Co-Author Roman Aus der Au
Distributed Ledger technology enables – especially in the form of blockchains – effective data protection. This statement astonishes at first sight and is of course not correct in this absoluteness. In their essay in the trade journal Sic! (09/2018) Cornelia Stengel and Roman Aus der Au deal with the question of the relationship between Distributed Ledger Technologies (DLT) and data protection.
For this purpose, the authors have presented the central elements of DLT and the principles of data protection together and have pointed out possible solutions which result from the data protection laws (Switzerland and EU) themselves or from technological developments. They come to the conclusion that DLT and data protection are not mutually exclusive, even that blockchains can be built in such a way that they enable effective data protection.
Only personal data is subject to the rules of data protection laws. The authors analyse which data in DLT is to be qualified as personal data in the sense of the data protection laws. It is also important not to lose sight of the actual goals of data protection. It is about the protection of the personality and fundamental rights of the persons about whom data is processed, their intellectual integrity, privacy and informational selfdetermination.
Some of the central principles of data protection are transparency and purpose limitation, data minimization and economy, right to deletion or “being forgotten” as well as correctness of the data or right to correction. The authors compare these and other principles with the central elements of DLT, namely decentralisation, transparency, immutability and the use of cryptography and hash functions (whereby the different systems may also differ in these central points).
Particularly in the area of application of the GDPR, which relies more than the Swiss Data Protection Act on central roles, so-called “responsible persons”, the authors point out friction areas and application problems, but also legal (principle of generally accessible data or consent) and technological solutions. Depending on the application, technical elements such as chameleon hash functions, zero-knowledge protocols or off-chain solutions may be used to address data protection problems in a targeted manner.
The final statement is important: The actual goal of data protection laws, the protection of the personality and the fundamental rights of the persons about whom data is processed, is ultimately not achieved with legally prescribed documentation and administration. Rather, it must be ensured, for example, that data is actually processed as it is appropriate and “promised”. In the context of DLT, this “promise” is replaced by a prescribed protocol, compliance with which can be checked and validated by the participants in the network. It is essential to keep the rules of data protection in mind when designing such a system.