60/365 — (Photo credit: Oliver Bohr)

BLOCKCHAIN ECOSYSTEMS IN A GDPR LEGAL COMPLIANCE PERSPECTIVE:

CASE I: “NEW WORLD INSURANCE POLICIES”

Sebastian Helth
7 min read, Mar 1, 2018

______________________

INTRODUCTION

This paper shall be construed as an innovative business concept presented in sections I-IV. The purpose of this paper is to give a very specific example of how new business types engaging with blockchain ecosystems need to consider the regulatory framework set out in the GDPR. I find the subject particularly interesting, as it is built upon my own business idea in the sphere between the future General Data Protection Regulation (GDPR) and blockchain technology.

On one hand, we have a mathematically very complex construction that will provide innovative solutions for e.g. future supply chains, safely stored personal identity protocols and storage of health profiles. On the other hand, we have a rather strict legal tradition in the European Union that takes a rational pride in protecting its citizens through well-implemented regulations in social welfare systems and relatively uncorrupted governments. The GDPR enforcement date is set for May 25, 2018 and will inevitably bring drastic changes to the way business is conducted. Blockchain technology will most likely revolutionize the very way we practise consumerism and trust among parties. Thus, it is absolutely essential that we do not get lost in translation.

Please note that I, naturally, reserve this innovative business case as my own intellectual property and thus kindly request the reader to respect my rights. However, I hope that the idea showcases i) a few very relevant areas that might prosper from this technological revolution and ii) that we are still in the early years of adoption.

I. THE FRAUD TENDENCY PROBLEM

The premium is a calculated result of several factors and reflects the risk profile of the common policyholder gathered under the same pool policy. Complicated insurance cases and fraud tendencies establish a foundation for bureaucracy and resource-heavy personnel solutions, as insurance providers have no way to control and verify the reported events. Hence, the insurance providers are led to enforce a practice that burdens the premium expenses.

This unfortunate, irrational business model will thus ultimately be paid for by the policyholders who do not commit insurance fraud. Policyholders who do not have the opportunity to gather in unions and thereby lower their premiums are left with two options: a) stay uninsured (which might be unlawful) or b) pay for other people’s insurance fraud.

II. A RATIONAL POOL OF RESOURCES, aka. THE SOLUTION

The world is — at an ever-increasing rate — integrating things into the internet (IoT). These things gather all types of information that can track particular behavioural patterns. By giving a specific consent to constant passive surveillance that includes, but is not limited to, consent to GPS tracking, kilometre-ticker systems on vehicles, video and audio surveillance on mobile devices and tracking records from various IoT devices, a case of insurance fraud is almost certainly hindered. Insurance fraud is a burden on the common man, as poor surveillance techniques and a lack of evidence material build an unhealthy platform of false trust. The common man accepts this unhealthy disposition as a policyholder, as no alternative exists. And it is a self-worsening cycle, as the common man who is used to paying irrationally high premiums might see an opportunity to earn some of the expenses back by either tampering with his list of damaged items in the event of an insured accident — or even creating a false event by providing the insurance company with false or no evidence material.

The New World Insurance Policies have two main beneficial effects. First off, insurance fraud and tampering are prevented, lowering personnel expenses and bureaucratic inefficiency, as the average complexity of insurance cases decreases. Secondly, there is a psychological and preventive aspect as well, as the people pooling under the same policy have a common characteristic — they simply do not commit fraud (it would not be beneficial for them to risk being caught or not being covered in the case of a tampered event).

Hence, the policyholders will share a common, economically rational policy and pool of resources, ultimately leaving the people committing insurance fraud with an even higher premium, as they must endure one another. The premium will reflect the scope of the consent, i.e. the volume of passive surveillance will be proportional to the premium expenses. The constant passive surveillance will create an overwhelming amount of data and will inevitably contain sensitive data such as ethnic information and health profiles, as events and recordings in the moments around an accident will form the fundamentals of the specific case material.

A business model built upon constant passive surveillance is highly controversial and will naturally be met with scepticism and criticism. Given its nature, it will very likely be subject to adequate supervision, cf. section IV.

III. THE BLOCKCHAIN ECOSYSTEM

The blockchain ecosystem will provide the New World Insurance Policies provider (hereafter referred to as the “Supplier”) with tamper-proof hosting services and will be built upon the secure SHA-256 hashing algorithm to verify events and evidence material and to safely store personal data. A blockchain is a distributed ledger, i.e. a peer-to-peer trustless network that automatically manages the authentication of records: each block carries the hash of the previous block, which means that records cannot be altered without altering all subsequent blocks. Data, and especially personal data, is still a very new type of digital asset and has formerly been managed by central data centres vulnerable to tampering.

Another problem has been the poor level of transparency. A blockchain provides a transparent solution, as transactions are publicly traceable by their hashes. In the present business case, the passive surveillance records and the actual data will not be accessible; the transaction itself, however, will. This way, the policyholder can verify that no data divergent from the specific purpose/consent and business procedure is stored (e.g. the 24-hour protocol exemplified in the next section).

The blockchain ecosystem will thus prevent tampering and insurance fraud and will most likely meet the strict requirements regarding personal data processing found in the GDPR, as blockchains are secure by design and thereby meet the principle set out in Article 25 GDPR. Some relevant requirements are briefly outlined in section IV.

IV. GDPR COMPLIANCE

The GDPR regulates personal data, which is defined as “(…) any information relating to an identified or identifiable natural person (…)” (see Article 4 (1) GDPR). Any information — even encrypted data (though not irrevocably anonymised data) — that can identify a person is therefore considered personal data.

Decentralization seems to be a keyword in the blockchain revolution. However, a “decentralized” organisation simply does not create fundamentally viable solutions for the European welfare systems, as decentralization produces legal uncertainty and unaffordable risk for institutions. The Supplier would thereby have a natural interest in purchasing a viable/compatible blockchain ecosystem service from a “centralised” trusted legal entity (such as e.g. the VeChain Foundation) that can maintain the blockchain.

Now, let’s assume that an IoT-data provider sells its data to the Supplier (given that the user gave the IoT-data provider a specific consent that meets the GDPR requirements, cf. below) in return for remuneration. The Supplier will then use the data for its own insurance business/premium calculation and thereby determine the processing guidelines, which is why the Supplier shall be considered a data controller (see Article 4 (7) GDPR). The Supplier must, as a data controller, ensure that the personal data is processed i) lawfully, ii) fairly and iii) in a transparent manner (see Article 5 (1) (a) GDPR).

The use of sensitive data requires a specific consent outlining the specific scope and purpose(s) and shall meet the requirements set out in Article 7 GDPR. Hence, the consent shall be clearly distinguishable from other matters and freely given. Furthermore, the policyholder has an extended “right to be forgotten” and a right to withdraw each and every consent. Withdrawing consent must be as easy as giving it (see Article 7 (3) GDPR). This supports the principle of fairness (ii) and the requirement of an explicit purpose set out in Article 5 (1) (b) GDPR.

Hence, there are certain requirements to be met by the Supplier. First off, in order for the business to perform a ii) fair and iii) transparent service, it is important to limit the data flow and the usage of the data to what is specifically outlined in the terms of the consent. The passive surveillance will produce data amounts way beyond need. Thus, the storage must be limited, e.g. by integrating a protocol that, every 24 hours, deletes records that do not regard an incident. Furthermore, the Supplier must ensure that every third party providing any kind of processing service processes the data accordingly; this includes the entity providing the blockchain ecosystem, as storage of the Supplier’s transaction history is considered processing (see Article 4 (2) GDPR). The Supplier shall ultimately regulate the relation to any data processing party with a Data Processing Agreement (DPA) and (optionally) a set of IT security controls such as, inter alia, the widely adopted ISO 27001/ISO 27002 standards.
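As an added illustration (my own sketch, not code from the paper or from any blockchain vendor) of the on-chain/off-chain split described in section III together with the 24-hour deletion protocol above: only a SHA-256 commitment and the declared purpose are written to the hash chain, while the surveillance record itself stays in an off-chain store that the purge empties, so the chain remains verifiable after erasure and any edit to an earlier block breaks every later link. The class names, the purpose labels and the per-record salt are my assumptions; the salt is not in the paper, and it is what keeps the retained hash from being linked back to a person once the record is gone.

```python
import hashlib
import os
from dataclasses import dataclass

RETENTION_SECONDS = 24 * 3600  # the paper's 24-hour deletion window

@dataclass
class Block:
    prev_hash: str
    commitment: str  # salted SHA-256 of the off-chain record, never the record itself
    purpose: str     # "incident" or "routine": what the consent covers (assumed labels)

    def hash(self) -> str:
        data = f"{self.prev_hash}|{self.commitment}|{self.purpose}"
        return hashlib.sha256(data.encode()).hexdigest()

class Ledger:
    """Append-only hash chain: altering one block invalidates every later prev_hash."""
    def __init__(self):
        self.blocks = []
    def append(self, commitment: str, purpose: str) -> int:
        prev = self.blocks[-1].hash() if self.blocks else "0" * 64
        self.blocks.append(Block(prev, commitment, purpose))
        return len(self.blocks) - 1
    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b.prev_hash != prev:
                return False
            prev = b.hash()
        return True

class OffChainStore:
    """Holds the personal data and salts; this is what the 24-hour purge deletes."""
    def __init__(self):
        self.records = {}  # block index -> (record, salt, ingest_time, purpose)
    def ingest(self, ledger: Ledger, record: bytes, purpose: str, now: float) -> int:
        salt = os.urandom(16)  # once the salt is deleted, the on-chain hash is unlinkable
        index = ledger.append(hashlib.sha256(salt + record).hexdigest(), purpose)
        self.records[index] = (record, salt, now, purpose)
        return index
    def purge(self, now: float) -> list:
        stale = [i for i, (_, _, t, p) in self.records.items()
                 if p != "incident" and now - t >= RETENTION_SECONDS]
        for i in stale:
            del self.records[i]
        return stale
    def check(self, ledger: Ledger, index: int) -> bool:
        record, salt, _, _ = self.records[index]
        return hashlib.sha256(salt + record).hexdigest() == ledger.blocks[index].commitment
```

Without the salt, the hash of a low-entropy record (a GPS fix, a licence plate) could be recomputed and matched, so by the Article 4 (1) reading above the on-chain value would itself still be personal data.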

So, even though a business model such as the one set out in this paper may seem intrusive to one’s personal life, it will be possible to execute. A business must, however, consider the regulatory framework of the GDPR when engaging with blockchain technology. The GDPR is a very reasonable set of standards that will stabilise the market and force corporations to adopt more desirable data policies and enforce strict data procedures, which will ultimately outline a new era of trust among parties.
