As a sequel to the first paper of the Blockchain & Law article series titled 'A New Digital Order - Unveiling the Interplay of Law & Blockchain Technology', this paper explores the inter-operability of India's data privacy regime and blockchain technology. In this regard, a recording of the webinar on 'Blockchain & Data Privacy: An India Perspective' conducted by AKS Partners can be viewed on YouTube here.
B. Data privacy in India
Constitution of India
Article 21 of the Indian Constitution is a comprehensive, all-encompassing provision that inheres within itself basic, fundamental rights that are absolutely essential to the existence of a human being with dignity and personal liberty. In the judgment of K.S. Puttaswamy v. Union of India,1 a nine-judge bench of the Honourable Supreme Court of India held that the right to privacy falls within the contours of Article 21 and is incidental to life and personal liberty. This right to privacy includes the right to data protection and privacy.
Information Technology Act, 2000
In India, data privacy is governed by the Information Technology Act, 2000 ("IT Act") and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("SPDI Rules"). Section 43A (Compensation for failure to protect data) of the IT Act provides a statutory right to a data provider to claim compensation for unapproved disclosure of information (including in breach of a contract). Under Section 72A (Punishment for disclosure of information in breach of lawful contract) of the IT Act, any person, including an intermediary, who discloses information obtained under a lawful contract without consent shall be punished with imprisonment or with fine or both.
The SPDI Rules constitute a set of basic obligations to be adhered to in circumstances where sensitive data is being collected. It may be noted that the SPDI Rules apply only to 'Sensitive Personal Data or Information'.2 The SPDI Rules lay down guidelines for collection (Rule 5) and transfer of information (Rule 7) and also mandatorily require body corporates to adopt and implement a policy for privacy and disclosure of information (Rule 4).
On 24 August 2011, the Ministry of Electronics and Information Technology issued a clarification to the SPDI Rules ("Regulatory Clarification"). The Regulatory Clarification states that the SPDI Rules are applicable only to body corporates or persons located within India. Also, where a body corporate deals in data of any legal entity located within or outside India under a contractual arrangement, the SPDI Rules pertaining to collection (Rule 5) and disclosure of information (Rule 6) would not apply. It was also clarified that requirement to obtain written consent under Rule 5(1) of the SPDI Rules includes electronic consent as well.
The Personal Data Protection Bill, 2019 ("Bill")
The Bill is inspired by and is in many ways a replica of the European Union's General Data Protection Regulation ("GDPR"). The Bill lays down several provisions, including in relation to cross-border transfer of data, sandboxing and privacy by design, and introduces a more robust set of obligations for entities handling sensitive personal data. The Bill is currently pending before a Joint Parliamentary Committee. The Bill applies to and categorises data into 'Personal Data', 'Sensitive Personal Data' and 'Critical Personal Data'.
Regulated sectors such as telecom and financial services have separate obligations of confidentiality which restricts disclosure and transfer of customer personal information and mandates use of such information only in the manner agreed with the customer. Certain sectoral regulators (like Reserve Bank of India) also mandate data localisation.
C. Blockchain technology and data privacy
For details on the working of a blockchain network, please refer to our previous paper here.
The Bill defines 'Personal Data' as 'data about or relating to a natural person who is directly or indirectly identifiable'. This means that where the origins of the data cannot be traced down to a natural person, the data would cease to be 'Personal Data'. Resultantly, storing the data in a manner where it cannot be traced to a natural person, such as by encryption or anonymisation of Personal Data (including by introducing and implementing robust methods to address re-identification risks), may prove beneficial in reducing a blockchain network's interaction with data privacy regulations.
Public v. Private Blockchain
Private blockchain which restricts and regulates network participation appears to be a more preferable fit when it comes to ensuring compliance with data privacy laws. Public blockchains with permissionless borders pose greater difficulty in procuring every participant to agree on and comply with relevant rules on protection of personal data.
The Bill identifies three categories of stakeholders (similar to GDPR) viz. Data Principals, Data Fiduciary and Data Processor. The SPDI Rules only provide for a data provider and a body corporate or person collecting data. The term 'Processing' has been defined to include collection, storage, retrieval, adaptation, disclosure etc. (Section 3(31)). Accordingly, any data stored or transmitted on blockchain will amount to processing.
Blockchain network is a decentralised system with each node / miner (i.e. network participant) spread all over the world. There is no clear demarcation between a Data Principal and a Data Fiduciary or a Data Processor over a blockchain network. The way the network functions, no single person can be said to be in-charge of the network thereby making it all the more problematic for regulators to fix the compliance burden on a party. Accordingly, the question of determining the identity status and fixing liability of various participants attains significance and complexity over a distributed ledger network like blockchain.
Each node over the network functions as a Data Processor on account of participation in the verification of the data. At the same time, one or more of such nodes may also be acting as a Data Principal. With respect to mining over the network, while it is a single miner who is able to formulate a valid hash, all the other miners also participate in the mining activity when they attempt to arrive at the winning lottery number, thus making such miners also Data Processors. While fixing liability on a private blockchain network that restricts the number of network participants is comparatively less complex, the same would be quite challenging on a public blockchain network, such as Bitcoin. With regard to identifying the status and roles, the guidance issued by the French data protection authority ("CNIL Guidance")3 in the context of GDPR is useful. The CNIL Guidance categorises blockchain actors into the following groups: (a) participants with full read and write access to the data; (b) participants with read only access; and (c) miners that validate the transactions.
Participants falling in category (a) above are Data Controllers (equivalent to a Data Fiduciary under the Bill) while categories (b) and (c) are not.
Collection and processing of data over a blockchain network
The Bill sets out a number of obligations that have to be performed by the Data Fiduciaries, some key compliances being, obtaining consent of the data principals, retaining the data only till absolutely necessary (Storage Limitation), providing notice to the Data Principals, ensuring data is used only for the purpose (which has to be specific, clear and lawful) for which it has been taken (Purpose Limitation). Rule 5 of the SPDI Rules also lays down similar obligations for collection of data. Key concerns that the inherent and intrinsic nature of the blockchain technology raises are as under:
Firstly, with respect to the Storage Limitation principle, the immutable nature of the technology prevents the data from being deleted once the purpose has been fulfilled.
Secondly, given the decentralised nature of blockchain, it becomes challenging to determine the exact purpose for which data is collected over such a widespread network and who is to keep a check that the data so collected is used only for such predefined purposes.
Thirdly, it is commonly argued that the network participants over a blockchain impliedly consent while sharing their data. This may not, however, fulfil the requirements under the Bill, which requires consent to be clear and given through an affirmative action. This gives rise to concomitant regulatory issues over a decentralised system as to who shall comply with these requirements under the law and who should be made responsible / liable for any lapses in compliance.
Lastly, the Bill also proposes certain additional requirements such as transparent and fair processing and the Purpose Limitation. The blurred distinction in the status of identities in blockchain makes determining purpose and manner of processing challenging.
A detailed governance framework setting out roles and responsibilities, off-chain and on-chain personal data, may provide useful guidance towards addressing the aforementioned concerns.
Key rights of Data Principals
Right to Confirmation and Access
The Bill entitles the Data Principals to seek information regarding the types and nature of personal data stored with the Data Fiduciaries, to ascertain the nature of processing activities that have been undertaken on their data, or to seek a brief summary of processing activities undertaken. While enforcement of this right may not be technically difficult, blockchain networks may establish a proper governance framework that designates a specific authority to pass the requisite data to the data principal as and when asked for. The network may also consider laying out methods of searching and accessing the necessary information, which may be decrypted with the use of the private key.
Right to Correction
Section 18 of the Bill and Rule 5 of the SPDI Rules provide the right to rectify or correct the data. Given the immutable nature of the decentralised ledger maintained on a blockchain, exercising this right may not be compatible with the technology. Accomplishing alteration/correction of data would be a burdensome task since it will require a majority of nodes to come together to identify the data, alter it and re-hash not just the concerned block but all previous blocks as well. Alternatively, a new block with corrected information may be added once verified through the consensus mechanism.
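A minimal hash-chain sketch of the two correction routes described above, as an added example that is not part of the original article; the block layout, the sample records and all function names are assumptions, and consensus among nodes is not modelled. It shows which blocks an in-place edit forces to be re-hashed and how an appended correction block leaves the existing chain valid.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed back-link value for the first block

def block_hash(block):
    """Hash everything that defines a block except its own hash field."""
    body = {k: block[k] for k in ("index", "prev_hash", "payload")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, payload):
    """Append a block that commits to the hash of its predecessor."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev, "payload": payload}
    block["hash"] = block_hash(block)
    chain.append(block)

def first_invalid(chain):
    """Return the index of the first block failing verification, else None."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block["hash"] != block_hash(block):
            return block["index"]
        prev = block["hash"]
    return None

def rehash_from(chain, start):
    """Re-link and re-hash blocks from `start` to the tip; return the count."""
    prev = chain[start - 1]["hash"] if start else GENESIS_PREV
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block)
        prev = block["hash"]
    return len(chain) - start

def current_records(chain):
    """Reader-side view: the most recent block for a subject wins."""
    return {b["payload"]["subject"]: b["payload"]["data"] for b in chain}

def demo():
    chain = []
    for subject, data in [("DP-1", "city=Pune"), ("DP-2", "city=Delhi"),
                          ("DP-3", "city=Kochi")]:  # constructed sample records
        append_block(chain, {"subject": subject, "data": data})

    # Route 1: rewrite block 0 in place on a copy of the ledger.
    edited = copy.deepcopy(chain)
    edited[0]["payload"]["data"] = "city=Mumbai"
    broken_at = first_invalid(edited)          # block 0 no longer matches its hash
    edited[0]["hash"] = block_hash(edited[0])  # re-hash only the edited block...
    moved_to = first_invalid(edited)           # ...and the break moves to block 1
    rehashed = rehash_from(edited, 1)          # remaining blocks up to the tip
    diverged = edited[-1]["hash"] != chain[-1]["hash"]  # differs from other copies

    # Route 2: leave history intact and append a correction block.
    append_block(chain, {"subject": "DP-1", "data": "city=Mumbai", "corrects": 0})
    return {"broken_at": broken_at, "moved_to": moved_to, "rehashed": rehashed,
            "diverged": diverged, "append_valid": first_invalid(chain) is None,
            "dp1_now": current_records(chain)["DP-1"]}

if __name__ == "__main__":
    print(demo())
```

Under the append route the superseded value stays readable in block 0, so it corrects what readers resolve as current without erasing the earlier entry.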
Right to be Forgotten
The Bill introduces the 'Right to be Forgotten' ("RTF"). RTF entitles data principals to request the removal of their personal data, without undue delay, from any business's storage. RTF has been at loggerheads with the inherent immutability of blockchain technology. Across jurisdictions the term 'forgotten' has been pegged with erasure and is construed in various senses in different jurisdictions, ranging from data anonymisation,4 destruction of hardware,5 to putting data beyond use.6
Given the distinction within the types of blockchain, the modes for exercising RTF are uniform by and large. A widely discussed solution is the destruction of the private key, thereby rendering the data encrypted by a public key inaccessible.7 Owing to the setup of blockchain, a Data Principal may reach out to any entity in the chain that qualifies as a Data Fiduciary to enforce their rights. This is similar to the Google-Spain case,8 wherein the data subject's action against Google remained unaffected by the fact that the data could have been removed by the newspaper's website itself.9 However, the nature of a public blockchain network that does not identify a central authority might prove somewhat problematic where the data principal seeks to enforce his/her right.
As countries are yet to formulate policies with respect to regulation of blockchains, some other alternatives for exercising RTF can be programming chameleon hashes, zero knowledge proofs or a censorable blockchain, as the same would be 'forgetful'.10
Cross-Border Transfer of Data
Chapter VII of the Bill, which deals with restrictions on cross-border transfer of data, requires a copy of the Sensitive Personal Data to be stored domestically while Critical Personal Data must exclusively be processed and stored in India. However, these clear demarcations blur when applied to a blockchain ecosystem where storage and processing of data can be universal. Transfer of Sensitive Personal Data requires explicit consent and the transfer must be under a contract or an intra-group scheme approved by the data protection authority (envisaged to be established under the Bill). While both of these requirements may be fulfilled easily over a private blockchain, a public blockchain, due to undefined groups and the lack of a central entity / authority, may find it more challenging to implement adequate safeguards on restricting such transfer. Over a private blockchain the central body may enter into e-contracts with any number of participants and also obtain their explicit consent.
Under the present regime, Rule 7 of the SPDI Rules provides that a transfer outside India may only be allowed where the country offers the same level of protection to the data. Again, enforcing this may be challenging over a public blockchain network comprising of thousands of nodes across borders. An in-built cross-border transfer consent clause in the governance framework or otherwise may also provide the needed legitimacy from the perspective of data privacy.
D. Jurisdictional Issues
The present uncertainty in law (including lack of adequate legal provisions) has resulted in jurisdictional issues concerning the domestic and transnational presence of the blockchain network. While Section 1(2) read with Section 75 of the IT Act accords limited extra-territorial applicability to the Act, the SPDI Rules, as mentioned in the Regulatory Clarification, are applicable only to body corporates or persons located in India. Consequently, blockchain technology may need to comply with the IT Act to a certain extent, while the mandate under the SPDI Rules will bind only the nodes/miners operating from India. As a result, the network participants operating outside India on the same blockchain will not be required to comply with the SPDI Rules or IT Act.
Section 2 of the Bill affords extra-territorial application but only in certain limited circumstances viz. where the processing which takes place outside India is in connection with any business in India, or which involves the profiling of individuals within India. This will result in a subjective assessment of blockchains and its purposes in order to ascertain the applicability of the provisions of the Bill.
The Civil-Commercial Courts in India have applied the test as to whether a website is an 'interactive website'11 for determination of jurisdiction, in relation to websites that do not have a physical place of business in a jurisdiction.12 In other words, wherever a website facilitates or even intends to facilitate active trade / commercial transactions in jurisdictions where it does not have a physical place of business, the cause of action, if any, arises in all such jurisdictions where the website operates interactively. However, applying such a test to a blockchain network may not be so straightforward. The intrinsic nature of the blockchain technology allows for processing and storage of data at multiple domestic and international jurisdictions simultaneously. Resultantly, in both domestic and international contexts, identification of the place of cause of action becomes complex. The complexity increases as identification of the individuals processing and storing data (nodes) would require de-anonymisation.
The determination of applicable laws will also depend on the nature of a blockchain network. It is practically more difficult to regulate a public blockchain network than a private blockchain network. In a private blockchain the architect/controlling entity may determine the governing laws or the governance framework may provide for a governing law.
In light of the foregoing, it may come as a mammoth task for governments to enforce their respective data protection and cyber-security legislations against such transnational networks without consensus on a multi-national treaty suggesting a model law to regulate the use of blockchain networks. In the alternative, laws may promote self-regulation by merely identifying basic tenets of regulations like governing law, data privacy, certification etc. Non-compliance may include compulsory suspension/termination of participation rights of nodes or blocking access to blockchains which do not provide for adequate self-regulation.
The developers of blockchain networks may consider incorporating dispute resolution and regulatory mechanisms as integral parts of the networks. The developers may also consider coding networks with peer-to-peer decentralized courts such as 'kleros' or 'codelegit' as part of a network's dispute resolution process.
E. Way forward
Blockchain technology carries the potential of disrupting business operations right from supply, manufacturing, logistics and final consumption especially in a post Covid-19 era. Please refer to our previous article on use cases of blockchain here. Accordingly, it is crucial that data privacy laws (with adequate concessions, where necessary) be treated as an enabler and not an inhibitor to continued adoption of blockchain technology. Certain additional rights like data portability and the right to withdraw consent add to the complexity of having a compliant blockchain network. Certain obligations like mandatory registration may also be problematic if the government notifies certain blockchain networks as significant data fiduciaries.
Set out below are a few indicative measures towards harmonious application of data privacy laws and blockchain technology:
1) Every blockchain network must provide a detailed governance framework that is in alignment with the basic requirements under data privacy regulations. Such a framework would have to be binding on all participants over a blockchain network, stating all rights, obligations and duties of parties, including a detailed mechanism for communication, security measures, cross-border data transfer, and grievance redressal and may even set out applicable laws etc.
2) Such a self-governance framework could also include a privacy by design policy and provisions for Data Protection Impact Assessment (as set out in Chapter VI of the Bill).
3) 'Pruning' is used for situations where historical blocks of data beyond a certain timeline are deleted. Similarly, where data has to be altered or rectified, the same may be done by 'forking' where data is altered or deleted, the hash changed and a new fork is created. However, over a public blockchain Pruning and Forking can be challenging and may require a huge amount of computing consensus.
4) To ensure the safeguarding of right to privacy a Memory Optimized and Flexible Blockchain (MOF-BC) can be considered as an effective measure. It enables the IoT (Internet of Things) users and service providers to edit their transactions, thereby altering the details of data entry.13
1 K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
2 SPDI Rules, R. 3 defines 'Sensitive Personal Data or Information' to include personal information comprising of password, financial information, health conditions etc.
3 Commission Nationale de l'informatique et des Libertés, Solutions for a responsible use of the blockchain in the context of personal data, https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf.
4 Austrian Data Protection Authority, DSB-D123.270/0009-DSB/2018 (05 December, 2018), https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20181205_DSB_D123_270_0009_DSB_2018_00/DSBT_20181205_DSB_D123_270_0009_DSB_2018_00.html.
5 Article 29, Working Party, Opinion 05/2012 on Cloud Computing (WP 196) 01037/12/EN, https://www.technethics.com/assets/Opinion-05-2012-on-Cloud-Computing.pdf.
6 Individual Rights, INFORMATION COMMISSIONER'S OFFICE, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/.
7 Commission Nationale Informatique et Libertés, (September 2018), https://www.cnil.fr/sites/default/files/atoms/files/la_blockchain.pdf.
8 Case C-131/12 Google Spain and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014) EU:C:2014:317, para 80. The Court emphasised that search engines made it easier for internet users to find the relevant data and played an important role in its dissemination which was 'liable to constitute a more significant interference with the data subject's fundamental right to privacy than the publication on the web page'.
9 Finck, M. (2019). Blockchain and the General Data Protection Regulation. Tech. rep., Panel for the Future of Science and Technology at European Parliament
10 Ateniese G, 'Redactable Blockchain - or - Rewriting History in Bitcoin and Friends', EURO S&P (2017), https://eprint.iacr.org/2016/757.pdf.
11 An interactive website comprises of internet pages that allows active participation of users. For example, online retail websites or social networking websites can be categorized as interactive websites.
12 World Wrestling Entertainment Inc. v. M/s Reshma Collection, 2013 SCC OnLine Del 3987.
13 Ali Dorri, MOF-BC: A memory optimized and flexible blockchain for large scale networks, 92 Future Generation Computer Systems 357-373 (2019).