Last week the Court of Justice of the European Union (CJEU) struck down a key data-sharing agreement between the United States and European Union, with possible implications for U.S. blockchain companies that serve EU customers.
The 2016 agreement, known as the Privacy Shield, lets American companies self-certify they are complying with data privacy laws, like the General Data Protection Act (GDPR). GDPR gives end users greater control over data held by companies like Google and Facebook.
“The court’s imploring data protection authorities in Europe to no longer sit idly by while illegal transfers of data are taking place,” he said. “The court has called the data protections supervisor to action.”
Companies handling a European’s personal data are supposed to share only that data with entities in countries that have similar protections. The U.S. lacks strong federal privacy legislation, and has a long history of security agencies like the National Security Agency secretly surveilling vast swathes of personal data, under legally dubious justifications. When a person in the EU uses a service like Facebook or Google, they are sending their data outside of the EU.
Next steps for companies
Over 5,000 U.S. companies were certified under the Privacy Shield deal, including Facebook, Twitter, Amazon, and Google, meaning they may now have to take extensive steps to figure out how to protect EU customers data, and comply with GDPR in other ways. This is a challenge for smaller-sized companies, said Blickensderfer, considering the measures needed to account for data and the number of third parties involved.
One alternative is to make sure users give informed consent, so their data is processed in the U.S. and personal data may be used for commercial purposes. But, said Blickensderfer, it’s doubtful that existing terms of service cover that. Another options is reviewing the standard contract language, making more explicit how, for example, the U.S. government may access data.
Prominent cryptocurrency exchange Coinbase was certified under the Privacy Shield. When asked what the impact on their EU customers might be and what exchanges and blockchain companies should be looking to as an alternative, it said nothing had changed for now.
“We have been monitoring developments regarding the EU/US Privacy Shield closely and, in light of the CJEU’s recent decision, we will continue to use approved data transfer mechanisms…to ensure Coinbase provides services to customers in the EU without interruption,” said a Coinbase spokesperson.
Max Schrems, an Austrian lawyer and activist, brought the case to the CJEU over concerns about the legality of how Facebook was using his data. The court found that U.S. surveillance laws clash with fundamental EU rights.
“This judgment is not the cause of a limit to data transfers, but the consequence of US surveillance laws,” Schrems said in a statement. “You can’t blame the Court for saying the unavoidable – when shit hits the fan, you can’t blame the fan.”
Confusingly, U.S. Secretary of Commerce Wilbur Ross said in a statement the Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification, recertification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. All this despite the fact the program was invalidated immediately on the EU side, and therefore seemingly contains little value.
“That’s the big unstated response to this statement by the Secretary of Commerce,” said Blickensderfer. “Why would you want to remain in this program if you are not getting the benefits it otherwise provided to you?”
Ross said he was disappointed in the decision and hoped to “limit the negative consequences to the $7.1 trillion transatlantic economic relationship.”
Enter privacy tech
Companies that use privacy-oriented technology and include features like end-to-end encryption, may have an easier time complying with the new reality, according to Blickensderfer.
“Decentralized tech and tools like blockchain can help establish the existence of sufficient protections – or ‘supplementary measures,’ to borrow from the Court’s opinion – to ensure the adequacy of the protections necessary to satisfy the GDPR,” he said.
At the same time, GDPR compliance presents a challenge to those technologies because of the seemingly unavoidable conflict between immutability on the one hand and the right to be forgotten, or to restrict processing, on the other.
In “cross-border transfers under the GDPR, these technologies can certainly help,” Blickensderfer said. “But there are other potential unavoidable conflicts… when considering wholesale adoption of this technology to demonstrate GDPR compliance.”
End-to-end encryption prevents state surveillance apparatuses from compelling companies to access and share that data with them. Additionally, decentralized tech doesn’t have a centralized point of control, meaning there are very few ways for one actor to brute force access all the information on the network or protocol.
Raullen Chai, CEO of IoTex, which leverages blockchain to secure the internet of things, said people who want to preserve their privacy have had little option but to rely on permissive corporate policies and ineffectual regulations.
“At the heart of the problem is data ownership,” said Chai. “Decentralization offers a way to stop storing data centrally and allow individual people and entities to own their data.”
Huang Lin, CTO of Suterusu, which is working to develop privacy protection over smart contracts, transactions and data for blockchain networks, said a new transatlantic data transfer framework giving individuals more control over their data privacy is urgently needed.
“The current trend on private data transfer regulation exemplified by European GDPR is that data will be more and more governed according to digital code,” he said. “In a word, code is the law.”
In the next few years, he sees scalable smart contract platforms actively adopting a variety of advanced cryptographic technologies. Zero-knowledge proofs, or protocols that allow data to be shared without a password, or any information associated with the transaction, is one such technology.
Another is secure multi-party computation, in which a number of separate yet connected computing devices carry out a joint computation without knowing the other inputs, just the outputs. This method protects against intrusion because there is no trusted third party that handles all the data involved.