The Right to Privacy in the Digital Age: Win by Technical Knockout?
At the beginning of 2018, the world stopped for a moment. The date of the enactment of the General Data Protection Regulation was set, and everyone had to be ready and compliant when the GDPR sun rose on 25 May 2018.
We have always been aware that the right to privacy is one of the most crucial human rights that society has been struggling to defend for a long time. Article 8 of the European Convention on Human Rights taught us that everyone has the right to privacy, and that there shall be no interference by a public authority with the exercise of this right except in particular prescribed cases. The rise of the digital age made it harder for us to protect our right to privacy.
That’s when the GDPR jumped right in. The mighty set of data protection rules that everyone feared months before its enactment came to the rescue by imposing large fines on anyone who misuses personal data. Accompanied by the Cookie Law, the right to privacy in Europe has restored its strength. Other countries have been keeping up with legal novelties in the area of data protection, and because of these initiatives, most countries in the world now have a set of data privacy rules.
Therefore, privacy was recognised as a crucial right and society had to do right by it. ‘Data is the new oil’- a catchy headline we have been seeing over and over.
Then came the blockchain and NFTs. The groundbreaking tech came with a number of promises for a better tomorrow in relation to data protection. Namely, NFTs have the potential to become the common ground for divergent types of essential transactions. Transactions can be made directly between the buyer and the seller without the meddling of an intermediary as has been done in centralised systems. In other words, these tokens do not rely on centralised intermediaries in order to store sensitive personal data.
Furthermore, it is not likely that NFT transactions will include the disclosure of sensitive personal data. The entire process of these transactions encompasses the value of transparency, yet metadata and media data can be compliant with privacy requirements.
Here at Cradles, we are creating an entirely decentralised game; our servers run and data is stored in a decentralised network. The decentralised system of data storage has been considered a stable and an improvement on past iterations. Now it really seems that privacy regulations and NFTs are a match made in heaven. Yet, there is a tiny matter that comes in between.
Do NFTs Have Enough Fire to Burn the GDPR Bridge?
The tiny matter that comes in between these two being a match made in heaven is stuck in particular norms of the GDPR. There are a few obstacles that should be discussed.
Firstly, blockchain is associated with decentralisation and multiple layers. On the contrary, the GDPR provides a ‘one-on-one’ fiction, namely that there is at least one data controller that lays down the objectives and manners of data processing. However, this may be just a minor bump on the road. The issue in question makes the allocation of responsibilities within the blockchain more troubling, yet not impossible to solve eventually.
The second bump is much bigger. As most of us probably know, the GDPR provides certain rights to data subjects. Section 3 laid down these rights and let’s imagine it as the beating heart of the Regulation. In other words, we cannot ignore it. On the other hand, blockchain tech is a shared and immutable ledger. If we look at Article 17 of the GDPR, we will see the notorious ‘right to be forgotten’. The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her. The data stored in blockchain is made permanent and unalterable. This doesn’t sound much like good news at first, right?
However, if we scratch beneath the surface of Article 17, we are going to find out that this is not an absolute right. Apart from the fact that there are special circumstances under which the ‘right to be forgotten’ can be applicable, there has been an ongoing debate about whether an account name is considered to be personal data and to what extent. Under the GDPR, personal data is considered to be any information that relates to an identified or identifiable natural person. Back to special circumstances, the Regulation lists six reasons for data processing, and the legitimate interests ground may lend a helping hand in this situation. That is to say, the technical continuation of blockchain based on immutability would be at stake, and data erasure could be denied on the ground of legitimate interests. There’s always a way around it, and we might just cross that bridge instead of burning it.
The last big bump on the road is the GDPR’s privacy by design. Plainly, data controllers are required to implement suitable safeguards at the time of the determination of the means of processing and at the time of processing. Article 25 is considered the most controversial article related to blockchain. There may still be a need for proof of mathematical validation that off-chain data linkage using hashing might have a slight possibility of being compromised by brute force attacks. Moreover, some hashing and consensus algorithm techniques might be addressed as well; for instance, those that permit the owner of a smart contract transaction to validate it without revealing personal data.
This all may seem troubling at first glance but we should keep in mind that blockchain has been recognised in many aspects as an innovative tech that can improve data protection and security in the long run. In this game of catch, the law has to keep up with technology once again. As single players in the aspects of blockchain regulation, we’re powerless in determining how and when the authorities are going to issue further guidance.
But make a mental note; here at Cradles, we will stay devoted to our users and their guaranteed rights every step of the way.
Join the conversation and get the latest updates!
Website: http://www.cradles.io/
Cradles Official Forum: https://forum.cradles.io/
Twitter: https://twitter.com/cradlesio
Discord:https://discord.com/invite/cradles
Telegram Group: https://t.me/cradles_official_group
Telegram Channel: https://t.me/cradles_official
Instagram: https://www.instagram.com/cradles_official/
