Data Privacy Regulations Versus Blockchain Technology
Data privacy refers to the use and governance of personal data, including policies implemented by businesses and governments that govern the collection, sharing and use of an individual’s personal information. Information privacy refers to the individual’s right to exert some control over their own personal information that is collected and used by others. These two views of privacy are reflected in legislation enacted to govern organizations and, most recently, give more power to individuals.
EU’s General Data Protection Regulation
The European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, is a comprehensive regulation that includes provisions for client consent, data breaches, data processing, security, and individual subject rights. It was designed to protect the privacy rights and freedoms of EU citizens and harmonize data privacy laws across all twenty-eight EU member states.
The GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of a company’s location. It also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU.
One provision of the GDPR that can be problematic for companies employing blockchain technology is the right to be forgotten (i.e., the right to erasure), since data written to a blockchain is designed to be immutable and cannot simply be deleted on request.
Data Privacy in the United States
There is no single principal data protection law in the U.S. Hundreds of laws enacted at the federal and state levels attempt to protect the personal data of U.S. residents and often apply to specific industry sectors such as financial services, healthcare, telecommunications, and education. One example of a U.S. federal data protection law is the Federal Trade Commission Act (15 U.S.C. § 41 et seq.), under which enforcement actions are brought against companies for failing to comply with their own posted privacy policies and for disclosing personal data without authorization. A second example is the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. § 1301 et seq.), which regulates the handling of medical information by the entities that process it, including healthcare providers, data processors, and pharmacies.
Privacy rights not granted by the federal government are left to individual states to protect. The California Consumer Privacy Act (CCPA), passed into California law on June 28, 2018, is the strongest data privacy legislation enacted in the U.S. to date and closely mirrors the GDPR. It requires businesses to disclose the purpose for which information is collected or sold, as well as the third-party organizations receiving the data. It gives consumers the right to ask businesses for the types and categories of personal information being collected, as well as the right to request that their data be deleted and to initiate civil action if they believe that an organization has failed to protect their personal data.