Cyprus: The developing blockchain regulatory landscape and privacy concerns
The possibility of the implementation of decentralised technology in Cyprus was publicly debated for the first time in 2018, following an initiative by the Cyprus Parliament. The Council of Ministers established an ad hoc working group for the implementation of blockchain technology in Cyprus in the same year, with the aim of researching technology implementations, implementing pilot projects, and introducing the requisite legislation that would apply in both the public and private sectors. Three years on, Vasilis Charalambous, Lawyer at George Z. Georgiou & Associates LLC, discusses the latest developments in the regulatory landscape and assesses blockchain in light of data protection rules and principles.
What is blockchain?
A brief overview of how blockchain and Distributed Ledger Technology ('DLT') work is necessary before discussing the activities that are taking place regarding the regulatory landscape in Cyprus. The terms blockchain and DLT are often used interchangeably to refer to the same technological function.
Blockchain is essentially a digital ledger of transactions that is duplicated and distributed through the blockchain's entire network of computer systems. Each block in the chain contains a number of transactions, and if a new transaction occurs on the blockchain, a record of that transaction is added to the ledger of each party. The decentralised database which is managed by multiple participants is also known as DLT.
Latest regulatory developments
The abovementioned initiative followed the accession of Cyprus to the European Blockchain Partnership and the signing of a declaration of cooperation for the use of DLT with the MED7 member countries.
In 2019, the ad hoc working group published the National Blockchain Strategy1, which identified the current state of blockchain in Cyprus and established the following priorities for achieving the objective of blockchain development:
- the preparation of a legislative framework;
- strengthening the application of technology by government and the private sector; and
- the promotion of DLT in the financial sector.
It is important to mention that in accordance with the National Strategy, amendments to the Companies Law and the Income Tax Law will follow.
According to the National Strategy, the proposed legislative framework, which is expected to be voted on in 2021, will aim to facilitate blockchain applications in Cyprus in a neutral way, so as to be consistent and in line with legislative developments at European level.
Privacy and security concerns
The amount of data generated in our everyday lives is enormous, and the volume continues to increase. Technology has opened up infinite possibilities to billions of people linked to mobile devices, with computing power, storage space, and accessibility, but it also poses a risk to individuals and their privacy rights. Not very long ago, individuals had little or no control over the data that was stored about them and how it was used. In recent years, however, we have seen a worldwide move towards regulating the processing of data, providing more control to individuals and protecting their data through comprehensive legislation such as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
In the financial sector, blockchain has demonstrated that using a shared network of peers and a public ledger, trusted and auditable computing is possible. It is also true that blockchain can be used as a decentralised personal data management framework that guarantees users' data ownership and control.
Blockchain is a promising technology for securely sharing data and managing transactions, with several potential applications in the fields of e-health and e-government, such as health records, land registries, or the security certification of links in an Internet of Things chain of devices, food safety, trust funding (for example, for development or humanitarian programs), and managing intellectual property rights, e-ID, and many more. By redefining how we operate transactions, access information, and exchange data (e.g. enabling patients to safely share e-health records and determine who has access to their data), this new technology may contribute to a major political innovation.
EU data protection law regulates processing of personal data and requires a legal ground for such processing, particularly the fulfilment of the conditions set in the GDPR. The GDPR, in reality, was created to control the centralised processes of data collection, storage, and processing. Blockchain technology, on the other hand, is a decentralised network that has introduced a radically new paradigm of data storage and management. The 'decentralised' aspect of blockchain is likely to pose a regulatory challenge for the EU legal system, which is designed to deal only with centralised actors.
In order to assess the privacy and security concerns posed by the use of DLT and blockchain, one must consider whether the GDPR provisions can be applied to the global blockchain system, whether personal data is processed on the blockchain, who acts as a data controller and processor, and the various challenges that arise in order to protect data subjects' rights.
While it is true that the transnational nature of blockchains gives rise to various jurisdictional issues, the broad territorial scope of the GDPR means that GDPR obligations have to be followed by the respective controllers and processors that have a link to the EU.
GDPR compliance concerns arise due to blockchain's immutability and the fact that it is a permanent and open ledger. Due to the GDPR's requirement that personal data be held for no longer than is required for the reason for which it is processed, public blockchains may pose a problem because data cannot be deleted.
When debating whether data on blockchains counts as personal, it's also important to distinguish between public and private blockchains. Since blockchain technology is decentralised, there are no central administrators monitoring data; instead, the network is controlled by all of its users, who serve as data controllers for themselves and data processors for others. In light of this, it appears that identifying the data controller or data processor and fulfilling data subject rights on private blockchains is simpler than identifying them on public blockchains for GDPR purposes.
The GDPR, on the other hand, introduces the concept of pseudonymisation, which is described as 'the processing of personal data in such a way that the personal data can no longer be traced to a particular data subject without the use of additional information.' Data on blockchains can be stored in three ways: as plain text, encrypted text, or by hashing it to the chain. However, for the purposes of the GDPR, these types of data storage are unlikely to properly anonymise users' personal data, since some user information can lead back to the individual's identity, even if cryptographically secured.
According to the French data protection authority ('CNIL'), blockchain should be assessed in light of the GDPR on a case-by-case basis, rather than the relationship being determined in a broad and general manner.
Considering the above and until these issues are settled either by the European Data Protection Board ('EDPB') or the courts, anyone that would like to develop use cases should consider the following:
- examine if they need to use blockchain for their project;
- conduct a Data Protection Impact Assessment ('DPIA');
- avoid storing personal data on a blockchain and instead encrypt and aggregate the data using all available encryption and aggregation techniques; and
- collect personal data off-chain or use permissioned blockchain networks.
It is estimated that blockchain technology will soon begin to be viewed, not as a threat to individuals' fundamental privacy rights and freedoms, but rather as a tool that gives data subjects exclusive ownership and control over their personal information.
Vasilis Charalambous, Lawyer, George Z. Georgiou & Associates LLC