To print this article, all you need is to be registered or login on Mondaq.com.
A. Introduction
As a sequel to the first paper of Blockchain & Law article
series titled ‘A New Digital Order – Unveiling the
Interplay of Law & Blockchain Technology‘, this paper
explores the inter-operability of India’s data privacy regime
and blockchain technology. In this regard, recording of a webinar
conducted on ‘Blockchain & Data Privacy: An India
Perspective’ by the AKS Partners can be viewed on YouTube
here.
B. Data privacy in India
Constitution of India
Article 21 of the Indian Constitution is a comprehensive,
all-encompassing provision that inheres within itself basic,
fundamental rights that are absolutely essential to the existence
of a human being with dignity and personal liberty. In the judgment
of K.S. Puttaswamy v. Union of
India,1 a nine-judge bench of the
Honourable Supreme Court of India held that the right to privacy
falls within the contours of Article 21 and is incidental to life
and personal liberty. This right to privacy includes the right to
data protection and privacy.
Information Technology Act, 2000
In India, data privacy is governed by the Information Technology
Act, 2000 (“IT Act“) and the Information
Technology (Reasonable security practices and procedures and
sensitive personal data or information) Rules, 2011
(“SPDI Rules“). Sections 43A
(Compensation for failure to protect data) of the IT Act
provides a statutory right to a data provider to claim compensation
for unapproved disclosure of information (including in breach of a
contract). Under Section 72A (Punishment for disclosure of
information in breach of lawful contract) of the IT Act,
wherever any person including an intermediary discloses information
obtained under a lawful contract without consent shall be punished
with imprisonment or with fine or both.
SPDI Rules
The SPDI Rules constitute a set of basic obligations to be
adhered to in circumstances where sensitive data is being
collected. It may be noted that the SPDI Rules apply only to
‘Sensitive Personal Data or Information’.2 The
SPDI Rules lay down guidelines for collection (Rule 5) and
transfer of information (Rule 7) and also mandatorily
require body corporates to adopt and implement a policy for privacy
and disclosure of information (Rule 4).
On 24 August 2011, the Ministry of Electronics and Information
Technology issued a clarification to the SPDI Rules
(“Regulatory Clarification“). The
Regulatory Clarification states that the SPDI Rules are applicable
only to body corporates or persons located within India. Also,
where a body corporate deals in data of any legal entity located
within or outside India under a contractual arrangement, the SPDI
Rules pertaining to collection (Rule 5) and disclosure of
information (Rule 6) would not apply. It was also
clarified that requirement to obtain written consent under Rule
5(1) of the SPDI Rules includes electronic consent as well.
The Personal Data Protection Bill, 2019 (“Bill”)
The Bill is inspired from and is in many ways a replica of the
European Union’s General Data Protection Regulations
(“GDPR“). The Bill lays down several
provisions including in relation to crossborder transfer of data,
sandboxing, privacy by design and introduces a more robust set of
obligations for entities handling sensitive personal data. The Bill
is currently pending before a Joint Parliamentary Committee. The
Bill applies to and categorises data into ‘Personal Data’,
‘Sensitive Personal Data’ and ‘Critical Personal
Data’.
Sectoral regulations
Regulated sectors such as telecom and financial services have
separate obligations of confidentiality which restricts disclosure
and transfer of customer personal information and mandates use of
such information only in the manner agreed with the customer.
Certain sectoral regulators (like Reserve Bank of India) also
mandate data localisation.
C. Blockchain technology and data privacy
For details on the working of a blockchain network, please refer
to our previous paper here.
Coverage
The Bill defines ‘Personal Data’) as ‘data about or
relating to a natural person who is directly or indirectly
identifiable’. This means where the origins of the data cannot
be traced down to a natural person, the data would cease to be
‘Personal Data’. Resultantly, storing the data in a manner
where it cannot be traced to a natural person (including by
introducing and implementing robust methods to address
re-identification risks) may prove beneficial in reducing a
blockchain network’s interaction with data privacy regulations
(such as by encryption or anonymisation of Personal Data).
Public v. Private Blockchain
Private blockchain which restricts and regulates network
participation appears to be a more preferable fit when it comes to
ensuring compliance with data privacy laws. Public blockchains with
permissionless borders pose greater difficulty in procuring every
participant to agree on and comply with relevant rules on
protection of personal data.
Stakeholders
The Bill identifies three categories of stakeholders (similar to
GDPR) viz. Data Principals, Data Fiduciary and Data
Processor. The SPDI Rules only provides for data provider and body
corporate or person collecting data. The term ‘Processing’
has been defined to include collection, storage, retrieval,
adaptation, disclosure etc. (Section 3(31)). Accordingly,
any data stored or transmitted on blockchain will amount to
processing.
