EU Data Protection Regulation
New EU legislation will mean tougher, more complex laws and more severe penalties. Blockchain, smart contracts and cryptographic keys could be crucial in abiding by these new privacy rules.
Four years in the making, the European Union's General Data Protection Regulation (GDPR) obtained its final legislative approval on April 14. It will be enforced after a two-year transition, beginning on May 25, 2018, replacing the national laws and regulations based on the venerable 1995 EU Data Protection Directive and reaching companies that target EU consumers from the outside.
Crucially, this will impact U.S. companies that target EU consumers. Not only should companies be looking ahead to the new compliance landscape in their product design, operational planning, privacy policies, security systems and contracts, but the trend for increased regulatory engagement could see some major, broader implications.
As the sector matures, blockchain, smart contracts and cryptographic keys could become crucial in abiding by these new privacy rules. Solutions such as MadHive's focus on securing data sets for ad tech targeting and Digital Asset Holdings' goals of bringing trade and settlement industries into the 21st century are some of those to keep an eye on as privacy rules unfold.
What Is Data Protection vs. Data Security?
Data privacy governs how personal data is used, shared and retained. Data security, however, relates to initiatives geared towards restricting access to sensitive data and protecting it from being viewed during its collection, storage and transmission.
Data protection regulations typically begin with identifying the data controller and data subject. According to the EU, the data controller is a natural or legal person, public authority, agency or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. The data subject is the person to whom a set of personal data applies.
The Foundation for Current Data Protection Laws
There are no globally-administered data protection laws. The closest thing to a set of standards that exists today is the Organisation for Economic Cooperation and Development's privacy principles, established in 1980. The guidelines, which have influenced the shape of regulations around the world, established eight principles, in short prescribing that companies collect information necessary for a given purpose, be transparent about data processing, appropriately safeguard information and allow people to see and correct data that has been obtained from them.
The EU, home to the first data protection law in the world, is the standard-bearer for the "comprehensive approach," wherein one law and data-protection authority governs all sectors and data processing within a given economy.
The EU has indicated its undeniable interest in protecting the personal data of its member countries' citizens by recently passing one of the strongest personal data protection regulations in the world designed to complement the EU's existing code of online rights.
On April 27, 2016, the EU adopted, as part of the data protection reform package, the General Data Protection Regulation (GDPR) with the intent of giving citizens control over their personal data and simplifying the regulatory environment for international business through uniform regulations. The GDPR takes effect on May 25, 2018 and replaces the current Data Protection Directive (DPD). A regulation is more forceful than a directive, as it does not need to be adopted separately by each member nation. Instead, on its effective date, a regulation is immediately applicable and enforceable as law in all member states simultaneously.
The Bottom Line
At this point in time, companies are clearly entering a period of unprecedented regulatory scrutiny and penalties, beyond the impact of the EU. Across all sectors, enterprises are now required to have much greater awareness of their data inventory, be transparent with how they collect and use it and include additional consumer protections throughout their operations.
This is where the blockchain, smart data and smart contracts come into play.
This confluence of regulatory attention and changing customer preferences creates a perfect storm for the growth of a blockchain-based economy. Blockchains, smart contracts and intelligent data can all be used to add granularity to personal data and to encode permissions, conditions and regulatory restrictions. In short, they can build accountability into a firm's data-management procedures. The technology offers an absolute advantage from a security perspective, in that it eliminates the threat of a single point of failure. Furthermore, company information can be hashed onto the blockchain to create immutable, time-stamped records, assisting with auditing or continuity procedures.
Blockchain technology can better address the privacy concerns to which the GDPR and EU regulators are responding.
For example, the paper "Decentralizing Privacy: Using Blockchain to Protect Personal Data" calls directly into question the current centralized model of protecting personal data through trusted third parties. The author describes a more secure, decentralized peer-to-peer personal data management system that would give users themselves power over their data profiles using delegated permissions.
Blockchain for Intermediation
A blockchain-based infrastructure for the passage of data throughout the advertising ecosystem could also be a powerful mechanism to protect sensitive user data. According to MadHive CEO Adam Helfgott, blockchain could wedge a cryptographic layer of intermediation between people's private information and their associated targeting data for advertisers, shielding them from the worst of a cyber attack.
"The actual identity doesn't matter so much. We don't actually need to know who these people are," said Helfgott. "A decentralized system where everyone has an ID of sorts and encrypted metadata around their ID, based upon who captured that metadata, that can be unlocked on a case-by-case basis for each campaign, allowing new types of targeting."
He proposed that a blockchain solution would not only reduce the potential for human error and meddling, but could create efficiencies through some of distributed ledger technology's key attributes.
Through laws and regulatory actions, the EU has taken the lead in making sure that large companies that have access to personal data are neither predatory nor abusive. In the future, the widespread adoption of blockchain technology can remove the need for large companies to maintain this data and provide individuals with full control over their personal data.
The minor lag for regulators addressing these options presents an opportunity for key players in the space to establish and promote industry-specific best practices for safe, transparent, ethical and, most importantly, equitable business operations. This process, known as "technological regulation," would see responsible trade groups come together and create sets of standards and principles to which they pledge to adhere, and possibly establish mechanisms for self-oversight. TRUSTe and the International Advertising Bureau offer a proven model for the way forward.
At the end of the day, each company and individual will have to identify solutions that work best for them and conduct rigorous due diligence based on their specific business operations and jurisdictions. Additionally, the optimal solution continues to be a moving target as regulations change. However, these steps are worth it because blockchain-based applications and systems offer an intriguing way to address more complex laws with more severe penalties.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.