The right to data protection is recognised as a fundamental right in over 100 countries around the world. It is inextricably linked with the fundamental right to privacy, which in itself makes it unequivocally clear that personal information pertaining to an individual cannot simply be up for grabs.
Blockchain technology is acclaimed for the transparency, security and privacy it promises its users through a decentralised digital data structure maintained by a consensus algorithm. But does that promise hold in the eyes of Malaysian data protection law? How compatible is blockchain technology with data protection laws in Malaysia?
Data Protection Laws in Malaysia
The Personal Data Protection Act 2010 (PDPA) came into force in Malaysia on November 15, 2013. Given that Malaysia had never explicitly recognised privacy as an independent right, the PDPA was a revolutionary step towards strengthening data protection law and advancing data sovereignty.
Although loosely modelled on the EU General Data Protection Regulation (GDPR), the provisions of the PDPA are not wholly aligned with those of the GDPR. Even so, both regulations pursue a common objective: governing data protection and privacy for all individuals. Moreover, with the blockchain ecosystem processing a myriad of digital data on a wide-reaching scale, regulatory regimes such as the PDPA and the GDPR need to reform the legal landscape so that data protection law is compatible with blockchain. So far, no official statement has been issued on the governance of personal data in blockchain. How can the provisions of the GDPR and the PDPA be reviewed, revised and reinforced to make them compatible with the convoluted blockchain infrastructure?
What Constitutes as Personal Data in Blockchain?
To understand the need to protect personal data in blockchain, we first need to examine what constitutes personal data in the blockchain domain. ‘Personal data’ refers to any information that is directly or indirectly associated with an individual and that identifies them or makes them identifiable. Only information that qualifies as personally identifiable information is subject to the rules of data protection law.
While the PDPA and the GDPR each define ‘personal data’ in their own words, both definitions converge on the same substance: identifiable information attributable to a data subject.
In blockchain there are two sets of data that qualify as ‘personal data’:
- Transactional Data – Transaction data such as price, asset and ownership, recorded and replicated across several nodes of the system.
- Public Keys – An encrypted string of letters and numbers that enables the pseudonymous identification of a person.
Whether data counts as identifiable depends less on the nature of these two data sets than on the technique used to conceal the personal data: pseudonymisation or anonymisation. Pseudonymisation replaces the identifying elements of the data subject with pseudonyms, such that additional information is required to re-identify the data subject, whereas anonymisation irreversibly prevents identification of the data subject.
Since blockchain relies on hashing and encryption, which are both pseudonymisation techniques, data stored on a blockchain can be regarded as “personal data” in the eyes of both the PDPA and the GDPR.
However, the difficulty of finding a middle ground between the PDPA and blockchain does not end here. There is also the problem of jurisdiction and applicable national law. Since a blockchain runs on a network of interconnected nodes spread across territories, it is difficult to apply any one jurisdiction’s laws to it, and legal assessment outside Malaysia’s jurisdiction in the event of a data breach will be an arduous task for the PDPA. Moreover, with multiple parties acting as controllers and processors, it becomes difficult under the PDPA to assign accountability for compliance failures involving personal data.
On Course for Building Technical Solutions
The stark dichotomy between privacy law and blockchain technology does not mean that the search for a resolution is a wild goose chase. Technologists around the world are working against the clock to devise technical solutions that address the grey areas of this incompatibility. To mention a few:
- Gatekeepers – Under this approach, trusted intermediaries known as “gatekeepers” serve as controllers commissioned to modify or erase data, and also grant nodes permission to access it. The drawback is that it defeats the very purpose of blockchain: transparency and immutability.
- Zero Knowledge Proofs (ZKP) – A cryptographic technique in which the data is presented only as a binary true/false answer, without revealing the source or details of the transaction. This is an anonymisation technique, which can fall outside the provisions of data protection laws.
- Off-Chain – This solution stores personally identifiable data in a separate secondary database managed by a third-party controller, ensuring that no identifiable data is stored on the blockchain itself.
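The two technical points above, that an unkeyed hash of personal data is pseudonymisation rather than anonymisation, and that the off-chain pattern keeps identifiable data in a controller-managed store with only a commitment on the chain, can be made concrete in a few lines. The following is an added illustration, not code from the article or from any project it mentions; it uses only the Python standard library, a constructed sample record, and a plain list as a stand-in for an append-only ledger. The record fields, the `OffChainStore` class and the per-record HMAC key are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
import uuid
from typing import Optional

# Constructed sample record (fictitious data): the transactional fields the article
# lists plus directly identifying fields that are personal data under the PDPA/GDPR.
SAMPLE_RECORD = {
    "buyer_name": "Aisha Binti Rahman",
    "buyer_ic": "880101-14-5678",
    "asset": "lot-42",
    "price_myr": 12000,
}


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_hash(data: bytes) -> str:
    """Plain SHA-256: what a naive 'hash the PII before writing it on-chain' design does."""
    return hashlib.sha256(data).hexdigest()


def reidentify_by_enumeration(digest: str, plausible_values: list) -> Optional[str]:
    """Linkability check a privacy reviewer runs on a proposed design: when the input
    space is small or guessable (names, IC numbers, dates), an unkeyed hash can be
    matched back to its source value, so it is pseudonymisation, not anonymisation."""
    for value in plausible_values:
        if unkeyed_hash(value.encode()) == digest:
            return value
    return None


class OffChainStore:
    """Off-chain pattern: PII lives in a controller-managed store; only a keyed
    commitment is written to the chain. Erasing the record together with its key
    leaves the chain untouched but makes the on-chain value unlinkable to anyone."""

    def __init__(self):
        self._records = {}  # record_id -> (per-record key, record)

    def put(self, record: dict) -> tuple:
        record_id = str(uuid.uuid4())
        key = secrets.token_bytes(32)  # secret per record; deleting it is the erasure
        commitment = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        self._records[record_id] = (key, dict(record))
        return record_id, commitment  # only this pair goes on-chain

    def verify(self, record_id: str, commitment: str) -> bool:
        entry = self._records.get(record_id)
        if entry is None:
            return False  # erased or never existed: nothing left to link to
        key, record = entry
        expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, commitment)

    def erase(self, record_id: str) -> bool:
        return self._records.pop(record_id, None) is not None


def demo() -> dict:
    chain = []  # append-only ledger stand-in: list of (record_id, commitment)
    # Naive design: the IC number hashed directly on-chain is trivially re-identified.
    naive_digest = unkeyed_hash(SAMPLE_RECORD["buyer_ic"].encode())
    recovered = reidentify_by_enumeration(naive_digest, ["900202-10-1234", "880101-14-5678"])
    # Off-chain design: commitment on-chain, PII and key with the controller.
    store = OffChainStore()
    record_id, commitment = store.put(SAMPLE_RECORD)
    chain.append((record_id, commitment))
    before = store.verify(record_id, commitment)
    # Without the key, even someone holding the full record cannot reproduce the commitment.
    linkable_without_key = unkeyed_hash(canonical(SAMPLE_RECORD)) == commitment
    store.erase(record_id)
    after = store.verify(record_id, commitment)
    return {
        "naive_hash_reidentified": recovered,
        "verifiable_before_erasure": before,
        "linkable_without_key": linkable_without_key,
        "verifiable_after_erasure": after,
        "chain_length_unchanged": len(chain) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the per-record key: a single global key would mean erasing one data subject requires re-keying everyone, whereas destroying one 32-byte key severs exactly one record from its on-chain commitment while the ledger itself stays immutable.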
Although technical solutions to the problems of identification, control and jurisdiction in blockchain are plentiful, a great deal of research and experimentation is still needed to close these gaps. Malaysian data protection law must be reinforced by identifying the most fitting technical solution to close the legal loopholes around blockchain. Where Malaysia will stand in laying down clear-cut provisions for a more secure and private blockchain remains an open question. Until then, we can only envisage a remedy that brings blockchain and data protection law into congruence.