Blockchain network is a decentralised system with each node /
miner (i.e. network participant) spread all over the
world. There is no clear demarcation between a Data Principal and a
Data Fiduciary or a Data Processor over a blockchain network. The
way the network functions, no single person can be said to be
in-charge of the network thereby making it all the more problematic
for regulators to fix the compliance burden on a party.
Accordingly, the question of determining the identity status and
fixing liability of various participants attains significance and
complexity over a distributed ledger network like blockchain.
Each node over the network functions as a Data Processor on
account of participation in the verification of the data. At the
same time one or more of such nodes may also be acting as a Data
Principal. With respect to mining over the network while it is a
single miner who is able to formulate a valid hash, all the other
miners also participate in the mining activity when they attempt to
arrive at the winning lottery number. Thus making such miner also a
Data Processor. While fixing liability on a private blockchain
network that restricts the number of network participants is
comparatively less complex, the same would be quite challenging on
a public blockchain network, such as Bitcoin. With regard to
identifying the status and roles, the guidance issued by French
data protection authority (“CNIL
Guidance“)3 in the context of GDPR is
useful. The CNIL Guidance categorises blockchain actors into the
following groups: (a) participants with full read and write access
to the data; (b) participants with read only access; and (c) miners
that validate the transactions.
Participants falling in category (a) above are Data Controllers
(equivalent to a Data Fiduciary under the Bill) while categories
(b) and (c) are not.
Collection and processing of data over a blockchain
network
The Bill sets out a number of obligations that have to be
performed by the Data Fiduciaries, some key compliances being,
obtaining consent of the data principals, retaining the data only
till absolutely necessary (Storage Limitation), providing notice to
the Data Principals, ensuring data is used only for the purpose
(which has to be specific, clear and lawful) for which it has been
taken (Purpose Limitation). Rule 5 of the SPDI Rules also lays down
similar obligations for collection of data. Key concerns that the
inherent and intrinsic nature of the blockchain technology raises
are as under:
Firstly, with respect to the Storage Limitation
principle, the immutable nature of the technology prevents the data
from being deleted once the purpose has been fulfilled.
Secondly, given the decentralised nature of blockchain,
it becomes challenging to determine the exact purpose for which
data is collected over such a widespread network and who is to keep
a check that the data so collected is used only for such predefined
purposes.
Thirdly, it is commonly argued that the network
participants over a blockchain impliedly consent while sharing
their data. This may not however fulfil the requirements under the
Bill which requires consent to be clear, through an affirmative
action. This gives birth to concomitant regulatory issues over a
decentralised system as to who shall oblige with these compliances
under the law and who should be made responsible / liable for any
lapses in compliance.
Lastly, the Bill also proposes certain additional
requirements such as transparent and fair processing and the
Purpose Limitation. The blurred distinction in the status of
identities in blockchain makes determining purpose and manner of
processing challenging.
A detailed governance framework setting out roles and
responsibilities, off-chain and on-chain personal data, may provide
useful guidance towards addressing the aforementioned concerns.
Key rights of Data Principals
Right to Confirmation and Access
The Bill entitles the Data Principals to seek information
regarding the types and nature of personal data stored with the
Data Fiduciaries, or to ascertain the nature of processing
activities that has been undertaken on his/her data, or seek a
brief summary of processing activities undertaken. While
enforcement of this right may not be technically difficult,
however, blockchain networks may establish a proper governance
framework that delineates a specific authority to pass over the
requisite data to the data principal as and when asked for. The
network may also consider laying out methods of searching and
accessing the necessary information which may be de-encrypted with
the use of the private key.
Right to Correction
Section 18 of the Bill and Rule 5 of the SPDI Rules provides the
right to rectify or correct the data. Given the immutable nature of
the decentralised ledger maintained on a blockchain, exercising
this right may not be compatible. To accomplish
alteration/correction of data would be a burdensome task since it
will require a majority of nodes to come together to identify the
data, alter and re-hash not just the concerned block but also all
previous blocks as well. Alternatively, a new block with corrected
information may be added once verified through the consensus
mechanism.
