[This article builds upon "Blockchain and privacy – is encryption the solution?" published on CIO and the Russell McVeagh Insights page in January 2019.]
More work is needed by organisations and Government to ensure Blockchain-powered platforms can be leveraged to their full extent.
With Blockchain-powered platforms becoming more commonplace, organisations will increasingly look to use these to store information. However, very little of our law has been designed with Blockchain in mind. Legislative requirements relating to privacy, publication of certain types of content, and destruction of records are likely to create issues for organisations interested in implementing Blockchain-powered solutions.
Nature of the technology
Blockchains are usually described as 'immutable', meaning information stored on the Blockchain cannot be changed or deleted. This promotes trust in the information stored on the chain. The distributed nodes ensure there is no central control over the Blockchain, which increases the transparency of the system and security of the information.
Blockchains can be either public or private. A private chain, also known as a permissioned chain, is only shared with certain people rather than with the public at large and allows for different access rights. This type of chain is likely more suited to commercial use, however, it does not have some of the principled benefits of Blockchain technology.
Public chains are free for anyone to access and add to, and are the truly decentralised form of Blockchain.
The Problem: Legislative Requirements
The Privacy Act 1993
A Blockchain without capacity to correct or destroy personal information may not be practical for real-world uses in circumstances where data pertaining to individuals will be stored because it will not comply with principles of the Privacy Act relating to the correction, retention, and destruction of personal information.
Films, Videos and Publications Classification Act 1993
There has been a significant recent global movement to restrict the nature of content that can be shared on social media. Publications declared "objectionable" (such declaration having retrospective effect), pursuant to this Act, cannot be distributed or published. It may be difficult to delete that content if it is stored using Blockchain technology, which creates a risk of liability relating to that publication.
Anti-Money Laundering (AML) Law
Organisations undertaking client due diligence to comply with New Zealand's AML law must take all practicable steps to delete information relating to a client once that information is no longer required. Again, if that information is stored using Blockchain technology, fulfilling this statutory requirement would be difficult.
The situations described above outline some of the issues arising from our existing legislation, and similar issues could arise from contractual relationships and regulatory requirements (including under the listing rules of a stock exchange).
Possible solutions
"Chameleon" hash mechanisms
Blockchain could allow for the use of these, which change the information on a block without altering that block's hash and ensuring the chain is not broken or forked. Chameleon hashes are only possible with permissioned or private Blockchains, so this solution is inconsistent with a truly decentralised ledger and only appropriate in some applications.
Encryption
Effective encryption may be a possible way to ensure the security of the information. Risks to this method include the possibility of new technologies developing the ability to decrypt information by brute force or the access key could become public following a hack. The encryption method is also not useful if information is initially put onto the Blockchain unencrypted (as would likely be the case with content declared objectionable after it has already been published), as to retrospectively encrypt information would require something similar to the Chameleon hash function.
It is clear that current laws are not well suited to the use of Blockchain-powered platforms by New Zealand organisations in a number of circumstances and until attention is given to these issues by Government, the implementation of such platforms may be constrained, and potentially carry heightened risk. Ultimately, organisations will need to ensure that any implementation of Blockchain technologies has mechanisms built in to allow them to comply with legislative requirements.
* * *
Angus Hancock, Law Clerk
Russell McVeagh