_edited.png)
INTRODUCTION
Initiatives are being taken, both globally and nationally, for facilitating the adoption of blockchain technologies (also called distributed ledger technology). In India, blockchain has witnessed substantial traction across several industries over the last couple of decades. Further, as per the 2021 Global Crypto Adoption Index by the crypto-analysis platform Chainalysis[1], India ranks second among 20 countries for its crypto adoption rate.
Despite the accelerating adoption of blockchain technologies worldwide, there has been a recurring debate that this technology, by virtue of its very nature, poses a potential risk of conflicting with the European Data Protection law. In the context of India, the draft Personal Data Protection Bill 2019 (hereinafter referred to as ‘the draft PDP Bill’) portrays a significant amount of convergence with the European General Data Protection Regulation (hereinafter referred to as ‘GDPR’). Moreover, most of the recommendations of the Joint Parliamentary Committee Report on the PDP Bill align with the global standard of data protection. Therefore, in this article, I analyze and highlight the tension between blockchain technologies and the draft PDP Bill, which is likely to be implemented in the forthcoming days.
BLOCKCHAIN TECHNOLOGY
As discussed above, blockchains are a class of decentralized technology operated through a consensus algorithm to store and process a wide range of data and information. These data are stored on multiple nodes (units storing local versions of distributed ledger), resulting in the involvement of several parties for maintaining the databases. Blockchain primarily aims at establishing a peer-to-peer network, with each node serving as a different peer.[2] Each of these nodes stores an integral copy of the ledger in form of multiple transactions which then gets added to the existing chain of blocks. This mechanism is known as hashing process wherein the blocks are linked by way of a hash function. A hash function is a one-way cryptographic execution that makes it highly insurmountable to revert, thereby qualifying it as an append-only digital structure.[3] Therefore, under certain circumstances, modification or erasure of data cannot be forthrightly implemented.
In blockchain technology, resilience is achieved by way of replication. In simpler terms, the data stored on multiple modes are resilient because it is parallelly stored on several nodes, as such even if one or more nodes malfunction, the data stored remains unaffected. Therefore, the risk of failure or attack at the central point does not arise. The replicated data is then synchronized through a consensus mechanism, which warrants the distributed network to decide on the status of the ledger. This arrangement dictates the way new blocks get added to the existing chain of blocks. Through this process, the information is arranged in a sequential manner which makes it implausible to be altered without affecting the subsequent blocks.
DRAFT PDP BILL
Even though the Indian Constitution does not mention the right to privacy explicitly in the text, the Indian Courts through judicial pronouncements have bought the right to privacy under the umbrella of fundamental rights by way of interpreting Art. 19 and 21 of the Constitution.[4] Therefore, to secure the right to privacy guaranteed to its citizens, several initiates and attempts were undertaken by the government to formulate a data protection law in India. As a result, in December 2019, the draft Personal Data Protection Bill was tabled before Lok Sabha by the Ministry of Electronics and Information Technology. The draft PDP Bill establishes a legal framework for protecting the rights of data-owners and contemplates data usage through a consent mechanism for the benefit of the parties at both ends of the spectrum.
The right to privacy which is a fundamental right also includes the right to be forgotten.[5] In the context of two judgments passed by the Hon’ble High Court of Orissa and the Hon’ble High Court of Karnataka[6], the right to be forgotten forms an integral part of the right to privacy. Even though the Hon’ble High Court of Orissa could not pass an order directing deletion of the videos in a case wherein rape video of the victim was posted on Facebook, in the absence of codified law, it held that “allowing such objectionable photos and videos to remain on a social media platform, without the consent of a woman, is a direct affront on a woman’s modesty and, more importantly, her right to privacy”[7].
The right to be forgotten has also been recognized and even effect to, by the draft PDP Bill under the provisions about an individual’s right to privacy. As per Clause 20 of Chapter V which provides for ‘Rights of Data Subject’, “data subject (the person to whom the data is related) shall have the right to restrict or prevent the continuing disclosure of his data by a data fiduciary”[8]. It further contemplates various circumstances under which the data subject can restrict, limit and alter their personal information available with the data fiduciaries.
POTENTIAL CONFLICT BETWEEN DRAFT PDP BILL AND BLOCKCHAI
Over the last few years, the compatibility of blockchain technologies with the global standards of data security and protection has increasingly become a topic of discussion. The reasons behind the tension between blockchain technology and the draft PDP Bill can be majorly attributed to two factors.
First, the draft PDP Bill is formulated under the basic supposition that behind every data or information collected, there is a legal entity responsible for collecting and processing such data known as data fiduciaries. Under the draft Bill, a data subject can address the enforcement of its rights under the Bill and hold data fiduciaries in the event of any breach of data.[9] Blockchain, on the contrary, seeks to decentralize the process by eliminating a unitary player with multiple actors. This makes the process of assigning accountability and responsibility to a single entity cumbersome and devoid of legal certainty.
