On personal data
We need to clear up some misconceptions about personal data before they perpetuate past the point of no return.
- Personal data ≠ private data. Although many people use the terms “private data” and “personal data” interchangeably, the term “private data” has no meaning at law. While “personal data” under EU law means “any information relating to an identified or identifiable natural person” (who is known as a “data subject”), the data need not be “private” or unknown to others. In fact, some of the most public things about us — including our name, city of residence, employer, etc. — are unquestionably personal data under the law. So where’s the confusion? Presumably, those using the term “private data” are referring to data that they wish to keep private from certain other parties. This is where personal data-related regulations, like the GDPR, are useful because they regulate the use of data about us in certain contexts, whether that data is well known by others or not. They also impose certain obligations on data that we wish to be less “public” about such as special categories of data or more “personal” data in the sense that it may reveal more intimate or inward-facing aspects of who we are (e.g. religion, political views, sexual orientation, etc.).
- Personal data is not illegal. It feels as though the blockchain world is either obsessively worried about personal data (or not at all concerned about it) based on this notion that it’s some kind of digital toxin — and it is, but not in the way that they think. I am always getting asked “is X personal data” or “is hashed data still personal data” or “can we put personal data on the ledger” and so on. And the answers are, respectively, “probably (since most everything relates to an identifiable person)” and “hashed data is definitely still personal data (we have clear precedent/guidance on this)” and finally, “it depends.” There are few answers that people hate more from a lawyer than “it depends” but the truth is, whether or not you put personal data on a ledger — and in fact, every question about what you do with personal data, including how you store it — depends on a number of factors. The most important factor is what your lawful basis for processing (or doing anything at all) with that data is. For example, if your lawful basis for using the data is the data subject’s consent, the rules are different than using the data in the performance of a contract.
- Not all personal data has to “be forgotten.” Few concepts have caused more agitation and confusion than the right to erasure under Article 17 of the GDPR. Just as there is an obsession with personal data in the blockchain world, there is an equal obsession and consternation around the “right to be forgotten” (though it often feels as though few people in this debate have read the regulation directly). The right is far more limited than the hype machine makes it out to be and with good reason — the regulators have actually thought long and hard about this and engaged multiple sophisticated stakeholders in negotiating the final text. For example, one of six conditions must apply before the right can be invoked. The rules are different in the case of data subject consent vs. the performance of a contract. Moreover, the right flat out does not apply in certain contexts (e.g. purposes in the public interest, scientific or historical research purposes or statistical purposes). While technologies like blockchain admittedly blur the lines around some of these concepts, e.g. what constitutes “the performance of a contract” on a ledger (for now, it does not appear that a smart contract suffices), they don’t obliterate those lines entirely (i.e. exceptions still apply).
- Personal data is personal. My final point is a philosophical one — personal data is and should be personal, in the sense that a person or individual should have a degree of control over data that relates to that individual (note it’s not absolute control because — at least for now — we live in a world where some parties, sometimes, need access to information about us). This is where self-sovereign identity comes into play — it takes some of the power and control over personal data about us away from third parties and others and restores much of it back to us as individuals so that we can have more autonomy over how, when, where and with whom we share that data. Terms and conditions may still apply (but hopefully, in a self-sovereign world, they are our terms and conditions — more on this point to come . . .)