contain personal data (for instance, when using blockchain in a highly regulated sector such as the financial sector).

A resolution from the European Parliament does not have legally binding effect. A resolution merely sets out the Parliament’s political position, with a view to prompt other European Union institutions to take legislative action. With this Resolution however, the European Parliament clearly expresses its position to support blockchain. Its call for “open-minded, progressive and innovation-friendly regulation” could pave the way for further EU policy and legislative development in this area of cutting-edge technology.

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Wim Nauwelaerts

wnauwelaerts@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.