Second, as has been previously mentioned, the draft PDP Bill guarantees to all data subjects the right to be forgotten. Therefore, the draft Bill is necessarily based on the presupposition that the data collected by the data fiduciaries are subject to modification and erasure.[10] Most of the blockchain technologies have been deliberately designed to make the modification or deletion of such data implausible, which in turn, poses a significant challenge in terms of its compliance with the data protection requirements. Further, the append-only structure of blockchain also renders implementation of provisions pertaining to data minimization and purpose limitation onerous.
This analysis has led to two conclusions. First, the intricacies and complexities of blockchain technology can render it difficult to reconcile with the data protection laws. Therefore, the players in the field of blockchain are required to be aware of this roadblock and accordingly design the blockchain protocol. Second, the uncertainly around blockchain in light of the draft PDP Bill cannot be solely attributable to the specific features of the technology. In the absence of defined regulatory guidelines, there is a huge gap as to how the concepts under the draft PDP Bill are to be implemented to this technology.
CONCLUSION AND POLICY RECOMMENDATIONS
Through this article, I have highlighted the potential conflict that might come into the picture on the codification of the draft PDP Bill and the difficulties in reconciling blockchain technology with the data protection requirements. While this paper has broadly focused on the tension between data protection laws and blockchain technology in general, the compatibility between the two can only be assessed on a case-by-case basis due to the technical diversity of the technology. Keeping that into consideration, the following suggestions are recommended.
Recommendation 1: Regulatory Guidance & Code of Conduct
Even though the draft PDP Bill has been revised and updated multiple times, the Bill is silent on its applicability in the context of blockchain. Further, it is has been discussed in this article that the very nature of blockchain technology challenges some of the core assumptions of the draft PDP Bill. The draft law so formulated is ideally supposed to be technologically neutral so that it is not rendered obsolete in a pacing economy. Therefore, there is a pressing need for crafting regulatory guidance on the mechanism to be adopted by players in the blockchain space to have legal certainty.
Further, the European GDPR contemplates certain mechanisms such as code of conduct and certification mechanism to ensure that the principles of data protection laws are upheld while processing specific cases of personal data.[11] Taking similar examples, the draft PDP Bill should also specifically mention tools and mechanisms that are aimed at making blockchain technology legally complaint.
Recommendation 2: Research Funding
Even though regulatory guidance and code of conduct will help substantially to increase legal certainty in terms of how the provisions of the PDP Bill ought to be implemented, it may not always be sufficient. As it has already been highlighted above, in certain specific cases, there are indeed technological limitations to complying with the legal requirements. Alternate arrangements could be devised by way of promoting interdisciplinary research in terms of technicality and governance so as to design blockchain protocols that are legally compliant by design.
FOOTNOTES
[1] Chainalysis Team, 'The 2021 Global Crypto Adoption Index: Worldwide Adoption Jumps Over 880% With P2P Platforms Driving Cryptocurrency Usage In Emerging Markets - Chainalysis' (Chainalysis, 2022) <https://blog.chainalysis.com/reports/2021-global-crypto-adoption-index/>.
[2](www2.deloitte.com,2022<https://www2.deloitte.com/content/dam/Deloitte/in/Documents/strategy/in-strategy-innovation-blockchain-technology-india-opportunities-challenges-noexp.pdf>.
[3] 'What Is Blockchain Technology? - IBM Blockchain | IBM' (Ibm.com, 2022) <https://www.ibm.com/topics/what-is-blockchain> 2.
[4] Devika Sharma, 'Personal Data Protection Bill, 2019 –Examined Through The Prism Of Fundamental Right To Privacy – A Critical Study | SCC Blog' (SCC Blog, 2022) <https://www.scconline.com/blog/post/2020/05/22/personal-data-protection-bill-2019-examined-through-the-prism-of-fundamental-right-to-privacy-a-critical-study/>.
[5] 'Data Protection Bill Has Provisions For ‘Right To Be Forgotten’, Centre Tells HC' (Thehindu.com, 2022) <https://www.thehindu.com/news/cities/Delhi/data-protection-bill-has-provisions-for-right-to-be-forgotten-centre-tells-hc/article37973230.ece>.
[6] Sri Vasunathan v. Registrar General & Ors, Writ Petition No. 62038 of 2016 decided on January 23, 2017.
[7] Subhranshu Rout v. State of Odisha, BLAPL No. 4592 of 2020.
[8] (2022) <https://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf>.
[9] The Personal Data Protection Bill 2019, Clause 10.
[10] The Personal Data Protection Bill 2019, Clause 20.
[11] 'GDPR & Blockchain: At The Intersection Of Data Privacy And Technology' (Bdpinternational.com, 2022) <https://www.bdpinternational.com/blog/gdpr-blockchain-at-the-intersection-of-data-privacy-and-technology>.