By now, most of you have probably heard about blockchain technology. At its essence, it is a distributed ledger technology (“DLT”) that leverages a decentralized computer system to create secure, verifiable and permanent records of transactions.
Each block contains data not only about the transaction, but other data that “links” it to the previous block in the chain. Think of a log of transactions (blocks) linked together (chain) in an encrypted ledger without a centralized administrator, replicated and authenticated across a computer network and synchronized so that they all reflect the information as it is updated. You have probably heard it most often in conjunction with cryptocurrencies, such as Bitcoin and Ethereum — examples of decentralized, digital currencies that use blockchain technology at their core to verify and record the exchange of currency directly between two parties, all without the involvement of a centralized banking structure. This technology is as ingenious as it is effective, but as with all technology, it can also be legally deceptive for the unwary.
It is no surprise that blockchain/DLT has become such a hot-button technology — it provides a secure transaction methodology that lends itself to a degree of automation. Security is a seminal benefit, as the names of the parties are pseudonymized, each block is authenticated across the network prior to being added to the chain, and the records are encrypted. Moreover, the blocks in a blockchain are immutable by design — they cannot be changed once authenticated and added to the blockchain due to the use of “hashing” algorithms (mathematical functions that essentially transform the data being hashed into a unique output of a fixed length, creating a digital “fingerprint” of the underlying data) that order each block in the blockchain with reference to the previous block’s hash. These hashes are not amenable to being easily reversed, securing the entire blockchain as it grows. Of course, this is a very rudimentary explanation, but you get the basic point — it creates a secure, distributed database of information and transaction records.
Cryptocurrencies are the most common example of implementing DLT, but in fact, we have only scratched the surface of applications for this foundational technology. There are a multitude of other applications of DLT that look to transform a host of other industries beyond cryptocurrency, such as securities (e.g., digital stock certificates; records of stock trades), health care (e.g., medical data and billing management) and general business transactions (e.g., “smart” contracts). The music industry is looking at DLT as a secure way of ensuring royalty payments, and it wouldn’t surprise me if our right to vote becomes exercised by way of DLT someday (really).
As with all such technologies, however, the law is still playing catch-up. Where your company (or client) is considering DLT applications, there are specific risks involving this technology that must be evaluated and cannot be underestimated as you evaluate their implementation. Here are three big ones that should not be ignored:
By its very nature, DLT is decentralized and distributed — it is not only possible, but likely, that certain applications will be tailored to keep personal information within the blockchain. As a result, such blockchains would foreseeably be comprised of blocks containing personal information from data subjects resident in a multitude of jurisdictions. Which data privacy laws would apply? The EU-US Privacy Shield may provide some protection for cross-border transfers of personal information from the EU to the US, but the scope and extent is unclear (and is itself limited to EU-US data transfers). What about the EU General Data Protection Regulation (GDPR) that becomes effective in May 2018? The GDPR is a comprehensive regulation designed to protect the privacy of personal information of EU citizens for transactions taking place among (and with) EU member states. Although pseudonymization of personal information is part of the GDPR requirements (something that is already implemented within DLT), the requirement that data subjects be able to request deletion of their personal information directly contradicts the immutability of information in records contained within the blockchain. Failure to comply with GDPR requirements can result in hefty fines, so the answers to these questions are not only complicated, but carry significant potential risk.
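The hash linking described earlier and the deletion conflict noted above can be seen together in a short added example (not part of the original article). It is a single-machine simplification with no network consensus; SHA-256, the JSON encoding, the function names and the sample records are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first block

def block_hash(index, prev_hash, data):
    """SHA-256 fingerprint over the block's contents and its predecessor's hash."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Link records into a chain; each block stores the previous block's hash."""
    chain, prev = [], GENESIS
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain

def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev:
            return block["index"]  # link to predecessor is broken
        if block_hash(block["index"], block["prev"], block["data"]) != block["hash"]:
            return block["index"]  # contents no longer match the fingerprint
        prev = block["hash"]
    return None

def erase_and_rehash(chain, index):
    """Blank one block's data and recompute its hash, as an in-place deletion would require."""
    block = chain[index]
    block["data"] = "[erased]"
    block["hash"] = block_hash(block["index"], block["prev"], block["data"])

# Constructed sample records using pseudonymous labels (not real data).
RECORDS = ["acct-7f3 pays acct-a91 5", "acct-a91 pays acct-c20 2", "acct-c20 pays acct-7f3 1"]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact chain, first invalid block:", first_invalid(chain))
    chain[1]["data"] = "[erased]"  # deletion without touching the stored hash
    print("after blanking block 1:", first_invalid(chain))
    erase_and_rehash(chain, 1)  # deletion with the block's own hash recomputed
    print("after rehashing block 1:", first_invalid(chain))
```

Blanking a record is detected at that block, and recomputing the block's own hash only moves the failure to the next block, whose stored link still points at the old fingerprint. This is the practical reason an erasure request cannot be honored in place without invalidating every later block.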
Jurisdiction and Dispute Resolution
Of all the potential risks involving DLT, regulatory risk is the most unpredictable. As of the time of this writing, the U.S. federal government has not preempted the states from passing their own laws and regulations regarding DLT, so state regulation of blockchain remains quite possible. That said, the increasing acceptance of digital currencies may push federal regulators to implement mechanisms and safeguards for consumers that open the door to increased federal regulation. Internationally, the approach to DLT has been cautiously optimistic, with the European Commission openly supporting more projects based upon DLT for its member states. Similar to privacy concerns, there is every indication that US and international laws may need to be reconciled as DLT becomes more prevalent across industries.
Without question, DLT presents a foundational technology that will gradually reshape the way business is transacted (even if there is a long way to go before there is widespread adoption). Even though DLT blocks may be immutable, your company’s (or client’s) risk is not — businesses cannot afford to ignore the writing on the distributed ledger (so to speak) as the technology gradually moves mainstream. DLT is likely here to stay for a while, so get ahead of the curve — this is one set of risks that is worth hashing out.