By Bhavna Jha
The right to be forgotten guaranteed by India’s proposed Personal Data Protection law could have an unprecedented adverse impact on blockchain technology. Whereas blockchains inherently safeguard privacy, transparency, and security of personal data, it is my opinion that other requirements and rights created by the data protection regulation might fall foul of its proposed framework. To understand this claim, I must relate something about why blockchain technology is different and why umbrella legislation which is meant to apply to the conventional internet will run into contradictions with blockchain technology, which could frustrate the widespread adoption of the technology.
Blockchains are Changing the Information Sharing Paradigm
Blockchain technology applies the principle of distributed networks to information storage and adds to it the advantages of total transparency, securing identity and securing privacy of the participants on a network. This is a paradigm shift in information technology, since, so far, transparency and privacy of information have been technologically at odds with each other. Blockchains have emerged as an answer to the problem of trust on the internet by using a proof-of-work solution along with the use of an open record of exchanges within a network. Moreover, they provide a mechanism for accountability unmatched by existing technology because information recorded in blockchains is practically impossible to tamper with. The basic architecture of blockchains requires a simple majority consensus for making any modification to the record of information on that blockchain network.
This wonderful feature of immutability has made it an excellent medium for the transfer of virtual currency, the original being Bitcoins, and it has many potential applications beyond cryptocurrency in fields ranging from medicine to law to government. Unfortunately, the difficulty in modifying blockchains is likely to collide headfirst against the ‘right to be forgotten’ aspect of the personal data protection norms.
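To make the collision concrete, the following added example (not part of the original article) models a simplified hash-linked ledger and shows what happens when one node blanks a record to honour an erasure request. It assumes no proof-of-work or consensus protocol; the function names and the sample records are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed sample records; the second one stands in for personal data.
RECORDS = ["genesis", "name=Example Person; dob=1990-01-01", "tx-2", "tx-3", "tx-4"]

def block_hash(index, prev, data):
    """SHA-256 over a block's contents, including its predecessor's hash."""
    body = json.dumps({"index": index, "prev": prev, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(records):
    """Link records so that each block commits to the block before it."""
    chain, prev = [], GENESIS
    for i, data in enumerate(records):
        digest = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": digest})
        prev = digest
    return chain

def invalid_blocks(chain):
    """Indexes whose stored hash or back-link no longer verifies."""
    bad, prev = [], GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], b["prev"], b["data"]):
            bad.append(b["index"])
        prev = b["hash"]
    return bad

def erase(chain, index):
    """Naive erasure: blank the record in place on one node's copy."""
    chain[index]["data"] = "[erased]"

def rewrite_from(chain, index):
    """Re-hash every block from index onward; returns the number rewritten."""
    prev = chain[index - 1]["hash"] if index else GENESIS
    for b in chain[index:]:
        b["prev"] = prev
        b["hash"] = prev = block_hash(b["index"], prev, b["data"])
    return len(chain) - index

def diverging_blocks(local, peer):
    """Indexes where this node's hashes differ from an unmodified peer's."""
    return [a["index"] for a, b in zip(local, peer) if a["hash"] != b["hash"]]
```

Blanking one record makes that block fail verification; re-hashing repairs the local copy but changes every later block, so the node's ledger no longer matches any peer's from the erased record onward. Erasure therefore cannot be done by one participant alone; the rest of the network has to accept the rewritten history.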
Blockchains will fly in the face of the ‘Right to be Forgotten’
The concept of the right to be forgotten derives from French jurisprudence, droit à l’oubli. It emanates from the understanding that redemption is not possible where the retention of a person’s past transgressions prevents their reintegration into civil society. The era of the internet has added another dimension to this by retaining in perpetual memory all that is fed into it. Viktor Mayer-Schönberger proposes one simple way to resolve this problem by advocating for a regulation that would by default require all data to be deleted after a specified interval of time. The right to be forgotten is a variation of this solution, and it found utterance in Article 12 of the EU Data Protection Directive of 1995 under the Data Subject’s Right of Access to Data. In the Google Spain v AEPD and Mario Costeja González case, the “right to be forgotten” captured public imagination. The right found its way into the European General Data Protection Regulation (GDPR) which came into force in May 2018.
Art 17 GDPR: Right to Erasure/ ‘right to be forgotten’
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
Whispers of this “right to be forgotten” reached the Indian Judiciary as well, and it started cropping up in judicial decisions about “reportability” of judgments in online repositories, and regarding the redaction of names from the online reportage of judgments. Last December, the Justice Srikrishna Committee’s White Paper on Data Protection also sought opinions for inducting a right to be forgotten into the Indian jurisdiction, and sure enough it manifested in the draft Personal Data Protection Bill released in August 2018. Neither of these documents seems to have contemplated the application of the Data Protection Regulation to blockchain-based services, as the spirit of the right to be forgotten in the proposed Indian law is akin to that in the GDPR.
Section 27. Right to Be Forgotten. —
(1) The data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure—
(a) has served the purpose for which it was made or is no longer necessary;
(b) was made on the basis of consent under section 12 and such consent has since been withdrawn; or
(c) was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature.
A plain reading of the definition of Controller under the GDPR and that of Data Fiduciary under the proposed Indian law will show that neither of them excludes the members of a blockchain network from the scope of its application.
Whereas the GDPR imagines that the Controller can be a
“natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (emphasis supplied)
The Draft Personal Data Protection Bill says much the same thing while defining a Data Fiduciary as
“any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data” (emphasis supplied).
Blockchain networks use built-in consensus protocols to arrive at decisions regarding the information stored on their network, which qualifies as determining the purpose and means of processing of data. Nothing in the language describing data controllers or fiduciaries excludes the idea of members of a blockchain network having to erase, restrict or prevent continuing disclosure of personal data stored in blockchains in that network. Nothing in the language of the right to erasure or right to be forgotten creates an exemption for technological unfeasibility.
So, what does the future hold for blockchain-based applications? What happens when a member of a blockchain network wishes to exercise their ‘right to be forgotten’ and have personal data about them erased or removed from the collective, shared memory of the members of that blockchain network? We could compromise on the structural integrity of blockchain networks by decreasing the degree of decentralisation in a network to ease consensus building, in order to make modifying data stored in blockchains feasible. Or, we could carve out exceptions for personal data stored in blockchains, shielding them from compliance with the right to be forgotten, thereby compromising a person’s control over their personal data. There seems to be a fork in the road ahead, unless a solution is found to this conundrum. Clearer dialogue between stakeholders, technologists, lawyers, human rights advocates and more, clearly appreciating all the interests at stake, is vital for the survival of blockchain technology, as much as for the acceptance of and adherence to the newly proposed data protection norms.
Bhavna Jha teaches at Indian law school NUSRL, Ranchi, and is pursuing a doctorate in law, specializing in privacy in cyberspace. She has a Masters in Law from NLU Delhi and a B.A./ LL.B from WBNUJS, Kolkata. She has multidisciplinary interests and, despite her law degree, hopes to do good in the world.