Lawmakers Finally Took Data Privacy Seriously — 2019 Regulatory Roundup

The year 2019 was rich with major privacy developments, but 2020 may rock regulatory landscape even more.

Data privacy has long been seen as one of the major non-monetary usages of blockchain technology. Many governments and corporations are already running recordkeeping systems based on distributed ledgers to securely store internal data.

Tech enthusiasts believe that blockchain has the potential to revolutionize personal data and identity management for private citizens as well, yet these hopes remain largely aspirational so far. One of the reasons for that is regulatory uncertainty: Lawmakers around the globe are having a hard time catching up with data security challenges that the sprawling online economy poses.

In 2019, the regulators accelerated their efforts to reinforce and standardize data security policies amid the growing realization of the economic value of data in several key jurisdictions. The field of privacy-enhancing technology continued to bear new solutions that will shape the industry as the new decade kicks off.

GDPR effect

Virtually all observers agree that the European Union’s General Data Protection Regulation coming into effect has been a major influence on the global privacy landscape this past year. Although the process formally began in 2018, it was last year that saw the bulk of compliance and enforcement effort pick up real steam.

British Airways and Marriott became the first corporations to face multi-million fines under the statute’s provisions. The legislation’s global aftermath included many other jurisdictions seeking to attain a GDPR-compliant status to enable cross-border data exchange. Dean Steinbeck, General Counsel at cryptocurrency project Horizen, told Cointelegraph:

“As expected, many non-EU countries are following the EU’s lead and implementing rules similar to GDPR in their jurisdictions. For example, Argentina, Australia and Brazil have all moved to implement data privacy laws that closely resemble GDPR.”

Over in the U.S., legislators have been fiercely debating matters of data usage as well. A November hearing on the issue held by the Congressional Task Force on Financial Technologies revealed that neither Democratic nor Republican members were content with the state of the nation’s laws governing financial data practices. It appears, however, that federal-level regulation is unlikely to come along before the takeaways from the California experiment are in.

The Golden State moved to become the first to adopt its own regulatory framework, the California’s Consumer Privacy Act (CCPA), which Steinbeck calls the most comprehensive data privacy law in the U.S to date. The law came into effect at the start of 2020, with CCPA-related notices pouring into compliance officers’ inboxes immediately.

Several state legislatures — Massachusetts, New York and New Jersey among them — have already moved or announced plans to consider their own privacy regulations. This has sparked concerns that data privacy landscape in the United States can soon become a patchwork of disparate laws, each one posing its own compliance requirements, said Yarno Vanto, a partner in the Privacy & Cybersecurity Group of the law firm Crowell & Moring.

Vanto doesn’t believe in adoption of a unified federal regulation as early as in 2020, as it will take time for California’s groundbreaking regulation to become operational before it can yield lessons for federal regulators to heed. He noted that CCPA seems to be off to a rather rocky start, too:

“A federal personal information protection bill is unlikely in 2020. The California State Attorney General did not finalize the implementing regulations relating to CCPA by the end of 2019 year, leaving companies seeking to comply with CCPA with some uncomfortable choices during the spring of 2020, particularly as the Attorney General has communicated that while enforcement will not begin until mid-2020, activities that have taken place during the first half of 2020 could also be subject to enforcement action.”

GDPR has also set a model in terms of the severity of fines. By instituting a hefty price for allowing data breaches and mishandling user data, regulators signal that they treat privacy seriously. For their part, corporations realize that the alternative to massive compliance costs is a comparably sized penalty charge. Michael Loewy, co-founder of privacy-focused protocol Tide, told Cointelegraph:

“The CCPA carries fines of $2,500 - $7,500 per record / breach which means embracing privacy is now mission critical for businesses in California specifically and more generally in the U.S. The projected CCPA compliance costs of $55B reflects this. We're seeing enterprise businesses going through privacy-open-heart-surgery, investing heavily to reduce the liability of handling sensitive consumer data.”

Cryptography on the rise

As stakeholders come to attach increased significance to data security, various subfields of cryptography — blockchain being just one of the technologies that make use of it — are seeing explosive growth of enterprise-oriented applications. Practitioners in the space expect the coming decade to be a boon to the industry.

Lilin Sun, the founder and CEO of cryptographic computing network PlatON, observed to Cointelegraph that cutting-edge technologies such as big data, artificial intelligence, the internet of things, cloud computing and blockchain ensure that data is being reorganized, and thus, more data scandals will emerge in the near future:

“Privacy-preserving computation, with its profound potentials, will reach a breakthrough in this new decade. Secure Multi-Party Computation (MPC), Homomorphic Encryption (HE), zero-knowledge proof (ZKP) and other subfields of cryptography, provide the provable security guarantee for data privacy.”

