April 17, 2024

Last Updated on April 17, 2024

Since the EU’s General Data Protection Regulation (GDPR) went into effect in 2018, the movement to protect personal data has gone global. New data privacy regulations bring compliance costs and risks—driving businesses to rethink the prevailing strategy of intensively aggregating and monetizing customers’ personal data.

Intrinsically enabling this shift both philosophically and technologically is Web3, a potential reshaping of today’s “Web 2.0” internet that decentralizes control over data and digital identity now held mainly by a few tech giants. At the foundation of Web3 is distributed ledger technology (DLT), a disruptive transactional model of which blockchains are the best-known examples.

How exactly can DLT simplify privacy compliance? This article connects the dots and presents a “win-win” vision for the control and monetization of personal data in cyberspace.

 

How do Web3, DLTs, and privacy laws intersect?

Web3 is an increasingly influential and populist view of how we can apply emerging technology to reshape our online experience, re-empower individuals, and reduce the data-driven dominance of the world’s largest tech firms.

Most online transactions today are controlled and managed by powerful intermediaries (e.g., Amazon, Google, Meta) that harvest and leverage users’ data at their sole discretion. A central Web3 tenet is giving users more control over their data via DLT-based transactions, versus seeing it exploited as one of the world’s most valuable commodities with little regard for privacy rights.

In a DLT model, the database is shared across a network of members, each of whom simultaneously maintains and updates a copy of the ledger. Each participant in a distributed ledger transaction can securely process, record, and confirm the transaction with no intermediary (e.g., a website owner) involved. Data also increasingly resides with individual participants, with much less need to hold it centrally.

 

How can DLT disrupt the longstanding data accumulation paradigm?

In today’s digital and analog realms, the two or more entities that mutually agree on a transaction often trust a third-party go-between to perform the exchange and record the results. A central “middleman” such as a financial services firm, ecommerce provider, or social media site typically controls, processes, and validates transactions and associated data. For example:

  • A bank, or credit card company confirms you have sufficient funds or borrowing power to make a purchase, and
  • Records on various financial statements the digital transaction exchanging money from your account for goods from an online marketplace.

This centralized ledger model has traditionally been the accepted way to enforce transactions’ security and authenticity. It works well for those purposes, assuming you can trust and accept the central authority’s business ethics and the efficacy of government/industry oversight.

In contrast, what might happen if your mortgage company controlled your payment transactions with no bank in between? They could falsify their records to show that you were in arrears, and potentially take your home.

But thanks to the emergence of DLTs, a safe, distributed, peer-to-peer trust model becomes possible. Data on distributed ledgers can be securely shared only with chosen parties and not through a central intermediary.

By giving individual participants greater choice and responsibility for how their data is stored and exchanged, the distributed ledger paradigm also gives businesses alternatives to the reflexive acquisition of personal data with its increasingly burdensome costs and risks.

 

What are DLT’s data privacy compliance implications?

To gradually make Web3’s vision of power transfer a reality, consumers, communities, and companies all need to choose it. The most compelling advantages for consumers and communities include reduced harm from economic exploitation, privacy violations, and cybercrime.

But what do corporations stand to gain by refraining from attempting to monetize personal data?

Among the biggest wins for companies that participate in distributed ledgers can be a streamlined and simplified privacy compliance picture, with associated reductions in:

  • IT and other operational costs
  • Business process complexity
  • Privacy rights compliance challenges and risks

As participants in DLT transactions for goods and services, many businesses simply won’t need to hold or process large amounts of personal data, at least in usable/unencrypted forms. DLTs can also support robust technological approaches to privacy rights compliance, such as individuals’ rights to access, correct, update, delete (be forgotten), and withhold consent to use personal data.

 

What does a DLT privacy compliance model look like for businesses?

Zenobia Godschalk, SVP and founding team member at Hedera/SwirldsLabs, points out that DLTs can potentially free companies from the burden of protecting sensitive data. Instead of building data collection functions into every new application, transaction participants can rely on their DLT’s consensus algorithm to validate many data requirements without having to own or even access the unencrypted data.

“Think about how much of the data collection and privacy burden gets removed for those companies,” says Zenobia. “I don’t have the same burden of GDPR compliance because I don’t actually own that data and I’m not seeing it—I’m just seeing a hashed or pseudonymous version of it. So, I don’t have to manage all that data. I don’t have to let you know when there was a data breach…”

In Zenobia’s view, the collective shift towards disaggregated data ownership can happen organically through organizations incorporating DLT into more and more new applications as they sunset Web 2.0 applications.

 

How does DLT overcome privacy challenges?

Distributed ledgers are generally designed to be decentralized, universally transparent, and immutable. Transactions are largely both unchangeable and accessible to all participants, independent of the sensitive data they contain.

These traits could undermine privacy compliance. For example:

  • Privacy regulations mandate various rights to modify and delete previously collected personal data. Yet data held in blockchains, the Hedera network, and other DLTs is generally referred to as “immutable,” as trust in the ledger depends on its resistance to unauthorized changes.
  • Data on DLT networks is inherently distributed and ubiquitously duplicated. Thus, some personal data could easily end up residing in a geography where no privacy laws are in effect to protect it.

The different options available to protect privacy in distributed ledgers include:

  • Private, permissioned ledgers that allow only authorized entities to participate and access ledger data.
  • Storing some data off the ledger, like sidechains in a blockchain. This enhances privacy by keeping certain data confidential while still supporting its verification for transactional purposes.
  • Applying cryptographic techniques (e.g., zero-knowledge proofs) to verify data without sharing the data itself. This approach offers data protection yet maintains transparency.
  • Enforcing regulatory guidelines that require DLT participants to protect privacy through data encryption, anonymization, minimization, and other best practices.

 

Future possibilities for DLTs

As DLTs continue to evolve rapidly, organizations, communities, and consortia from SMBs to governments are building decentralized networks to manage all kinds of financial, contractual, supply chain, and personal data exchanges.

While these increasingly diverse networks function autonomously, they are still interconnected and need the ability to exchange or transfer digital assets while maintaining information security and privacy. Open-source projects like Corda, Cardea, and REDLedger offer new solutions to reduce the effort required to take advantage of DLTs while addressing privacy compliance concerns.

Zenobia relates: “There are online developer communities that are so willing to engage with newbies and have conversations about how it works and how they’ve implemented it. They can read or they can ask questions. And there really are no dumb questions because this technology has been around for only a hot minute and there are no experts—only folks who are just continuing to learn.”

 

What’s next?

For more guidance on this topic, listen to Episode 135 of The Virtual CISO Podcast with guest Zenobia Godschalk, Senior Vice President at Hedera.