Cooley LLP's Randy Sabett: Blockchain technology may not be the best solution for GDPR compliance
Despite facing attacks from Chinese regulators and even Jamie Dimon , Bitcoin has never a hotter topic. Part of the cryptocurrency’s appeal can be traced to its use of blockchain, a decentralized ledger technology that anonymizes person-to-person transactions and updates client transactions and balances without going through a bank or other centralized authority. This helps ensure that transactions are not only anonymous, but difficult to taint or tamper.
Many companies—including those in the financial industry—are exploring new ways to incorporate this into day-to-day business activities. Companies such as NASDAQ, Bank of America, and Goldman Sachs, for example, have already filed patents that apply blockchain technology towards day-to-day financial tasks. Some of these patents, for example, apply blockchain principles to creating audit-friendly backup databases for financial documents, streamlining securities settlements, and creating buyer & seller aliases to anonymize person-to-person payments.
Can companies also use blockchain technology to meet the strict guidelines outlined by the upcoming GDPR and other data security standards? They can, but it’s not a fail-proof solution, and could instead come at a cost to customers and clients. I’ll let Cooley LLP’s Randy V. Sabett, CISSP, explain why. Before he became an attorney, Randy started as a crypto engineer with the NSA and recently served as commissioner of the for the Commission on Enhancing National Cybersecurity for the Obama administration. He currently serves as vice chairperson of Cooley LLP’s privacy and data protection group.
Eric Pesale: What role, if any, can blockchain play for helping businesses bolster their cybersecurity safeguards and meet these international and domestic data security standards? Would you say at this point is it even feasible?
Randy Sabett: The interesting thing about blockchain technology is that, from some of the schemes that I’ve seen, it’s focused on identity and protection of identity vis-à-vis the data that’s associated with it. And really if you think about it, it’s a rather elegant way of substantiating in technology what they’re driving at with GDPR, and what really actually had its genesis in the EU’s data protection directive that preceded GDPR. So if you think about the US & the EU and their approaches, the US is bottom up and the EU is top-down. One theory I had is actually playing out, and it’s the following: those two—the top-down and bottom-up approaches—are kind of meeting in the middle.
Pesale: Can you elaborate on the difference between these approaches, and how exactly they’re meeting in the middle?
Sabett: I’ll put it this way. In the U.S., at the state level, California started out with passing the first data breach notification law, so when I say “bottom-up,” I’m saying that we started at a very granular level. In other words, if you had a data breach, you—which under the EU’s language would make you a “data controller”—would have to tell people about it. It wasn’t necessarily an attempt to shame people into complying, but rather to help people protect their data once you know you’ve been exposed. The EU, on the other hand, started out using an approach that’s completely different, almost on a philosophical level. Under it, you as the data subject own your data, and you own your data all the way down through the various entities you pass your data on to. So if I passed my data on to ACME corporation, and then ACME passed it to XYZ Corp, and XYZ later passed it to ABC Corp., here in the US I’ve lost control of the data once it’s handed off to ACME. Under the EU’s top-down approach, the law gives me rights to that data all the way down the chain, all the way down that sequence of companies and how it’s been passed. That’s obviously been carried through with GDPR.
Pesale: How, if at all, can blockchain technology factor into this, or impact how these approaches are carried out?
Sabett: Start with the premise that data subjects always own their data, and now mix in this decentralized technology—the blockchain. The basic idea is that that data subject is able to use the blockchain protocols and is able to control his or her own data. So now if the data subject wants Acme Corporation to perform some services to Acme as a service provider, they want Acme to provide some input to them, the owner could pass on the rights to the data, pass on a token, or handle the exchange a number of different ways that could be done. But basically the subject could say “Acme, you have access to my data in a limited way. I, the data subject, control the access to my data, and I can give you access to my data only for these purposes, only for this amount of time, and only in this way. And if you want to pass this data to anyone else because they’re your sub-processors or sub-service providers, then come to me first.” So, spinning all the way back to your question, I think there is promise for blockchain to be usable to support the various laws that are out there.
Pesale: In what specific ways can blockchain technology be applied to secure personally-identifiable information and related information?
Sabett: I can see how there might be other applications, but I think one of the most promising is in protection of identity and in protection of the information that is attached to that identity—the “personal data” in EU parlance. I think it can be used in a way that takes advantage of this sort of decentralized structure. There was an interesting article I came across that discussed a concept called sovereignty. The notion of sovereigns is that they’re at the top of the heap, and they control everything below that in a governmental sense. This process would be self-sovereign in a sense that the data subject themselves have sovereign control over their personal information. It very much supports GDPR and, again, some of the other ones.
Pesale: How would the adoption of blockchain impact how customers and clients interact with companies online?
Sabett: Here’s where I think—and I don’t know this for a fact and I haven’t seen anything about this—but I think the user experience is not going to be good. It has the potential to perhaps be less attractive than what people are used to today. Most people today are used to things happening pretty seamlessly with their devices. Every now and then you get a pop-up that is really annoying, or every now and then I’ll see a situation happen where an entity that I don’t think should have my data somehow does. But now flip that around. Think about a world where every single time you’re going to be hit pretty frequently—at least when the systems first roll out—with requests to use your data. Or maybe just the first time instead, and then you grant companies permissions on a going forward basis. It’s likely going to require data subjects to become more sophisticated than they are today about their personal information.
How exactly will customers and clients need to be more sophisticated? What other downsides are there to using blockchain, especially from a compliance perspective? Stay tuned for Part II of our interview with Randy.
Author's Note: This article was originally featured on the CSO Online column Jailbreaking the Law. You can visit the original article at https://bit.ly/2rEu1tT