Right to be Forgotten
The Bill introduces ‘Right to be Forgotten’
(“RTF“). RTF entitles data principals to
request the removal of his/her personal data, without undue delay,
from any business’s storage. RTF has been in loggerheads with
the inherent immutability of blockchain technology. Across
jurisdictions the term ‘forgotten’ has been pegged with
erasure and is construed in various senses in different
jurisdictions, ranging from data anonymisation,4
destruction of hardware,5 putting data beyond
use.6
Given the distinction within the types of blockchain, the modes
for exercising RTF are uniform by and large. A widely discussed
solution is the destruction of the private key, thereby rendering
the data encrypted by a public key inaccessible.7 Owing
to the setup of blockchain, a Data Principal may reach out to any
entity in the chain that qualifies as a Data Fiduciary to enforce
their rights. Similar
to the Google-Spain case,8 wherein data
subject’s action against Google remained unaffected by the fact
that the data could have been removed by the newspaper’s
website itself.9 However, the nature of a public
blockchain network that does not identify a central authority might
prove somewhat problematic where the data principal seeks to
enforce his/her right.
As countries are yet to formulate policies with respect to
regulation of blockchains, some other alternatives for exercising
RTF can be programming chameleon hashes, zero knowledge proofs or a
censorable blockchain, as the same would be
‘forgetful’.10
Cross-Border Transfer of Data
Chapter VII of the Bill, which deals with restrictions on
cross-border transfer of data, requires a copy of the Sensitive
Personal Data to be stored domestically while Critical Personal
Data must exclusively be processed and stored in India. However,
these clear demarcations blur when applied to a blockchain
ecosystem where storage and processing of data can be universal.
Transfer of Sensitive Personal Data, requires explicit consent and
the transfer must be under a contract or an intra-group scheme
approved by the data protection authority (envisaged to be
established under the Bill). While both of these requirements may
get fulfilled over a private blockchain easily, a public blockchain
due to undefined groups and lack of a central entity / authority
may find it more challenging to implement adequate safeguards on
restricting such transfer. Over a private blockchain the central
body may enter into e-contracts with any number of participants and
also obtain their explicit consent.
Under the present regime, Rule 7 of the SPDI Rules provides that
a transfer outside India may only be allowed where the country
offers the same level of protection to the data. Again, enforcing
this may be challenging over a public blockchain network comprising
of thousands of nodes across borders. An in-built cross-border
transfer consent clause in the governance framework or otherwise
may also provide the needed legitimacy from the perspective of data
privacy.
D. Jurisdictional Issues
The present uncertainty in law (including lack of adequate legal
provisions) has resulted in jurisdictional issues concerning the
domestic and transnational presence of the blockchain network.
While Section 1(2) read with Section 75 of the IT Act accords
limited extra-territorial applicability to the Act, the SPDI Rules,
as mentioned in the Regulatory Clarification are applicable only to
body corporates or persons located in India. Consequently,
blockchain technology may need to comply with the IT Act to a
certain extent, while, the mandate under the SPDI Rules will bind
only the nodes/miners operating from India. As a result, the
network participants operating outside India on the same blockchain
will not be required to comply with the SPDI Rules or IT Act.
Section 2 of the Bill affords extra-territorial application but
only in certain limited circumstances viz. where the
processing which takes place outside India is in connection with
any business in India, or which involves the profiling of
individuals within India. This will result in a subjective
assessment of blockchains and its purposes in order to ascertain
the applicability of the provisions of the Bill.
The Civil-Commercial Courts in India, have applied the test as
to whether a website is an ‘interactive
website’11 for determination of jurisdiction, in
relation to websites that do not have a physical place of business
in a jurisdiction.12 In other words, wherever a website
facilitates or even intends to facilitate active trade / commercial
transactions in jurisdictions where it does not have a physical
place of business, in such cases cause of action, if any, arises in
all such jurisdictions where the website operates interactively.
However, applying such a test on a blockchain network may not be so
straightforward. The intrinsic nature of the blockchain technology
allows for processing and storage of data at multiple domestic and
international jurisdictions simultaneously. Resultantly, in both
domestic as well as international, identification of the place of
cause of action becomes complex. The complexity increases as
identification of the individuals processing and storing data
(nodes) would require de-anonymisation.
The determination of applicable laws will also depend on the
nature of a blockchain network. It is practically more difficult to
regulate a public blockchain network than a private blockchain
network. In a private blockchain the architect/controlling entity
may determine the governing laws or the governance framework may
provide for a governing law.
In light of the foregoing, it may come as a mammoth task for
governments to enforce their respective data protection and
cyber-security legislations against such transnational networks
without consensus on a multi-national treaty suggesting a model law
to regulate the use of blockchain networks. In the alternative,
laws may promote self-regulation by merely identifying basic tenets
of regulations like governing law, data privacy, certification etc.
