Scott: Your personal info is at risk by under-regulation of blockchain

(A focus on Health Data Systems)

Not everyone believes that crypto-currencies are the future, but most will agree that the blockchain technology behind these currencies is here to stay, and it might be affecting your personal information in the years to come.

Blockchain is a distributed ledger technology that records data transactions in a permanent and immutable way. The recent hype around blockchain technology has blossomed into widespread propositions of obscure use cases, ranging from using the tech to reunite refugee children with their parents, or to sell solar energy to neighbours, or to make video games more interactive.

While some new blockchain strategies may simply remain as novel as they sound, select industries are actually fast approaching production stage for blockchain-enabled systems, and they are very real reasons why our regulations need to catch up with these developments.

I recently advocated for increased regulation of the tech and health industry at a Symposium held by the International Association of Privacy Professionals. In the international sphere, over 150 private companies are piloting blockchain solutions in the health sector, with at least 15 national government-coordinated implementation strategies, and a prediction of 70% adoption rate of the tech at scale by 2020.

Canada has been slow to get on board with blockchain enabled health systems, with is perhaps lucky given the minimal effort the government has put into regulating blockchain in any capacity, let alone in areas of privacy law. However, even regulators in Europe have taken the wait-and-see approach to blockchain in healthcare, which appears at odds with their high adoption rates of the technology in the industry.

So why is the lack of regulatory guidance on blockchain a problem for the privacy of individuals?

Blockchain turns the regulatory tenets of some traditional transactional data systems on their heads. Patient health information is owned by the institution that stores the records, and is governed by private-sector national and provincial Canadian data privacy laws. But in a blockchain-enabled system, where a complete decentralized copy of all records is housed simultaneously by all blockchain participants, who is held accountable for a data breach? And if the health record blockchain is implemented at a national level with government participation, does this subject your patient information to the Constitution and the Privacy Act?

The blockchain panel at the Canadian symposium proved that privacy professionals are concerned about the way blockchain technology can interface with privacy, both nationally and internationally. With the GDPR (the EU’s new data protection legislation) coming into force the same day as the panel, prominent concerns included provisions like the right to be forgotten.

The right to be forgotten allows a person to force removal of certain information about themselves from internet records so they cannot be found by the public. If personal information gets immutably and permanently published to a public blockchain, how will this right be enforced? Even if best practices are understood to involve never publishing personal information to a block, can the situation even be prevented in such a peer-to-peer system? The fact that there are not answers to these questions is a source of consternation for privacy professionals.

While blockchain technology brings great promise for utility, the security it offers alongside its permanence and immutability require a level of scrutiny by policy makers. You cannot erase data that gets written onto a block in the system, and the implications of this feature are not difficult to predict. A reactive regulatory approach may be appropriate for some innovative tech solutions, but unalterable systems should clearly warrant a new approach.