Blockchain and Personal Data Protection: The PDPC Guide
Businesses and organisations throughout the globe are beginning to implement Distributed Ledger Technologies (DLTs), such as blockchains, for a variety of finance and supply chain management applications. Some of these applications may begin to store personal information in blockchain networks.
Due to the differences in how blockchains store and transfer data in comparison to centralised systems, companies may be uncertain as to how blockchain applications might be structured to comply with personal data protection obligations under the Personal Data Protection Act (PDPA).
This Guide intends to facilitate blockchain adoption by providing guidance on how to comply with the PDPA when implementing blockchain applications that process personal data. It offers recommendations on Data Protection by Design (DPbD) aspects for more accountable customer data management.
What is a blockchain?
The term “blockchain” refers to a specific type of “distributed ledger with confirmed blocks organised in an append-only, sequential chain using cryptographic links.”
The main use of the blockchain is as a decentralised, unchangeable database that can be used as a single, indisputable source of truth without the need for a trusted, centralised middleman. This has made it possible to build applications on top of blockchain networks for things like verifying documents, storing and moving digital assets, and keeping track of the supply chain.
Permissionless vs. Permissioned Networks
For the purposes of this Guide, we classify blockchain networks based on whether they contain a permissions layer that allows an entity or consortium of entities to set technical and contractual controls on:
- Who can join and participate in the network; and
- What those entities can do on the network (e.g., what data they can write, use or disclose on that network).
Networks without such a permissions layer are known as permissionless networks, while those with such a permissions layer are known as permissioned networks. Both permissionless and permissioned networks have their own benefits, drawbacks, and applicable use cases, and this Guide does not recommend the use of one over the other.
Organisations’ roles in a blockchain network
In a blockchain network, an organisation can play more than one role. There are four main types of participant in a blockchain network:
- Blockchain operators are an organisation or a group of organisations that are in charge of designing, governing, configuring, and running a permissioned blockchain network, application, and service for other organisations that are part of the blockchain. The blockchain operator can also be a company that is part of the network and uses its services or runs its own app on the network (i.e., serving as an application service provider).
- Node operators are in charge of running blockchain nodes, which store copies of all the data in the blockchain and are responsible for validating and syncing the information. In a permissionless network, anyone can run a node, but the blockchain operator decides who can run nodes in a permissioned network. Nodes can be run by organisations that are part of the blockchain or by vendors hired by a blockchain operator.
- Application service providers (ASPs) are companies that run an app on top of a blockchain network.
- Participating organisations are organisations that use the services and features of a permissionless or permissioned blockchain network.
Personal data protection risks and considerations that might arise with blockchains
There are two main ways in which blockchain networks are different from regular databases:
- Data is kept in a decentralised fashion. In a blockchain network, there are multiple nodes that host copies of the ledger. These nodes are often in different countries. When new information is added to the chain, it must be checked and accepted by the majority of network nodes (consensus). Then, the new information will be added to all copies of the ledger in the network.
- The stored data cannot be changed. The blockchain is set up so that records can only be added to it. This means that once a record is on the chain, it cannot be changed or removed. This makes it harder to tamper with blockchains and makes each transaction final.
Because of these two properties, there is a lot of trust in the data on-chain. But when personal data is written to a blockchain (either a permissionless or a permissioned network), the fact that it is decentralised and hard to change makes it hard to meet the accountability requirements of the PDPA and raises immutability issues.
Since data on the blockchain is spread across multiple nodes, it can be hard to determine which organisation is responsible for the distributed personal data and to make that responsibility effective. This is the question of “data controllership.”
To follow the PDPA, organisations need to limit who can access and use the personal information they have or control. But this might be hard to do if the personal information is stored on the blockchain, and the controls depend on how much control the organisations have over the blockchain participants and node operators:
In a permissionless blockchain, it is almost impossible to control who can see personal information on the chain, since any organisation, known or unknown, can be a node operator and join the network.
In a permissioned blockchain, access to the chain can be controlled because the participants and node operators are usually chosen by the blockchain operator and are known to the operator.
So, organisations may be better able to control access to and use of personal data in a permissioned blockchain than in a permissionless blockchain through technical controls, like encryption or off-chain implementations with access control, or contractual controls like terms and conditions of use and access to participants.
Transfer Limitation Obligation
The Transfer Limitation Obligation (TLO). If an organisation puts personal information on a blockchain with nodes in more than one country, it will have to make sure that these countries have similar privacy protections in order to comply with the TLO.
Consent and Purpose Limitation
In general, the PDPA provides that organisations cannot collect, use, or share a person’s personal information unless the person gives, or is deemed to have given, consent for the collection, use, or disclosure of his or her personal information for a specific purpose. This is a problem in a permissionless blockchain, where all participants (such as node operators, ASPs, and participating organisations) can see the data that is written on the chain. This makes it hard for organisations to control how another participant collects, uses, or shares the data.
The fact that data on the blockchain can’t be changed (i.e., it can’t be tampered with) could lead to the following problems:
Protection Obligation. An organisation can make reasonable security arrangements to protect personal data, such as using encryption to keep personal data from being disclosed without authorisation. But suppose encrypted personal data is stored on a permissionless blockchain. In that case, these kinds of protections are likely to become less effective over time as the methods and computing power that threat actors use to break these protections improve.
Retention Limitation Obligation. In general, an organisation should dispose of data once it has served the purpose for which it was collected and there are no more business or legal reasons to keep it. It can do this either by securely erasing the data or by removing any personal information from the data. But data that is put on the blockchain cannot be changed or erased because it is permanent. So, for effective disposal, data would have to be added to the chain in a way that makes it impossible for anyone who can access the data to read it after disposal (e.g., via encryption and disposal of the decryption key).
Whether a blockchain application is hosted on a permissionless network or a permissioned network changes how much accountability and immutability are a problem for those who use it.
Considerations and recommendations for personal data on permissionless blockchain networks
Permissionless blockchain networks usually let anyone (the public) host nodes and read or write data on the network without revealing their identity. So, data that is written on-chain can be stored on multiple nodes in different countries, and any entity that is part of the permissionless network can access it. Because of this, organisations on a permissionless blockchain network are more likely to break the PDPA because of problems with accountability and immutability.
Accountability Issues on Permissionless Networks
In a permissionless network, it is not possible or practical to hold any entities in the network accountable for the following reasons:
- Every node in the network has a copy of any personal information that is put on the chain. This means that anyone in the public who is part of the permissionless network can access and use the data.
- Since there is no operator in charge of a permissionless network, it is not possible to claim data ownership or make participants protect personal information written on-chain.
- You also can’t control or even know where the nodes of a permissionless network are located. This makes it hard for any responsible organisation to figure out how well personal data written on-chain is protected.
Accordingly, the PDPC would regard any personal information written to a permissionless blockchain as a form of public disclosure. Personal information should only be put on a permissionless blockchain if the individuals whose information is being disclosed have given their consent or if the information is already publicly available.
Immutability Issues on Permissionless Networks
Due to the immutable nature of blockchain networks, data stored on-chain is immutable for as long as the blockchain network exists.
Due to the permanence of on-chain data, organisations cannot assume that any anonymized or encrypted data on permissionless blockchains, which are inherently open and public, will remain anonymized or encrypted over time. As long as there are operational nodes, threat actors will have access to the publicly available data to:
- Conduct re-identification attacks in which anonymized datasets are analysed to determine the identity of the associated data subjects; or
- Decrypt encrypted data uploaded to the blockchain using brute-force attacks or emerging methods such as quantum decryption.
Considerations and recommendations for personal data on permissioned blockchain networks
Permissioned blockchain networks, in contrast to permissionless networks, often contain blockchain operators who can restrict network participation to known and authorised players. Participants in a permissioned blockchain are typically required to sign a consortium agreement, which adds a layer of contractual constraints to the technical controls. Thus, through technical and contractual controls, the operator mitigates some of the accountability and immutability risks inherent to permissionless networks.
Accountability issues on permissioned networks
While a permissioned blockchain network is only available to authorised organisations, all other participants that host or manage nodes will have access to any cleartext personal data stored on the blockchain. This means that all node operators have access to the data, inadvertently increasing the regulatory burden on them.
Therefore, operators of permissioned blockchain networks should guarantee that personal data is adequately protected and is only accessible to or revealed to authorised blockchain participants who have a legitimate business need to access the data. This will impose personal data protection duties on organisations only with regard to the data they are authorised to access. The following are examples of measures that blockchain operators can implement:
A. Limiting network membership to just authorised organisations and putting enforceable requirements on them through the consortium agreement. Such binding constraints could include restrictions on the types of data that can be written to the network (additionally supported by technical controls) and restrictions on participant conduct (e.g., prohibiting attempts to decrypt ciphertext).
B. To comply with the TLO, permit participation only by organisations that can provide effective protection for personal data across all of their nodes, data centres, and sub-processors to which the data is transferred and where it is stored. This compliance can be verified by the following methods:
- Admitting participants only from jurisdictions with comparable standards of protection;
- Ensuring binding contractual obligations for comparable protection through consortium agreements between the operator and participants; or
- Requiring participants to obtain specified certification such as the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) or Privacy Recognition for Processors (PRP).
C. Requiring participants to encrypt or anonymise personal data on-chain using industry-standard methods or practices, such that only authorised participants can access the data with the decryption keys or identity matching tables provided via off-chain channels.
D. Monitoring and enforcing against any perpetrators of data breaches involving personal information on the network.
When applicable, operators may rely on various consent exceptions under the PDPA, such as business improvement, deemed consent by contractual necessity, and legitimate interests, as a legal basis for allowing participants to collect, use, and share personal data without the consent of the individuals.
The blockchain operator can also lessen the compliance burden for ASPs and node operators via contracts that designate their processing of on-chain data as being for the operator’s benefit, thereby making them data intermediaries over that data.
Immutability issues on permissioned networks
As participation can be curated and controlled, the risk of an unknown threat actor decrypting encrypted data or re-identifying anonymised data on-chain is more manageable on permissioned blockchains than on permissionless blockchains. Besides protecting the data, protection mechanisms such as encryption also help overcome immutability issues.
Blockchain operators and participants can comply with rectification and retention limitation requirements by:
- Inserting new entries with encrypted, revised data; and
- Requiring the secure disposal of decryption keys for obsolete data by other participants, rendering the data unreadable.
In addition, it is advisable to meticulously document the process of identifying and erasing all copies of decryption keys, so that participants can withstand independent inspection. Keeping track of the number of copies and the location of decryption keys is a best practice that lends credibility to this procedure.
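The pattern described here and under the Retention Limitation Obligation above, often called crypto-shredding, as an added example that is not part of the PDPC Guide: personal data goes on-chain only as ciphertext under a per-record key, rectification appends a new encrypted entry, and disposal destroys the key while logging every copy's location for inspection. The in-memory `Ledger` list stands in for the chain, the `KeyVault` and its `vault-sg-1` location are hypothetical, and AES-GCM comes from the `cryptography` package.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # pip install cryptography

class Ledger:
    """Append-only list standing in for the chain: entries are never edited or removed."""
    def __init__(self):
        self.entries = []
    def latest(self, record_id):
        # Rectification: the newest entry for a record is authoritative; old ones stay on-chain.
        matches = [e for e in self.entries if e["record_id"] == record_id]
        return matches[-1] if matches else None

class KeyVault:
    """Hypothetical off-chain key store. One key per data subject makes disposal selective,
    and the location of every copy is recorded so the erasure can be shown to an inspector."""
    def __init__(self):
        self.keys, self.locations, self.audit_log = {}, {}, []
    def get_or_create(self, key_id, location):
        if key_id not in self.keys:
            self.keys[key_id] = AESGCM.generate_key(bit_length=256)
            self.locations[key_id] = {location}
        return self.keys[key_id]
    def dispose(self, key_id):
        # Record which copies were destroyed, then drop the key material itself.
        self.audit_log.append((key_id, sorted(self.locations.pop(key_id))))
        del self.keys[key_id]

def write_record(ledger, vault, record_id, key_id, plaintext, location="vault-sg-1"):
    key = vault.get_or_create(key_id, location)
    nonce = os.urandom(12)  # GCM nonce: never reused under the same key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext.encode(), record_id.encode())
    ledger.entries.append({"record_id": record_id, "key_id": key_id,
                           "nonce": nonce, "ciphertext": ciphertext})

def read_record(ledger, vault, record_id):
    """Current plaintext, or None once the key is gone: the ciphertext stays but is unreadable."""
    entry = ledger.latest(record_id)
    key = vault.keys.get(entry["key_id"]) if entry else None
    if key is None:
        return None
    return AESGCM(key).decrypt(entry["nonce"], entry["ciphertext"], record_id.encode()).decode()

def demo():
    ledger, vault = Ledger(), KeyVault()
    write_record(ledger, vault, "cust-001", "k-cust-001", "Tan Ah Kow, 90 Old Road")  # constructed
    write_record(ledger, vault, "cust-001", "k-cust-001", "Tan Ah Kow, 12 New Road")  # rectified
    before = read_record(ledger, vault, "cust-001")
    vault.dispose("k-cust-001")  # retention period over: destroy the key, not the chain
    return before, read_record(ledger, vault, "cust-001"), len(ledger.entries), vault.audit_log
```

Both ciphertext entries remain on the ledger after disposal; only the vault changes, which is what lets an append-only chain satisfy a deletion obligation.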
Using off-chain approaches to further mitigate personal data protection risks on permissionless or permissioned networks
In order to benefit from the decentralised and tamper-resistant characteristics of blockchain networks, organisations that seek to process personal data as part of a blockchain application need not necessarily write personal data on-chain. They can instead consider off-chain alternatives that keep personal data in centralised data repositories while writing only representations of the personal data to the blockchain.
Under this strategy, the regulatory treatment of personal data is identical to that of conventional databases, as the data is totally held off-chain. Participants in a blockchain can therefore utilise typical industry-standard protection controls, rules, and processes to ensure that the off-chain data is protected and that similar data protection is in place when sharing data with organisations in different jurisdictions.
Thus, this off-chain method can be utilised to satisfy personal data protection requirements in both permissionless and permissioned networks.
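The off-chain approach above, as an added example that is not from the PDPC Guide: the personal data lives in a conventional store, and only a salted SHA-256 commitment is written to the chain, so the chain still proves integrity while revealing nothing about the fields. The `OffChainStore` and the plain list used for the chain are stand-ins; the random 32-byte salt is what stops a chain observer from recovering low-entropy values (a name, an e-mail address) by guessing and hashing, the re-identification risk described for permissionless networks.

```python
import hashlib
import hmac
import json
import os

class OffChainStore:
    """Stand-in for the organisation's own database: the personal data itself lives here."""
    def __init__(self):
        self.rows = {}
    def put(self, record_id, fields, salt):
        self.rows[record_id] = {"fields": dict(fields), "salt": salt}
    def delete(self, record_id):
        self.rows.pop(record_id, None)  # ordinary deletion; the chain is untouched

def commitment(fields, salt):
    """Salted SHA-256 over a canonical JSON serialisation of the record."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()

def anchor(chain, store, record_id, fields):
    salt = os.urandom(32)  # kept off-chain with the row, never written to the chain
    store.put(record_id, fields, salt)
    chain.append({"record_id": record_id, "commitment": commitment(fields, salt)})

def verify(chain, store, record_id):
    """True if the off-chain row matches what was anchored, False if it was altered,
    None once the row has been disposed of (the on-chain digest alone says nothing)."""
    row = store.rows.get(record_id)
    if row is None:
        return None
    anchored = [e for e in chain if e["record_id"] == record_id][-1]["commitment"]
    return hmac.compare_digest(anchored, commitment(row["fields"], row["salt"]))

def demo():
    chain, store = [], OffChainStore()
    fields = {"name": "Tan Ah Kow", "email": "tan@example.com"}  # constructed sample
    anchor(chain, store, "cust-001", fields)
    intact = verify(chain, store, "cust-001")
    store.rows["cust-001"]["fields"]["email"] = "other@example.com"  # simulated tampering
    tampered = verify(chain, store, "cust-001")
    store.delete("cust-001")  # retention period over: delete off-chain, commitment stays
    gone = verify(chain, store, "cust-001")
    # Someone holding only the chain cannot confirm a guessed record without the salt.
    guessable = commitment(fields, b"\x00" * 32) == chain[0]["commitment"]
    return intact, tampered, gone, guessable, len(chain)
```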
Organisations can also opt to hire professionals for their blockchain development needs and maintenance to ensure that there will be no instance of any data leaks that could prompt the PDPC to investigate. Privacy Ninja offers both blockchain development and smart contract audit, a formidable combo to uphold good cybersecurity and data protection.