Blockchain and privacy: Transparency and innovation pose challenges for data protection
A blockchain is a peer network of nodes that use a distributed ledger that can be used to track transactions involving value including money, votes, property, etc. The most well–known application of blockchain technology is bitcoin. Transactions on a blockchain are not regulated by any central counterparty: the individuals involved in a given transaction provide their information (including personal information), a record is created that can be verified by nodes in the network. In this sense, the users forming the community act as their own regulators.
In its openness, blockchain technology is full of new opportunities to transact in different ways. However, in the case of a public blockchain, in order to allow security and certainty, every transaction is recorded on a publicly available ledger and the disclosed transaction information is unalterable. This latter rule is one of the most fundamental in the functioning of blockchain. Indeed, data can only be added to blockchain, rather than removed (as each node contains a replication of the blockchain). If a change is applied to a node, such change would be rejected by the other nodes in the network. It provides a great certainty over the time within the chain of transactions. Altering a node would be like activating a time machine: it is impossible not to change the present if you alter the past, the entire chain of information is thus modified.
Although the above is justifiable from a technological standpoint (an can even facilitate anti-money laundering measures), blockchain’s inalterability can raise issues for individuals who wish to protect their privacy (including as regards the nascent and evolving “right to be forgotten”, which is recognized in some jurisdictions). For example, what is an individual supposed to do if the publicly disclosed information she provided in order to complete a transaction becomes inaccurate or if the publicity of her information one day creates an important risk to her safety? Changes in people’s lives could trigger this individual need for an alteration of the information stored in blockchain ledgers, such as insolvency, criminal records, change of name, change of gender, etc. As such, given the decentralized nature of blockchain, how could a court order a change in blockchain the same way it would order a web page to disappear from Google search results?
In this regard, a distinction should be made between anonymity and privacy. Some have argued that bitcoin, even though not private, is anonymous. Indeed, the email address provided when registering for a Bitcoin transaction may be any email address and as such, the link to personal information of the user, such as his name or birth date, may be avoided. However, bitcoin is more accurately described as as pseudo-anonymous. As the Office of the Privacy Commissioner explained in one of its few publications on the topic of digital payments and privacy:
…some people suggest virtual currencies can be used to make purchases anonymously. This isn’t necessarily true because the digital trail associated with these currencies can still be tied to an individual, although the trail usually consists only of transaction records rather than personal information. To set up an account in order to use these virtual currencies, however, you may be required to provide some personal information, such as your name, credit card information, banking information, driver’s licence, utility bill or even passport information. While the anonymity of digital currencies may limit the exposure of details related to your payment information, retailers can still combine your purchase information with other information they have such as your name, email address, purchase history or rewards/loyalty points you have with the store.
Even though some technological solutions are under consideration to address privacy challenges with respect to the use of blockchains and to design blockchains that are protective of privacy—such as data encryption or the use of timestamps for information held elsewhere, there could still be a potential benefit to regulatory guidance on privacy matters relating to blockchain technology.
Regulatory developments in respect of digital currencies in Canada have to date mostly been limited to anti-money laundering and taxation matters. However, there is a growing interest in blockchain technology in Canada by various industries including major financial institutions and the Bank of Canada, which is running experiments on interbank payment systems “to build a proof of concept wholesale interbank payment system using a distributed ledger”, as stated by Deputy Governor Carolyn Wilkins.
In addition, certain securities regulators (such as the OSC and the AMF) are in the process of forming committees to consider Fintech matters. In this context, ensuring data protection in connection with the use of blockchain technology could become an important regulatory consideration going forward.