Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Entertainment and Sports LawFeaturesLitigationPrivacyRegulationEntertainment Law & Finance

Issues Between EU Data Protection, Use of Blockchain

By Justin Hectus and Kristy Sambor
August 01, 2018
General Data Protection Regulation (GDPR) Entertainment Law & Finance A Primer for the Entertainment Industry on the Use of Blockchain Technology Smart Contracts and Blockchain
  • The GDPR may be a privacy regulation, but data protection is a core principle. Controllers, processers and sub-processors are held to high standards with respect to broad cybersecurity concepts and specific breach notification requirements. Blockchain's encryption and decentralized structure makes the network and data highly tamper-resistant and, in theory, less vulnerable to unauthorized modification than a single instance database.
  • The GDPR represents a shift to consumer ownership of their own data, requiring companies to provide visibility and control to individuals, on demand. Blockchain is being used as the base technology for dozens of applications focused on consumer control of data from identification to monetization.
  • The GDPR has made great strides by requiring not only transparency into what companies will do with consumer data, but also mandating clear consent mechanisms to ensure that consumers understand what companies are sharing, with whom and for what purpose. Blockchain and cryptocurrency came into existence in part because of a loss of trust in financial institutions. Blockchain continues to be leveraged in ways that bridge the gap in consumer trust in areas as varied as news and insurance.
  • As with most coming of age stories, the tale of these two Generation Z kids is not without conflict. In this case, the GDPR's right to erasure and blockchain's fundamental immutability may be akin to an unstoppable force meeting an immovable object.
Los Angeles Times Chicago Tribune

'Privacy By Design'

  • Increased use of private or enterprise blockchains, which are blockchain systems used by one company or amongst companies in the same industry. Unlike public blockchains, which provide decentralized utility and access to as many users as possible, private and enterprise blockchains limit the dissemination of personal information to just one company or a limited number of companies. In reducing the scale of the chain, fewer individuals have access to sensitive information and the possibility of data breaches significantly diminish.
  • Use of pseudonymization techniques in combination with data stored off-chain. In order for data to be considered pseudonymous under GDPR, the data must “no longer be attributed to a specific data subject without the use of additional information” (GDPR Art. 4(5)). Pseudonymous data, unlike anonymous data, therefore still allows for re-identification. While pseudonymization techniques make it more challenging for users to identify data subjects, it does not scrub all identifying personal information. Pseudonymization with pointers to personal data stored off-chain in a manner that allows the personal data to be destroyed — and thus removes the link to the data on the chain and renders it anonymized — may allow a user to remove all of their personal information from the chain, as required by the GDPR's right to erasure.
  • Development of mutable blockchains. For example, the R3 Corda team is currently exploring “sophisticated anonymization techniques” that would allow users to edit and/or delete their personal information shared on a private blockchain, giving them 100% control over their own data. This “self-sovereign solution” would “ensure provisions in GDPR that allow individuals to access and correct their personal data would be fulfilled and provides a compliant solution to restrict data processing.”
  • Reliance on exceptions to the right to erasure. The right to erasure is not absolute in all circumstances. For instance, the right to erasure does not apply to the extent that processing is necessary for compliance with a legal obligation that requires processing by EU or Member State law, and it does not apply to the extent that processing is necessary to establish, exercise or defend legal claims. (GDPR Art. 17(3)(b) and (e).) Other exceptions may also apply. Businesses might reject a request for erasure of personal data based on recognized exceptions in the GDPR, but there is little guidance in this area and whether these exceptions will successfully apply to blockchain solutions has yet to be tested.
***** Justin Hectus Cybersecurity Law & Strategy Entertainment Law & Finance Kristy Sambor This article has been prepared for informational purposes only and is not intended to be legal advice. Individuals and/or companies should not act upon this information without seeking professional counsel from an attorney.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Overview of Regulatory Guidance Governing the Use of AI Systems In the Workplace Image

Businesses have long embraced the use of computer technology in the workplace as a means of improving efficiency and productivity of their operations. In recent years, businesses have incorporated artificial intelligence and other automated and algorithmic technologies into their computer systems. This article provides an overview of the federal regulatory guidance and the state and local rules in place so far and suggests ways in which employers may wish to address these developments with policies and practices to reduce legal risk.

Is Google Search Dead? How AI Is Reshaping Search and SEO Image

This two-part article dives into the massive shifts AI is bringing to Google Search and SEO and why traditional searches are no longer part of the solution for marketers. It’s not theoretical, it’s happening, and firms that adapt will come out ahead.

While Federal Legislation Flounders, State Privacy Laws for Children and Teens Gain Momentum Image

For decades, the Children’s Online Privacy Protection Act has been the only law to expressly address privacy for minors’ information other than student data. In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children.

Revolutionizing Workplace Design: A Perspective from Gray Reed Image

In an era where the workplace is constantly evolving, law firms face unique challenges and opportunities in facilities management, real estate, and design. Across the industry, firms are reevaluating their office spaces to adapt to hybrid work models, prioritize collaboration, and enhance employee experience. Trends such as flexible seating, technology-driven planning, and the creation of multifunctional spaces are shaping the future of law firm offices.

From DeepSeek to Distillation: Protecting IP In An AI World Image

Protection against unauthorized model distillation is an emerging issue within the longstanding theme of safeguarding intellectual property. This article examines the legal protections available under the current legal framework and explore why patents may serve as a crucial safeguard against unauthorized distillation.