While hoteliers might be interested in working with blockchain—the technology that powers cryptocurrencies such as Bitcoin—they need to keep in mind some legal hurdles, particularly in relation to GDPR.
REPORT FROM THE U.S.—Two of the biggest hot-button issues in data and technology over the past few years have been the European Union’s General Data Protection Regulation and the emergence of blockchain technology. And no one quite knows yet how—or even if—the two might work together.
Speaking during a recent webinar hosted by HTNG, Richard Sheinis, a partner with Hall Booth Smith, said there’s still a lack of clarity between the emerging technology and the regulatory environment.
“The use of blockchain is not yet mature enough to provide with specifics,” he said. “None of the legislative bodies—whether it’s the European Commission or the supervisory authorities in individual states in the EU—have commented on blockchain or provided guidance on how it can be used under privacy and security laws.”
But here are some takeaways on what is currently known about how blockchain fits under existing laws.
No laws were created with blockchain in mind
GDPR is now viewed as the gold standard for data privacy laws across the globe, and even though it only went into effect in 2018, Sheinis said the “law always lags behind technology,” and GDPR and similar laws do not specifically account for the workings of blockchain.
“Really getting into the everyday uses of blockchain, whether in hospitality, (financial technology) or so forth, wasn’t on anyone’s radar (when GDPR was created),” he said. “So what we’re left with is a set of laws that do not address or consider blockchain. So we have to determine if blockchain can still be used in a way that meets GDPR or other data and security regulations.”
He noted it can be particularly difficult to sort through the rights afforded to individuals under GDPR with the distributed nature of how data is stored—potentially scattered around the globe—via blockchain.
Laws similar to GDPR are also in force in places such as Brazil, Argentina and Japan, Sheinis said. He noted it is unclear how the U.K.’s pending exit from the EU will affect that country’s data regulations.
It’s also still unclear how the California Consumer Privacy Act, which is structured in similar ways to GDPR but has key differences, will ultimately impact technologies like blockchain, he added. The CCPA was passed in 2018 but will not go into effect until 2020, and the California legislature has the ability to change it before then.
How can data be forgotten if blockchain is forever?
One of the biggest conflicts between GDPR and blockchain technologies might be the so-called “right to be forgotten,” under which data subjects can insist that data holders wipe their information from their systems.
“If a blockchain is immutable and supposedly forever, then how do you erase all of that data when someone exercises their right to be forgotten?” he asked.
The permanence of data storage is a strength of blockchain, Sheinis noted, because that’s what makes it “less susceptible to being changed through hackers taking advantage of it,” but it can be problematic in relation to regulation.
“The question is, how are blockchain developers going to handle a request to delete or rectify data?” he said.
The permanence of blockchain can also be problematic when it comes to consent issues. Many types of data handling require consumer consent, which may be withdrawn at a later date. It’s unclear how withdrawing consent will work in a blockchain environment.
“Can you make sure none of the nodes do anything further with that data?” Sheinis asked.
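The erasure and consent questions raised above are usually approached by keeping personal data off-chain and recording only a salted hash commitment on the immutable ledger, so that deleting the off-chain record (or its salt) leaves the chain intact and verifiable while the committed value can no longer be resolved or proven. The following is an added illustration of that pattern, not code from the webinar or any named product; the toy ledger, the in-memory off-chain store and the guest record are constructed for the example.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass

GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    prev_hash: str
    commitment: str  # H(salt || PII): reveals nothing without the off-chain salt and data
    hash: str = ""

    def compute_hash(self) -> str:
        payload = f"{self.index}|{self.prev_hash}|{self.commitment}".encode()
        return hashlib.sha256(payload).hexdigest()


def commitment_of(salt: bytes, pii: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    canonical = json.dumps(pii, sort_keys=True).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


def commit_record(ledger: list, store: dict, record_id: str, pii: dict) -> Block:
    # A fresh 256-bit salt makes the on-chain hash useless for guessing low-entropy PII.
    salt = secrets.token_bytes(32)
    store[record_id] = {"salt": salt, "pii": pii}  # off-chain, erasable
    prev = ledger[-1].hash if ledger else GENESIS_PREV
    block = Block(len(ledger), prev, commitment_of(salt, pii))
    block.hash = block.compute_hash()
    ledger.append(block)
    return block


def erase_record(store: dict, record_id: str) -> bool:
    # Honouring an erasure (or consent withdrawal) request touches only the off-chain store.
    return store.pop(record_id, None) is not None


def resolve(store: dict, record_id: str):
    entry = store.get(record_id)
    return entry["pii"] if entry else None


def proves_membership(ledger: list, store: dict, record_id: str, block_index: int) -> bool:
    # Without the off-chain salt and data, nobody can link the block to a person.
    entry = store.get(record_id)
    return entry is not None and ledger[block_index].commitment == commitment_of(entry["salt"], entry["pii"])


def verify_chain(ledger: list) -> bool:
    for i, b in enumerate(ledger):
        expected_prev = ledger[i - 1].hash if i else GENESIS_PREV
        if b.prev_hash != expected_prev or b.hash != b.compute_hash():
            return False
    return True
```

The commitment still lets the holder prove a record was registered while the off-chain copy exists, which is what makes this a mitigation rather than a full answer: any node that copied the payload before erasure is outside this mechanism's reach.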
Geography creates problems
As blockchain ledgers can be spread across the globe, blockchain might run into issues with GDPR and similar regulations that require specific safeguards to be in place before data can be transferred between countries, Sheinis said.
There are also countries such as Russia with so-called “data-localization” laws that require the original data on citizens to be stored within their borders, although copies can be housed overseas. This can be problematic given the nature of blockchain, because it can be hard to determine which instance is the original and which is the copy, he said.
“When we have distributed nodes, does each node have an ‘original?’” he asked. “Does each node have what’s considered a copy? I’m not 100% sure of the answer of that, but I do know it’s something we’d want to address before jumping into blockchain.”
How do the roles apply?
The GDPR sets out specific roles in the chain of dealing with data, including a “data controller,” essentially whoever owns or holds the data, and a “data processor,” whoever handles data on the controller’s behalf. GDPR requires specific contracts to be set up between controllers and processors, but those roles can be muddied when it comes to deploying blockchain technology.
“The question with blockchain and distributed nodes that all have access to the data is ‘Are each of these nodes a data processor?’” Sheinis asked. “If they are, then you need an Article 28 contract … with each node. Is that really feasible? Will each node be able to fairly and truthfully represent that it will be compliant with GDPR?”
Private vs public
Sheinis said blockchains can be structured to be either public (“permission-less”), the model used by prominent cryptocurrencies, or private (“permissioned”). Use of the technology in the hospitality industry is more likely to be the latter, he said. Either way, it can be a complicating factor for regulations like GDPR, which require that data subjects be given access to their data.
How do you create records?
GDPR requires records to be kept of when and how data is processed. It’s unclear what those records would even be in relation to the distributed ledger/nodes used in blockchain, Sheinis said.
“Even within a private blockchain, are (the nodes) the processors? Even if they aren’t, if the data is still in these nodes, what can be said about how you record a record of that data, that processing,” he said.
Companies are also required to tell consumers who they share data with, which again can be complicated, he said.
“How do we describe (the distributed nodes)? How do we account for that? How do we let the data subject know in the interest of being transparent?” Sheinis asked.