Jonathan Rouach, CEO and co-founder at blockchain firm QEDIT, also sees that the rise of Privacy-Enhancing Technology (PET) and a zero-knowledge proof will be of a huge significance following the events of 2019:

“Regulatory shifts have taken place alongside significant developments within the Privacy-Enhancing Technology (PET) space – as acknowledged by a recent World Economic Forum report – with a groundswell of momentum powering the ascent of Zero-Knowledge Proof (ZKP) cryptography among the enterprise community.”

Blockchain proponents believe that solutions based on the technology are ripe for solving the most pressing issues of data security while maintaining the balance between strong protection and providing third parties, such as law enforcement, with a measure of access, if necessary. Tide’s Loewy shared his sanguine outlook:

“Blockchain technology presents a significant opportunity to provide a killer application to address civil-rights / humanitarian protection aspects such as privacy, by providing ‘trustless’ handling of sensitive data. For the first time, there’s a technology that removes much of the risk surrounding the access and storage of sensitive data, including the human element, while remaining transparent and auditable to prevent abuse of power.”

Rouach offered another interesting spin on the relationship between blockchain and privacy. He suggested that DLT-based solutions might not only be seen as privacy-enhancing tools; in fact, some of them could use improved data security for their own sake. Rouach argued that insufficient privacy protections have historically impeded blockchain adoption:

“For example, without an added privacy layer, it is not practical for a supply chain consortium to deploy a blockchain for asset tracking along a supply route. From a competitive perspective, manufacturers in the consortiums cannot broadcast sensitive transactional details that reveal confidential information about their sales volume, pricing or trade partners.“

Challenges, old and new

Certain features inherent to blockchain technology do not align well with some foundational principles of data privacy central to the new personal information protection laws. The most conspicuous points of contention are blockchains’ immutability, meaning that sensitive, or “bad,” data that makes it to a distributed ledger cannot be removed if necessary. The second is the decentralized nature of true blockchains that makes it difficult to identify a party responsible for a violation. Crowell & Moring’s Vanto told Cointelegraph:

“Immutability prevents deletion, and lack of an identifiable “controller” (GDPR) or “business” (CCPA) is challenging, if not impossible. Solutions presented by regulators and various working groups such as the encryption of all data in a blockchain, or keeping all personal information outside the blockchain, are often technically challenging and difficult to implement in practice, and whether such solutions actually offer compliance is uncertain. This legal uncertainty creates a complex environment in particular for blockchain startups.”

There is, however, an ever deeper question lurking from behind these particular collisions with the law: Can a decentralized blockchain protocol be, say, GDPR-compliant at all? Or should it be? Paul Schmitzer, director of marketing strategy at privacy-focused Particl Project, believes that the answer is no. Schmitzer argues that pure blockchains are open-source and are not controlled by any particular entity. Therefore, they should not be required to follow GDPR or other similar regulations:

“There is no authority which can force regulations to be integrated into open code if the majority of node operators disagree with the changes. Truly decentralized blockchains really are at the edge of what's been done in the past and it's going to be a huge challenge for regulators to properly determine how to regulate these open protocols.”

Schmitzer also noted that blockchain projects vary widely in the level of decentralization, some of them being structured more like traditional, top-down financial service businesses. Regulators, such as the Securities and Exchange Commission, should apply their own judgement to determine the degree of centralization that characterizes a particular project on a case-by-case basis.

New frontiers

What are some big-picture takeaways that the 2019 privacy regulations trends hold for the blockchain industry? On its face, the general turn toward better protection of private data should be empowering for the space. Horizen’s Steinbeck shares this sentiment:

“I’m seeing renewed regulatory acceptance of encryption and a deeper understanding that privacy is important. I think the current trend of increased consumer data privacy protection bodes well for blockchain and projects that enable privacy.”

Privacy lawyer Vanto remains concerned about the tensions between blockchain projects’ essential affordances and the universal requirements of the emerging regulatory frameworks. Yet, he believes that there are ways for regulators to mitigate the adverse effects of this collision:

“Since virtually all of the information privacy laws that have been adopted or are now in the process of being adopted are to varying degrees incompatible with blockchain, we will likely see regulators adopting ‘safe harbors’ where blockchains that meet certain requirements such as encryption of personal information, will not be subject to enforcement action. Industry will play a significant role in ensuring that these safe harbors are compatible with technical developments surrounding blockchain.”

At any rate, given the current pace, at which encryption technologies develop, as well as major regulators’ newfound commitment to ensuring sufficient levels of personal data protection, 2020 is certainly poised to be an exciting year to watch regulatory developments in the privacy space.