Non-compliance may include compulsory suspension/termination of
participation rights of nodes or blocking access to blockchains
which do not provide for adequate self-regulation.
The developers of blockchain networks may consider incorporating
dispute resolution and regulatory mechanisms as integral parts of
the networks. The developers may also consider coding networks with
peer-to-peer decentralized courts such as ‘kleros’ or
‘codelegit’ as part of a network’s dispute resolution
process.
E. Way forward
Blockchain technology carries the potential of disrupting
business operations right from supply, manufacturing, logistics and
final consumption especially in a post Covid-19 era. Please refer
to our previous article on use cases of blockchain here.
Accordingly, it is crucial that data privacy laws (with adequate
concessions, where necessary) be treated as an enabler and not
inhibitor to continued adoption of blockchain technology. Certain
additional rights like data portability and right to withdraw
consent adds to the complexity of having a compliant blockchain
network. Certain obligations like mandatory registration may also
be problematic if the government notifies certain blockchain
network as a significant data fiduciaries.
Set out below are few indicative measures towards harmonious
application of data privacy laws and blockchain technology:
1) Every blockchain network must provide a detailed governance
framework that is in alignment with the basic requirements under
data privacy regulations. Such a framework would have to be binding
on all participants over a blockchain network, stating all rights,
obligations and duties of parties, including a detailed mechanism
for communication, security measures, cross-border data transfer,
and grievance redressal and may even set out applicable laws
etc.
2) Such a self-governance framework could also include a privacy
by design policy and provisions for Data Protection Impact
Assessment (as set out in Chapter VI of the Bill).
3) ‘Pruning’ is used for situations where historical
blocks of data beyond a certain timeline are deleted. Similarly,
where data has to be altered or rectified, the same may be done by
‘forking’ where data is altered or deleted, the hash
changed and a new fork is created. However, over a public
blockchain Pruning and Forking can be challenging and may require a
huge amount of computing consensus.
4) To ensure the safeguarding of right to privacy a Memory
Optimized and Flexible Blockchain (MOF-BC) can be considered as an
effective measure. It enables the IoT (Internet of Things) users
and service providers to edit their transactions, thereby altering
the details of data entry.13
Footnotes
1 K.S. Puttaswamy v. Union of India, (2017) 10 SCC
1.
2 SPDI Rules, R. 3 defines ‘Sensitive Personal Data
of Information’ to include personal information comprising of
password, financial information, health conditions etc.
3 Commission Nationale de l’informatique et des
Libertés, Solutions for a responsible use of the
blockchain in the context of personal data, https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf.
4 Austrian Data Protection Authority,
DSB-D123.270/0009-DSB/2018 (05 December, 2018),
https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20181205_DSB_D123_270_0009_DSB_2018_00/DSBT_2018
1205_DSB _D123_270_0009_DSB_2018_00.html.
5 Article 29, Working Party, Opinion 05/2012 on Cloud
Computing (WP 196) 01037/12/EN, https://www.technethics.com/assets/Opinion-05-2012-on-Cloud-Computing.pdf.
6 Individual Rights, INFORMATION
COMMISSIONER’S OFFICE, https://ico.org.uk/for-organisations/guide-to-dataprotection/guide-to-the-general-data-protection-regulationgdpr/individual-rights/right-to-erasure/.
7 Commission Nationale Informatique et
Libertés, (September 2018), https://www.cnil.fr/sites/default/files/atoms/files/la_blockchain.pdf.
8 Case C-131/12 Google Spain and Google Inc. v
Agencia Española de Protección de Datos (AEPD) and
Mario Costeja González (2014) EU:C:2014:317, para 80.
The Court emphasised that search engines made it easier for
internet users to find the relevant data and played an important
role in its dissemination which was ‘liable to constitute a
more significant interference with the data subject’s
fundamental right to privacy than the publication on the web
page’.
9 Finck, M. (2019). Blockchain and the General Data
Protection Regulation. Tech. rep., Panel for the Future of Science
and Technology at European Parliament
10 Ateniese G, ‘Redactable Blockchain – or
– Rewriting History in Bitcoin and Friends‘, EURO
S&P (2017), https://eprint.iacr.org/2016/757.pdf.
11 An interactive website comprises of internet pages
that allows active participation of users. For example, online
retail websites or social networking websites can be categorized as
interactive websites.
12 World Wrestling Entertainment Inc. v. M/s Reshma
Collection, 2013 SCC OnLine Del 3987.
13 Ali Dorri, MOF-BC: A memory optimized and flexible
blockchain for large scale networks, 92 Future Generation
Computer Systems 357-373 (2019).
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.