The internet has morphed from a unidirectional portal allowing users access to various platforms, into a world where we knowingly—and sometimes unknowingly—create online profiles rife with our personal information, habits and preferences.

The current design and use of the internet results in the daily generation of terabytes of personal data. As such, it is essential that a potential user consider whether a platform’s design is intended to benefit or exploit consumers.

Companies have focused on acquiring vast amounts of such data, and in response, privacy-focused legislation such as the European Union’s General Data Protection Regulation (GDPR) has attempted to protect and empower individual users and to reshape the way organizations approach data privacy.

Unfortunately, security events such as the Equifax hack and the unsolicited harvesting of personal data via Facebook have shown that it is a matter of when, not if, centrally stored data will be compromised.

In the case of a personal data breach, the GDPR authorizes the EU data protection authorities to impose fines of up to EUR 20 million or 4 percent of the business’s total annual worldwide turnover, whichever is greater.

The authorities regularly exercise their sanctioning power. For example, in July 2020, the Romanian data protection authority fined an airline company because it had failed to implement adequate technical and organizational measures to secure data processing, which enabled the unauthorized disclosure of the personal data of five passengers. In the same month, the authority also sanctioned a company that failed to take adequate technical and organizational measures to ensure data security, which led to the publication on Facebook of a document allowing unauthorized access to the personal data of 436 individuals.

Blockchain Enters the Equation

An important advantage of blockchain networks is that they drastically improve security for the underlying data, which, in turn, may help companies avoid breaches of data protection laws.

Furthermore, blockchain technology represents the opportunity for a paradigm shift regarding the storage and use of your personal data, one that is able to remove central points of failure and empower individuals to control and monetize their own data.

Google, Facebook, and other major companies whose business relies predominantly on personal data are heavily criticized for unfairly benefiting from the personal data of their users. Points of criticism include, but are not limited to:

  • The insufficient control users have over their personal information.
  • The risk of re-identification of anonymized personal data.
  • The lack of valid consent given by users.

By preventing any single entity from controlling users’ personal information, blockchain removes the ability of these entities to sell or monetize your personal data.

Instead, transaction data could be encrypted under a key held only by the user (their private key), opening up the potential for users to monetize their data by decrypting selected parts of their own transaction history and personal data for advertisers or brands.

There are a number of reasons for businesses to incorporate blockchain technology into their offerings, including lower costs, added security, and its unique ability to leverage crypto-economics to incentivize customer behavior.

The design of new blockchain platforms and their accompanying ecosystems will likely govern the interpretation of property rights on a blockchain. The use of blockchain can allow for a user to decide how and when their data is utilized and to be compensated for such use.

While such compensation likely will not be life-changing (Facebook was earning on average $20.21 per user in 2017), ownership of our own data, and the ability to police its use, is no small matter.

The tokenization of ecosystems created atop a public blockchain allows incentivization mechanisms to be built in, so that users can be compensated for personal data they choose to release.

In such ecosystems, individuals would retain ownership of their personal data until they grant a third party access, at a price.
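The two passages above (a user encrypting their own data and selectively releasing parts of it, and granting a third party access only on the user's terms) describe a selective-disclosure design without specifying one. The following is an added example, not code from the article or from any platform it mentions. It uses a commit-and-reveal scheme, which is my own choice of mechanism: the ledger carries only salted SHA-256 commitments to each profile field, the user keeps the plaintext and the salts off-chain, and a third party that is granted one field can verify it against the on-chain commitment without learning any other field. The profile values and field names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample profile; names and values are placeholders, not real data.
SAMPLE_PROFILE = {
    "age_bracket": "25-34",
    "city": "Bucharest",
    "purchases_last_30d": "3",
}


def commit(value: str, salt: bytes) -> str:
    """Hash commitment to one field: SHA-256(salt || value).

    The random salt matters: without it, a low-entropy value such as an
    age bracket could be recovered from the commitment by guessing.
    """
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


@dataclass
class UserVault:
    """The user's side: plaintext and per-field salts never leave this object
    unless the user explicitly grants a field."""
    profile: dict
    salts: dict = field(default_factory=dict)

    def publish_commitments(self) -> dict:
        """Produce what goes on the ledger: one commitment per field, no plaintext."""
        ledger_entry = {}
        for name, value in self.profile.items():
            salt = secrets.token_bytes(16)
            self.salts[name] = salt
            ledger_entry[name] = commit(value, salt)
        return ledger_entry

    def grant(self, name: str) -> dict:
        """Disclose a single field (value plus its salt) to a third party."""
        return {
            "field": name,
            "value": self.profile[name],
            "salt": self.salts[name].hex(),
        }


def verify_disclosure(ledger_entry: dict, disclosure: dict) -> bool:
    """Third party's check: recompute the commitment from the revealed value and
    salt and compare it with what the ledger holds for that field."""
    expected = ledger_entry.get(disclosure["field"])
    if expected is None:
        return False
    actual = commit(disclosure["value"], bytes.fromhex(disclosure["salt"]))
    return hmac.compare_digest(actual, expected)


def ledger_leaks_plaintext(ledger_entry: dict, profile: dict) -> bool:
    """Sanity check a reviewer would run: does any raw value appear on-chain?"""
    return any(v in ledger_entry.values() for v in profile.values())


if __name__ == "__main__":
    vault = UserVault(dict(SAMPLE_PROFILE))
    entry = vault.publish_commitments()
    granted = vault.grant("city")
    print("valid disclosure:", verify_disclosure(entry, granted))
    forged = dict(granted, value="Paris")
    print("forged disclosure:", verify_disclosure(entry, forged))
    print("plaintext on ledger:", ledger_leaks_plaintext(entry, SAMPLE_PROFILE))
```

Keeping only commitments on the ledger has a second benefit relevant to the GDPR discussion later in the article: no personal data is written to the immutable chain, so the difficulty of erasing on-chain data does not arise for the profile itself.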

It should be noted that blockchain companies allowing users to control and benefit from their personal data already exist. One such platform is digi.me. Julian Ranger, one of the developers of the platform, described digi.me as follows:

“We are building a worldwide decentralized personal data grid owned by the individuals themselves. We are not building services on that data – we are the librarian for the individual, and their postman when sharing data.”

Jurisdictional Issues of Blockchain-based Applications

However, blockchain-based applications could potentially face jurisdictional issues if care is not taken in the design of said applications. The computers, or nodes, validating transactions on a blockchain can conceivably be (and arguably should be) in a variety of jurisdictions, many of which have differing legislation governing title and rights.

As each node is playing a role in validating a transaction, it is conceivable that every transaction could be governed by each jurisdiction which hosts a node. Regulatory authorities have, for the most part, not yet ruled on these jurisdictional issues, but it is easy to envision a contentious or highly litigious scenario.

It may be wise for the creators of blockchain-based applications to include a governing law and jurisdiction clause in their smart contracts and public-facing documents, so that it is certain which legislation governs the rights of the parties to an agreement.

Blockchain-based applications that are supported by initial coin offerings (ICOs) can face particularly severe jurisdictional issues, as many jurisdictions have started regulating ICOs. Such jurisdictions usually require all companies engaged in the promotion or launch of ICOs to obtain the relevant licenses.

The mass regulation of ICOs began in 2018 and was a logical consequence of the growing importance of ICOs around the world. From January to November 2018, about USD 21.7 billion was raised through ICOs.

Violating the laws governing ICOs may lead to severe sanctions. For example, the Maltese Virtual Financial Assets Act (a law governing the launch of ICOs and the associated whitepapers) imposes fines and imprisonment on violators.

Accountability Issues

In most cases, a person or company is solely responsible for the data stored on centralized servers. For example, the Court of Justice of the European Union ruled in the case of Google Spain v AEPD that a search engine can be held accountable for the protection of personal data on websites accessible through its service.

However, it is not clear who is responsible for the data stored on decentralized public blockchain networks. The data stored on such networks is usually stored on thousands of computers and, therefore, no single person can be held accountable for it.

Privacy Issues

Many privacy experts claim that blockchain technologies are unable to comply with various privacy laws, including the GDPR. This is because privacy laws usually require data controllers and data processors to take responsibility for the data they collect and process.

However, in the context of blockchain applications, it is not clear who the data processors and the data controllers are. The term “data controller” refers to a legal or natural person who determines the purpose for which certain personal information will be processed, whereas the term “data processor” refers to a person who processes personal data on behalf of the data controller.

Many blockchain networks are operated and supported by all their users, which can mean that every user of a blockchain application is a data controller or a data processor. More specifically, users submitting personal data to blockchain systems would be regarded as data controllers, while users processing personal data would be regarded as data processors.

Another privacy drawback of blockchain technologies is that they transfer data between nodes located in a large number of countries. Under the GDPR and other privacy laws, data transferred outside the European Union should be subject to certain data protection safeguards.

Such safeguards include, but are not limited to, the conclusion of data processing agreements and Privacy Shield certifications. Since public blockchain networks are fully decentralized, implementing such safeguards is virtually impossible.

Blockchain technologies have privacy benefits as well. Because such technologies rely on a decentralized ledger, there is no single point of failure for cyber attackers to target. Altering the copy of the ledger held by every node would require a huge amount of computing power.

Thus, the decentralized nature of blockchain networks offers excellent protection of personal information. Another privacy benefit of blockchain is the possibility of using cryptography to secure personal data.
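The claim above, that altering the ledger on every node requires a huge amount of computing power, rests on two mechanisms the article names only in passing: each block commits to the hash of its predecessor, and producing a valid block requires proof-of-work. The following is an added example, not code from the article or any real blockchain; it is a minimal hash-chained ledger with a small proof-of-work target (the difficulty constant and the transaction strings are constructed for the demo). It shows that editing one block on a node's copy breaks verification of every block after it, and it counts the hash attempts an attacker would need to re-mine the chain from the edited block onward, which is the work that would then have to be repeated on a majority of nodes.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, asdict

# Leading zero bits a block hash must have. Constructed for the demo; real
# networks use a far higher target so that re-mining is infeasible.
DIFFICULTY = 12


@dataclass
class Block:
    index: int
    prev_hash: str   # hash of the previous block: the link that makes the chain tamper-evident
    data: str        # transaction payload (constructed strings in the demo)
    nonce: int = 0   # adjusted by mining until the hash meets the target

    def hash(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()


def meets_difficulty(block_hash: str, bits: int = DIFFICULTY) -> bool:
    """True if the top `bits` bits of the 256-bit hash are zero."""
    return int(block_hash, 16) >> (256 - bits) == 0


def mine(block: Block, bits: int = DIFFICULTY) -> Block:
    """Brute-force the nonce until the block hash meets the target."""
    block.nonce = 0
    while not meets_difficulty(block.hash(), bits):
        block.nonce += 1
    return block


def build_chain(records, bits: int = DIFFICULTY):
    chain = [mine(Block(0, "0" * 64, "genesis"), bits)]
    for i, record in enumerate(records, start=1):
        chain.append(mine(Block(i, chain[-1].hash(), record), bits))
    return chain


def verify_chain(chain, bits: int = DIFFICULTY) -> bool:
    """Every node runs this: each block must meet the target and point at the
    actual hash of its predecessor."""
    for i, block in enumerate(chain):
        if not meets_difficulty(block.hash(), bits):
            return False
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False
    return True


def tamper(chain, index: int, new_data: str):
    """Simulate an attacker editing one block on a single node's copy."""
    forged = copy.deepcopy(chain)
    forged[index].data = new_data
    return forged


def rewrite_from(chain, index: int, new_data: str, bits: int = DIFFICULTY):
    """Re-mine every block from `index` onward so the forged chain verifies
    again. Returns the forged chain and the total number of hash attempts."""
    forged = tamper(chain, index, new_data)
    attempts = 0
    for i in range(index, len(forged)):
        if i > 0:
            forged[i].prev_hash = forged[i - 1].hash()
        mine(forged[i], bits)
        attempts += forged[i].nonce + 1
    return forged, attempts


if __name__ == "__main__":
    ledger = build_chain(["tx: alice->bob 5", "tx: bob->carol 2", "tx: carol->dave 1"])
    print("honest chain valid:", verify_chain(ledger))
    print("edited chain valid:", verify_chain(tamper(ledger, 1, "tx: alice->bob 500")))
    forged, work = rewrite_from(ledger, 1, "tx: alice->bob 500")
    print("re-mined chain valid:", verify_chain(forged), "after", work, "hash attempts")
```

The work reported by `rewrite_from` grows with the number of blocks after the edited one, and on a real network the attacker must also outpace honest miners who keep extending the original chain, which is why old transactions are treated as effectively final.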

Risk of Cyber-Attacks

Although the absence of a single point of failure means a blockchain network cannot be taken down by one outage, blockchain systems are still susceptible to distributed denial-of-service (DDoS) attacks. Such attacks have the potential to make blockchain applications and the associated data unusable.

DDoS attacks aim to make a computer system unavailable to its users by overwhelming it with internet traffic. The risk of DDoS attacks is particularly high when ledgers are concentrated on a few high-performing nodes.

Bitcoin exchanges are particularly vulnerable to DDoS attacks. In 2020, two large Bitcoin exchanges (Bitfinex and OKEx) stopped working due to a sophisticated attack generating 400 gigabytes per second of traffic.

In 2017, various DDoS attacks on crypto exchanges decreased the value of the cryptocurrency market by USD 53 billion.

In 2018, the cryptocurrency exchange BitMEX was temporarily closed as a result of a DDoS attack. This, in turn, led to a USD 300 drop in the price of Bitcoin.