
Blockchain: A Solution to New Privacy Legislation


@BitcoinExchangeGuide

by Peter Trelenberg


On September 28, 2018, the largest data breach in Facebook’s 14-year history occurred. This breach exposed 50 million users’ personal data and demonstrates the evolving danger of social media and a more data-focused, integrated world. This incident and others, including Facebook’s infamous Cambridge Analytica scandal and Equifax’s 2017 data breach, have prompted reactionary legislative action from lawmakers in Europe through the General Data Protection Regulation (GDPR) and, more recently, California’s Consumer Privacy Act (CCPA).


The GDPR went into effect on May 25, 2018, representing the most extensive and far-reaching individual data protection legislation to date and affecting approximately 52% of American businesses.[1] The EU legislation’s treatment of personal data and definitive establishment of individuals’ data privacy as a fundamental right was unprecedented. The legislation also had broad extraterritorial implications for companies that control or process any EU residents’ personal data.[2] The CCPA, now enacted with enforcement expected to begin in January 2020, attaches similar data constraints and rights. However, it adopts an opt-out mentality instead of the GDPR’s opt-in mindset. Both laws will drastically affect businesses by determining application through data users’ place of residence, challenging traditional jurisdictional legal norms and limiting extraterritorial scope. Additionally, companies are required to update company-wide privacy and data protection security, data recording systems, and procedural and technological measures to notify and share control of individuals’ data. Penalties for not instituting the measures are robust, with fines up to €20 million or 4% of total worldwide annual turnover for the GDPR,[3] and $7,500 per violation under the CCPA.[4] These new regulations may disproportionately impact small companies that cannot afford adherence.


Although these new requirements will be expensive to introduce and maintain, they may inspire investments in new data protection systems and technology. Specifically, blockchain suits the needs of companies seeking to give users greater control of their personal data, the right to be forgotten[5] (erasure in the GDPR), and data-use disclosure. Blockchain’s innovative technological advancement relies on a distributed ledger to protect and authenticate information. For applications of blockchain such as cryptocurrencies, this limits the prospect of counterfeiting and strengthens trust in the currency or product. To utilize blockchain to fulfill the new regulatory obligations, a verification system could be implemented that allows individuals to control their data, receive updates on how the data is used, and automatically recall or limit use. Blockchain’s advantages include built-in security protocols and improved data provenance, encryption, and control. These characteristics improve consumer trust and legislative compliance while limiting additional security investment costs. Silicon Valley is privately exploring blockchain, an initiative bolstered by Governor Jerry Brown’s recent creation of a blockchain technology working group.[6]


Streamr, a Swiss-based company, built a blockchain platform on the Ethereum network in response to the GDPR to implement some of the previously discussed applications. Streamr’s goal is to create a real-time, decentralized platform and marketplace to allow data collection, monetization, and delivery. Data subjects will have decision-making powers and the ability to sell their information for DATA tokens. Although Streamr’s use is currently limited, a similar platform could be used to streamline collection, share control, and protect data within minimum mandatory standards. An alternative solution could involve creating a central data depository where companies securely rent personal information using blockchain technology. Alternatively, a blockchain system could be implemented that verifies users’ identity and other credentials, assigns them a token, and permits anonymous participation. More directly applicable to the legal field, blockchain or distributed ledger technology could also be used to economically and efficiently increase protection for client or firm information.


Works Cited:

[1] Compuserve, New Survey Shows U.S. Companies Face Major Challenges Complying with EU GDPR (Sept. 13, 2016, 5:00 ET), https://globenewswire.com/news-release/2016/09/13/871395/0/en/New-Survey-Shows-U-S-Companies-Face-Major-Challenges-Complying-with-EU-General-Data-Protection-Regulations-GDPR.html.


[2] EU resident is defined as any person who is located or resides within EU territories.


[3] GDPR Art. 83(5).


[4] CCPA, AB-375 § 1798.155(b).


[5] CCPA, AB-375 § 1798.105(a).


[6] California Blockchain Working Group, AB-2658 (defining blockchain and exploring potential uses, risks, and benefits for California-based businesses).
