What is GDPR and CCPA and how does it impact blockchain?
By Scott W. Pink, special counsel, O'Melveny & Myers LLP.
This is part two of a series analyzing how blockchain fits into the privacy law landscape.
Many privacy professionals view the European Union's General Data Protection Regulation as a watershed moment in the evolution of data privacy law. 
While there had been data privacy laws on the books for over a decade, many were very general in nature or specific to certain regulated industries, such as healthcare or financial services. GDPR created a broadly applicable set of data privacy principles and introduced a number of obligations and data subject rights with which companies and other processors of data must comply. Since GDPR took effect in May of 2018, it has been followed by the adoption of very similar laws in Brazil, Thailand and, most recently, California, with the California Consumer Privacy Act, which takes effect in January 2020. For the purpose of this article, we will focus on the core provisions of GDPR and CCPA and their potential application to blockchains and distributed ledgers.
The following are the key principles mandated by GDPR and CCPA:

Controller and processors

GDPR defines two types of entities that process personal data: controllers, who determine the purpose and means of processing personal data; and processors, who process data on behalf of a controller. Controllers have most of the obligations under GDPR, including the obligations of notice, responding to data subject requests, notification of data security breaches, and ensuring their processors comply with certain requirements.
The California law does not differentiate between controllers and processors; instead, the obligations apply to a business that collects a consumer's (i.e., a California resident's) personal information. The term "collects" is defined broadly to mean "buying, renting, gathering, obtaining, receiving or accessing any personal information pertaining to a consumer by any means." (Cal. Civ. Code §1798.140(e).) This indicates both the controllers and their processors are subject to the California law provisions.

Legal bases and data minimization

GDPR introduced the concept that a controller must have a lawful basis for collecting personal data. Controllers can no longer collect personal data for an unnecessary reason; they must have a valid legal basis as specified in Article 6 of GDPR, and they should only collect the data necessary for that purpose (data minimization). CCPA does not expressly require a legal basis or data minimization, but it does require businesses to disclose the business and commercial purpose for which personal data is collected. Cal. Civ. Code §1798.110.

Notice

The requirement to provide a privacy notice has been in place for over a decade, starting in the EU with the Data Protection Directive in 1995 and in the United States with the California Online Privacy Protection Act in 2003. Both GDPR and CCPA impose more stringent and detailed requirements for such notices, including a requirement that notice be provided at the point of collection. In addition, regulators such as the Federal Trade Commission have become increasingly aggressive in pursuing companies for failing to provide adequate notice of their data collection activities.

Consent requirements

GDPR introduces new requirements for obtaining consent. Consent must be freely given, specific, informed, and unambiguous (GDPR, Art. 4, §11). For consent to be freely given, it must be given on a voluntary basis; in most cases it cannot be required as part of a contract or buried in a privacy policy. As noted below, obtaining consent can be a challenge in a dynamic transactional framework such as a distributed ledger.

Data subject rights

GDPR introduced a number of rights that can be exercised by a data subject, including the right of access to personal data, the right to rectify personal data, the right to object to certain kinds of processing (such as automated processing), the right to data portability, and the right to delete personal data. CCPA implements a more limited but similar set of rights, including the right of access, the right to know, the right to delete and the right to say no to the sale of personal information.

Data security and data breaches

GDPR requires data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which can include the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. GDPR, Art. 32, §1.
In the U.S., very specific security requirements are prescribed for certain regulated entities, such as health care providers under HIPAA and financial institutions under Gramm-Leach-Bliley. State laws tend to be more general, requiring only "reasonable security," without necessarily defining what that entails.
Security breach disclosure laws exist in all 50 states and require notification to individuals and, in some cases, government entities; the trigger is typically unauthorized access to or disclosure of a subject's name plus certain identifying information such as a Social Security number or driver's license number. GDPR also requires controllers to notify data protection authorities and individuals of security breaches; the requirement is not limited to certain sets of data, but rather examines the type of data, severity of breach, and risk of harm in determining whether disclosure is required.

The next part will look at the challenge of applying the data privacy regime to blockchain.