Privacy on the Blockchain — What role does privacy play in a world where nobody is ‘doxxed’?
On May 25, 2018, the EU General Data Protection Regulation (GDPR) came into effect with the intention of bringing a new standard in privacy compliance and awareness. Within a short period of time, the legal world as we knew it changed dramatically, as nearly every company, organization, and government entity inevitably began taking into account aspects of European privacy regulations. In parallel to these efforts, more and more jurisdictions began legislating their own privacy laws, in an effort to keep up with the new world order.
Tech companies scrambled to determine whether they are controllers, processors… or both, which of the data they process constitutes ‘personal data’ and is thus subject to privacy regulations, and to appoint data protection officers.
And yet, there is one industry that has, for the most part, escaped the “privacy rush” — Web3.
‘Web3’, a term loosely used to refer to blockchain technology-based platforms and services, allows users to interact with web services by syncing their digital wallets, which serve as a type of ‘semi-anonymous identifier’ representing the user making the transaction. The Web3 ecosystem is made up, predominantly, of anonymous users. In most cases, the only information that the platform holds with respect to the wallet holder is a wallet address — a slew of 20–40 randomly selected numbers and letters, referred to as a ‘public key’.
In addition to the public key which, as its name suggests, is publicly available and can be used to identify the two parties to any given transaction, each wallet also contains a private key — typically a 12-word phrase, which is used as a ‘password’ to access the wallet. For the purposes of this article, when we talk about a ‘wallet address’, we will be referring to the wallet’s public key.
Since privacy regimes predominantly apply to and set out to protect, ‘personal data’, a crucial question to ask in the realm of blockchain technology is: are wallet addresses considered ‘personal data’?
Privacy — Basic Principles, Regulation, and Importance
What constitutes “personal data” or “personal information” varies from jurisdiction to jurisdiction. On one end of the spectrum, we have the approach of US state privacy laws. Of those laws which are on the books at the date of publication, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act all specifically exclude any information which the consumer has lawfully made available to the general public from the definition of ‘personal information’ covered by the law. This means that, once information is lawfully made public, it is no longer subject to that law’s protections. Given the very nature of public keys and wallet addresses, once a transaction is made with a wallet and the information is available on the blockchain, these laws would not consider them personal information and they would not apply.
The California Consumer Privacy Act (CCPA) takes a slightly different approach to the other US state laws, which we may view as a “middle-ground” approach. The only information that is considered exempt from CCPA is “information that is lawfully made available from federal, state, or local government records”. This exemption only exists if the information is in an official public register. The CCPA also includes an exemption for what is called “de-identified” information, or “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer”. In order for a business to enjoy the “deidentified” exemption, it must take steps to ensure that any such de-identified information remains de-identified.
On the other end of the spectrum the GDPR, perhaps the most comprehensive of data protection laws currently on the books, applies to “any information relating to an identified or identifiable natural person”. There is no exemption under GDPR for publicly available data. Therefore, even if publicly available, wallet addresses would not automatically enjoy an exemption from GDPR.
Based on the above what we see is that in order to answer the question ‘are wallet addresses personal data?’ we must first understand which yardstick we’re using to assess what constitutes personal data. If we take the “stricter” GDPR approach as our yardstick, the question becomes: can a wallet address in itself reasonably identify an individual?
An important case to mention in this regard is Case C-582/14 of the Court of Justice of the European Union (CJEU) Patrick Breyer vs. Bundesrepublik Deutschland. This case asked whether dynamic IP addresses are considered ‘personal data’ under the Data Protection Directive (GDPR’s predecessor). In this case, the CJEU ruled that since a user’s internet service provider (ISP) could link a dynamic IP address to an individual user, this constitutes a mean “likely reasonably to be used to identify” the individual or by a third party. A caveat that should be noted from the case is “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears, in reality, to be insignificant” it would not constitute personal data. If we compare this to our question — whether wallet addresses can reasonably identify an individual — we must not only answer the objective question of whether an individual can be identified based on their wallet address, but even if an individual was theoretically identifiable, we must ask ourselves how likely it would be, and what effort would it entail, to make this identification.
