A new generation of stringent data protection regulations being implemented around the world, spearheaded by GDPR, aims to tackle the privacy and security concerns posed by the proliferation of personal data. This article examines why those efforts alone may not be enough, and why a problem caused by network technology may also need to be solved by it – if our laws will allow it.
For many of us, it began with email. We created an account and a password, and from that moment on, for the sake of convenience, began trusting someone else to store and maintain our personal information. Then came Internet banking, retailers, hotel booking sites, social networks, mobile phone apps – eventually, almost every commercial or social relationship in our lives moved online, each one demanding a username and password and a long list of personal information. For those of us old enough to remember living without a mobile phone, the change has been dramatic; for the younger generations, it has never been any other way.
All of that information is stored somewhere, but where? It may be in another country, or in several countries. Quite often, even the organisation handling the data cannot be sure precisely where it is stored, how many copies exist, or who might be able to access it. This is because modern network technology makes it very easy to copy data and transmit it instantly across vast distances, ignoring national borders, whereas storing it securely in one location can be costly and inconvenient.
That data has value – not just to its owner, but also to others who may use it for financial gain, for political ends, to steal, or even to cause physical harm. The extreme proliferation of valuable personal data leads to major risks, as recent events have made clear. Cyber-attacks such as WannaCry and the Equifax hack continue to grow in frequency and severity, and represent a flourishing criminal industry based on exploiting the value of personal data. However, this merely mirrors the growth of legitimate business based on the collection and use of personal data, with companies like Google and Facebook now among the world’s biggest; disturbingly, that legitimate business also gives rise to concerns over privacy and potential misuse, as demonstrated by the Cambridge Analytica scandal, in which personal data from 50 million Facebook profiles was reportedly used to influence US voters in the 2016 presidential election.
Hong Kong is one of the world’s hotspots for cyberattacks. Many major incidents are never revealed to the regulators or the press, since the Personal Data (Privacy) Ordinance (Cap. 486) (“PD(P)O”) does not require data users to report breaches and a culture of silence largely prevails. There have, however, been some high-profile incidents, including the infiltration of an inactive database owned by Hong Kong Broadband Network that held information on 380,000 customers, and cyberattacks targeting the personal data of approximately 220,000 individuals held in travel agencies’ databases. The Privacy Commissioner for Personal Data (“PCPD”) has revealed that the number of data breach notifications surged by nearly 20% in 2017.
A New Generation of Data Protection Regulations
To address this concern, a new wave of regulation is sweeping the globe, imposing stricter obligations on those using, controlling or processing personal data to keep it secure. The most prominent example of this trend is the EU’s General Data Protection Regulation (“GDPR”), which came into force on 25 May 2018.
The GDPR represents a significant tightening-up of previous European data protection regulations; however, although the regulation is European, its influence (along with much associated anxiety) traverses the globe, because of three key elements:
- It has extra-territorial effect. Put simply, a non-EU business (including a Hong Kong business) needs to comply with the GDPR if it offers goods or services to, or monitors the behaviour of, EU residents (Article 3).
- Unlike the PD(P)O, which requires no data breach notification at all, the GDPR requires data controllers to notify a data breach to the supervisory authority within only 72 hours. Data subjects must also be notified where a breach is likely to result in a high risk to their rights and freedoms (Articles 33 and 34).
- Most concerning of all are the sanctions for breach of the GDPR: the higher of €20 million or up to 4% of an organisation's total worldwide annual turnover of the preceding financial year. Had GDPR been in force during the Cambridge Analytica affair, Facebook could have been fined as much as US$1.9 billion – nearly 3,000 times the £500,000 fine levied by the ICO under the UK's Data Protection Act 1998 (being the maximum fine under that legislation).
Other important provisions introduced in the GDPR are restrictions on the transfer of data out of the European Economic Area and a “right to be forgotten”, i.e. a right to request the deletion of data in certain circumstances.
Other jurisdictions around the world are also tightening up their data protection regulations. For example, with the world’s largest online population (around 772 million), China has also taken steps to regulate its cyberspace, introducing a new Cybersecurity Law in June last year. While the international media has tended to focus on the national security aspects of the legislation, many of its provisions mirror those in the GDPR, including tighter controls on collection and use of data as well as obligations to inform data subjects and authorities of breaches. In the wider Asia-Pacific region, mandatory data breach reporting has also been introduced in South Korea, Taiwan, the Philippines, Indonesia and Australia.
Change has yet to come to Hong Kong; however, in April 2018, the current PCPD, Stephen Wong Kai-yi, indicated that it was time to review the PD(P)O following the entry into force of the GDPR.
The Limits of Regulations
The stricter regimes implemented by this new generation of data protection regulations, and in particular the heavy sanctions and extra-territorial reach of the GDPR, should encourage many of those handling personal data to do so more responsibly. However, there remain concerns that these regulations cannot alone solve the problem. In particular:
- The technological and commercial forces behind data proliferation will remain – put simply, data is valuable and easier than ever to copy and transmit. As increasing numbers of commercial and governmental entities collect and store multiple copies of valuable personal data, greater risks will ensue.
- Despite the GDPR's extra-territorial application, in practice it may prove difficult to enforce against infringers based outside the EU. While the GDPR seeks to address this by requiring entities handling EU residents' data to appoint an EU-based representative, it is easy to foresee widespread violation of this requirement.
- There are already indications that the cost of compliance with the GDPR is too much for many smaller businesses to bear – especially technology companies handling large volumes of personal data.
- In today's connected world, the restrictions on cross-border data transfer set out in the GDPR and China's Cybersecurity Law are arguably unworkable and fail to acknowledge the Internet's capacity to transcend national boundaries.
What, then, is the solution?
Blockchain, the White Knight
The relevance of blockchain technology to data protection may not be immediately apparent to many. After all, isn’t it something to do with cryptocurrencies?
It is indeed true that blockchain technology’s roots can be traced back to bitcoin – the (probably) pseudonymous inventor of bitcoin, Satoshi Nakamoto, first described it in a 2008 white paper as the technology underpinning the virtual currency. However, the focus of the technology’s use has since shifted from cryptocurrencies to a range of other applications, one of which is improving data security.
To understand why this is, it is important to examine how the technology works. A blockchain is a decentralised public ledger, duplicated thousands of times across a network of computers (known as “nodes”). The ledger is regularly updated and the copies of it compared for consistency, ensuring that it cannot be tampered with. It is not controlled by any single entity. In addition, the use of encryption ensures that the data can be transferred securely to the right recipient, and not intercepted.
These features are extremely useful for virtual currencies, since they allow a bitcoin, for example, to be transferred securely from one individual to another without the need to rely on a single trusted third party such as a bank, and the ledger of transactions ensures that the bitcoin cannot be copied and spent more than once. However, a virtual currency is really just a piece of digital information, and the same technology can be applied to transfer any data securely.
In the context of data protection, blockchain technology’s key characteristics offer significant advantages:
As the Cambridge Analytica scandal shows, having thousands of copies of sensitive information held by a centralised platform is inherently problematic. At the core of blockchain technology is the concept of decentralisation: a blockchain is typically run on a peer-to-peer network, meaning that there is no central entity with direct access to users' private information, reducing the opportunity for data to be harvested and sold. Furthermore, the absence of a centralised point of vulnerability reduces the risk of data leaks resulting from cyberattacks or human error.
Crucially, encryption can be used to protect data privacy on a blockchain network. If an individual consents to share his or her personal data with a particular organisation, the associated decryption key will be transferred to the recipient, who will then be able to use it to unlock the encrypted data. As opposed to most modern storage systems, where there is root-level administrator access, there is no "back door" through which a third party could access users’ information; nobody other than the holder of the decryption key is able to unlock the encrypted data.
Once a record is stored and spread across the nodes, groups of data are built into blocks and chronologically chained to each other, each block carrying a cryptographic hash of the block before it, making it virtually impossible to change existing data without altering every subsequent block. Compared with traditional databases, a blockchain provides greater reliability and security, since any manipulation of data can be easily identified and traced.
Blockchain technology is rapidly being adopted to help manage and verify personal data. For example, since as far back as 2012, Estonia has been using the technology in its data registries across national health, juridical, legislative, security and commercial code systems. Illinois is also testing various blockchain initiatives, including a birth registry which will allow companies and government departments to verify and authenticate citizens’ identities by making a request for encrypted access to certain information, such as name, date of birth, sex or blood type.
One of the clearest use cases for blockchain technology is to address concerns over the security of medical records. Around the world, large, centralised databases containing medical records have frequently been targeted by hackers; for example, in July 2018, it emerged that personal data belonging to approximately 1.5 million Singaporeans – including Singapore’s Prime Minister, Lee Hsien Loong – had been stolen from the database of the country’s largest healthcare institution. Were a similar data breach to occur in Hong Kong, only very limited sanctions would be available under the PD(P)O (although civil claims could also be brought in the courts). It remains to be seen whether those sanctions will be strengthened in line with global trends; however, penalties, however harsh, cannot undo the damage done.
A number of blockchain projects are now in development seeking to address the problem at source. Developers are building new infrastructure to allow medical records to be stored on a “permissioned” blockchain where only members of a closed group will have access rights. With this technology, medical records will be encrypted and not directly accessible on the blockchain itself; users will only be given indicators as to the actual location of the records, and particular members’ rights to access the data can be limited in scope and time as required. This offers greater security in terms of data management, as opposed to a traditional database in which personal data can be obtained directly from a centralised location. These and similar developments have the potential to give individuals greater control over their personal data and reduce the risks associated with data proliferation.
Mind the Gap
Although blockchain technology’s potential to mitigate data privacy and security risks is beginning to be recognised, the question of whether its use will comply with the new generation of data protection regulations has received little attention. It is perhaps unsurprising, however, that potential difficulties do arise – the GDPR was drafted for a world of more traditional centralised databases, while the blockchain is, by its nature, decentralised. On the face of it, it may be difficult to reconcile the use of technology designed to maintain multiple copies of (albeit encrypted) data on thousands of networked computers with regulations aimed at controlling where data is stored and by whom. In addition, the immutability of blockchain databases would appear to put the technology at odds with the “right to be forgotten” provided under the GDPR – while Article 17 grants individuals the right, in certain circumstances, to require a data controller to erase their personal data, it is technically difficult, if not impossible, to delete data from a blockchain. Records can be updated and amended by supplementation, but the past cannot be erased.
One potential way to resolve this conflict between technology and regulation is to store the data in question off the blockchain, keeping on the chain only a cryptographic fingerprint of it (known as a “hash”) which serves as proof of its existence and integrity. For instance, with a blockchain established for the purpose of maintaining medical records as mentioned above, only the hashes would be stored on the chain, the actual medical records remaining in secure “off-chain” hospital databases, thereby reducing proliferation and ensuring that the data can be deleted if required. Whether this technique would be sufficient to ensure regulatory compliance, however, remains unclear – even a hash could constitute personal data – and the technology presents a range of other compliance challenges.
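As an added illustration, not code from the article or from any of the projects it mentions, the following Python models the two mechanisms described above: blocks chained by the hash of the previous block, and a medical record kept in an off-chain store with only its hash on the chain, so that the record can be erased on request while the chain remains tamper-evident. The class names, the patient records and the “hospital” store are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Block:
    index: int
    prev_hash: str    # hash of the previous block: this link is the "chain"
    record_hash: str  # only the fingerprint of the off-chain record lives here
    def hash(self) -> str:
        return sha256_hex(f"{self.index}|{self.prev_hash}|{self.record_hash}".encode())

class Chain:
    def __init__(self) -> None:
        self.blocks = [Block(0, "0" * 64, sha256_hex(b"genesis"))]

    def append(self, record_hash: str) -> int:
        prev = self.blocks[-1]
        self.blocks.append(Block(prev.index + 1, prev.hash(), record_hash))
        return len(self.blocks) - 1

    def is_valid(self) -> bool:
        # Altering any earlier block breaks the prev_hash link of its successor.
        return all(b.prev_hash == p.hash() for p, b in zip(self.blocks, self.blocks[1:]))

class OffChainStore:
    """Hospital-side database holding the actual records (constructed example)."""
    def __init__(self, chain: Chain) -> None:
        self.chain = chain
        self.records: dict[int, bytes] = {}

    def add(self, record: dict) -> int:
        blob = json.dumps(record, sort_keys=True).encode()
        idx = self.chain.append(sha256_hex(blob))  # on chain: hash only
        self.records[idx] = blob                    # off chain: the data itself
        return idx

    def verify(self, idx: int) -> str:
        blob = self.records.get(idx)
        if blob is None:
            return "erased"  # record deleted on request; only its hash remains on chain
        on_chain = self.chain.blocks[idx].record_hash
        return "intact" if sha256_hex(blob) == on_chain else "tampered"

    def erase(self, idx: int) -> None:
        self.records.pop(idx, None)  # possible only because the data is off chain
```

Erasing a record leaves its hash on the chain, which is the point of the article's caveat: a hash of a record whose contents are guessable (a name and a date of birth, say) can be matched by recomputing it, so the on-chain fingerprint may itself need to be treated as personal data.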
Despite regulators’ valiant efforts to update data protection regulations to address modern risks, the gulf between law and technology has perhaps never been wider. Lawmakers now face the daunting task of keeping up with fast-moving technology and ensuring that regulation does not stand in the way of much-needed technological solutions.