Inevitably, innovation challenges the typical ways of doing things, and regulation always seems to lag progress. How can we balance protecting personal identification information with the opportunities offered by blockchain?
There’s no doubt that 2018 was the year that the protection of personal information became front of mind, whether through data breaches, Facebook sharing information for dubious purposes, or the implementation of the General Data Protection Regulation (GDPR) in the European Union and the still-pending rollout of the Protection of Personal Information Act (POPIA) in South Africa. Depending on your perspective, 2018 was when we finally started ensuring companies take their responsibilities seriously, or the year we started breaking things and stifling innovation by trying to protect personal information in inappropriate ways. (It’s probably a bit of both.)
Take POPI and blockchain, for instance. Blockchain is the distributed ledger technology that underlies cryptocurrencies, but it can also be used to power many other things. For instance, Malta is looking at a blockchain-powered land and health registry. And Estonians can log into their blockchain-based healthcare registry and see exactly who has accessed their details.
The savings alone that blockchain offers are staggering. Goldman Sachs estimates that the securities industry could save $11 – $12 billion in fees by using blockchain to remove errors in the clearing and settlement of cash securities. And we have only started to scratch the surface of what blockchain technology will allow us to do. It’s useful to think of blockchain as an operating system, like Microsoft Windows or Apple OS. The really exciting stuff is what people will develop on top of it.
A fundamental feature of a blockchain, what makes it so useful for storing important records, is that it can never be erased or rewritten. But wait a minute, what about the right to be forgotten, to have personal data deleted, especially from the internet? This is explicit in GDPR, which any South African company dealing with customers in the European Union has to comply with, and implied by POPI, which says that people can request their personal information and records be corrected or deleted.
Does this mean we have to choose? Remain stuck in the past and miss out on the promise of what blockchain will enable for us and our customers, or risk the fines threatened by POPI and GDPR and the brand damage associated with non-compliance? Alternatively, do we water down blockchain technology, and its capabilities and promise? Can you imagine if almost 40 years ago, we severely constrained an aspect of the brand-new Microsoft Windows interface manager? What would we have missed out on? Let’s not do that with blockchain, either.
Unlike central registries controlled by a single authority, say a bank, blockchain ledgers are spread out over a number of anonymous computers, connected on a peer-to-peer basis. The people involved don’t have to know, or even trust, each other. Transactions are announced to the group and recorded by everyone. At set intervals a section of the ledger, called a block, is locked irreversibly using cryptography and information from the previous block, and added to the blockchain. Working on the principle that the majority is honest, if any copy of the block on the network doesn’t match that of the others, it is replaced with information the majority agree on. In other words, the longest block is the true one.
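The locking and majority rule described above, and why erasing a record collides with them, shown as an added example that is not part of the original article. The record contents, the function names, the use of SHA-256 as the cryptographic lock and the simple majority vote over three node copies are all assumptions made for illustration.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # constructed starting value for the first block

def block_hash(prev_hash, records):
    """Hash a block's records together with the previous block's hash."""
    payload = json.dumps({"prev": prev_hash, "records": records}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(batches):
    """Lock each batch of records into a block linked to the one before it."""
    chain, prev = [], GENESIS
    for records in batches:
        digest = block_hash(prev, records)
        chain.append({"prev": prev, "records": list(records), "hash": digest})
        prev = digest
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block_hash(prev, block["records"]) != block["hash"]:
            return i
        prev = block["hash"]
    return None

def majority_tip(copies):
    """Return the latest block hash held by most internally valid copies."""
    tips = Counter(c[-1]["hash"] for c in copies if first_invalid_block(c) is None)
    return tips.most_common(1)[0][0]

# Constructed sample ledger: three blocks of registry entries.
BATCHES = [["plot 12 -> owner A"], ["person B record viewed by clinic C"], ["plot 12 -> owner D"]]

def demo():
    honest = build_chain(BATCHES)
    # One node blanks the personal record in block 1 but leaves the hashes alone.
    blanked = build_chain(BATCHES)
    blanked[1]["records"][0] = "[erased]"
    # The same node instead re-locks every block after erasing the record.
    relocked = build_chain([BATCHES[0], ["[erased]"], BATCHES[2]])
    agreed = majority_tip([honest, build_chain(BATCHES), relocked])
    return (first_invalid_block(blanked), first_invalid_block(relocked),
            relocked[2]["hash"] != honest[2]["hash"], agreed == honest[-1]["hash"])

if __name__ == "__main__":
    print(demo())
```

Blanking the record in place makes block 1 fail verification. Re-locking the chain afterwards produces a copy that is valid on its own, but every later block hash changes, so the majority still agrees on the unedited ledger.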
As published in ASA Magazine December/January 2018