GDPR’s fairly broad definition of the term “personal data” has far-reaching ramifications. According to the CJEU’s definition in the Breyer case, the fact that most companies in the world cannot identify an individual based on their dynamic IP address is irrelevant, so long as a third party (the ISP) can do so without much cost and effort.
So, when are digital wallets considered ‘personal data’?
For wallet addresses, this means that attention needs to be paid to the data that may be used to link a public key with its owner. In the initial design of permissionless blockchains, users themselves should be in charge of generating the public/private key pairs to be used and take responsibility for safeguarding the private keys. In this case, if we follow the logic of the Breyer case through, the public key likely won’t in and of itself be considered personal data. However, once users are relying on a centralized service to manage their keys, a central body holds the data required to identify users by their public keys. In these instances, the Breyer test would lead to the conclusion that these keys are personal data because a single entity could match the public key with a specific individual, similar to the way an ISP can match a dynamic IP to a specific individual.
Some wallets, for example, are generated by and hosted on third-party platforms such as Binance, Kucoin, or Coinbase, some of which require the wallet holder to verify their account by providing certain identifying details and sometimes even undergoing a full KYC (know-your-customer) identification process for anti-money laundering purposes. In the case of these wallet hosting sites, the wallet addresses they hold constitute the personal data of their users.
There may be other examples where a public key can be combined with certain additional information, and may then be sufficient to identify the wallet holder, thus rendering the wallet address personal data. For example, in some cases the wallet’s contents, which can be viewed on third party sites such as Etherscan, ethplorer.io, or Opensea, can be used to corroborate data with respect to its owner — e.g. (i) if the wallet contains the ENS domain, yitzyhammer.eth, one can infer that Yitzy Hammer may be the owner of such wallet; or, (ii) if the wallet contains an NFT that Avishai Ostrin is using as his profile picture on Twitter, one can infer the same.
One wallet provider, ZenGo provides users the ability to use the biometric data of their facial image instead of a 12-word phrase, as a private key. Biometric data, “for the purpose of uniquely identifying a natural person” falls under a list of GDPR’s “special categories of data” as well as other laws such as Illinois’ Biometric Information Privacy Act, placing stricter limitations on the collecting, storage, and processing of such data.
Conclusion
Given the above use cases, it is clear that a shift must be made in how people think about personal data and digital wallet addresses. Public keys and blockchain transactions do not exist within a vacuum. Each address and each transaction has its own use case, and as such, the question of whether or not a public key should be considered ‘personal data’ needs to be balanced on a ‘linkability scale’, based on the entirety of the context, rather than a binary blanket predetermination of whether personal data is involved or not. In other words, the more points which allow the linkability of the public key with a specific individual, the more we would lean towards saying it constitutes personal data.
As such, and as is often the case with legal questions, the classic lawyer’s answer to the question of ‘is a wallet address considered personal data?’ is very simply: “it depends”.
This article was co-authored with Avishai Ostrin.
Avishai Ostrin is Head of Privacy Consulting at PrivacyTeam, the top privacy consultancy & data protection officers. Avishai is a Certified Information Privacy Professional in European (CIPP/E) and US (CIPP/US) privacy laws and regulations, a Certified Information Privacy Manager (CIPM), and has been recognized by the International Association of Privacy Professionals (IAPP) as a Fellow of Information Privacy (FIP) for his distinguished work in the privacy field. He volunteers as the Chapter Chair of the IAPP’s Tel Aviv Chapter and as a mentor for nascent startups, guiding them on their data strategy journey as part of the Techstars Accelerator Program. Avishai holds degrees in Law & Government, Diplomacy and Strategy from Reichman University, is a qualified lawyer in both Israel and England and Wales, and has years of experience providing companies of all sizes, and from all over the globe, practical, no-nonsense advice on all matters relating to their global privacy programs and strategies.
