POPI Compliance: Can Personal Information be Stored on a Blockchain?


In the wake of the Panama Papers and with growing instances of data breaches and identity theft, software developers need to show that they are taking privacy seriously.

The proliferation of digitised storage of data has moved global attention to the blockchain, the technology that underpins the cryptocurrency Bitcoin. While the future of Bitcoin is uncertain, many are saying that blockchain technology will revolutionise the way in which individuals and businesses transact and store information in today’s digitised world. The full potential of the technology is, however, almost impossible to predict. It could, for example, be used to store large quantities of personal data, but it is unclear what effect this would have on the right to privacy and on compliance with the Protection of Personal Information Act, 2013 (POPI), which is only partially in force.

The relationship between the blockchain and personal information

A blockchain is a ledger that essentially keeps a public record of a series of transactions (data) stored in blocks. Each time a person transacts, the transaction data is stored in a block, and when each block is full, another is created, forming a chain. For example, if person (A) transfers information to person (B) this transaction will be recorded, encoded and stored permanently on the blockchain. A public blockchain is distributed (not centralised) and is maintained by a network of computers that each have a copy of the blockchain and are competing to verify the transactions on it. This allows people who do not necessarily trust each other to collaborate without having to go through a central authority or intermediary.

One of the biggest selling points of a public blockchain (like the one underpinning Bitcoin) is that the data stored within it cannot be tampered with or altered and is therefore immutable. It is also only possible to add data to the blockchain, not remove it. This is useful from a trust perspective since it guarantees that the data in the blockchain has not been changed. But this may also be its biggest drawback: individuals and businesses may not want all of their information to be stored permanently on a public platform.

Although a blockchain can be customised to offer greater privacy protection, through, for example, the creation of private blockchains (where write permissions are centralised within an organisation and strict access criteria may be imposed), the fact that the information is permanently stored on the system is problematic from a data-protection perspective.

In theory, any record that can be stored electronically and recognised by a computer could be stored on a blockchain with the potential to be used by a wide range of players (governments, financial institutions, individuals and businesses) and for a variety of uses (‘smart contracts’, money transactions, the creation of land registries or data-storage for academic/professional qualifications, medical records or criminal records). However, the irreversibility and inalterability of the data suggests that blockchain technology may not be well suited for storing personal information in the South African context.

The right to privacy and data protection under POPI

POPI regulates the processing of personal information, with both concepts being exceptionally widely framed. Anything that is done with information about a person will be regulated by POPI, and compliance with the eight conditions for the lawful processing of personal information will be mandatory once the Act is fully operational. The consequences of non-compliance are severe. And if one is dealing with ‘special personal information’ (such as a person’s health-related information, criminal history or information pertaining to a child) then the requirements are even more onerous.

Given the stringent regulatory requirements of South Africa’s data laws, using a blockchain is likely to be problematic from a POPI perspective, for two key reasons.

(i) Storage and retention

Section 14 of POPI prohibits the storage and retention of personal information for any longer than is necessary. And any personal information must also be capable of being deleted or destroyed in a manner that prevents reconstruction.

This resonates particularly with international trends in favour of recognising a right to be forgotten – a subset of the right to privacy. The idea has attracted much international attention since the European Union (EU) judgment in Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, which affirmed the existence in the EU of a right to have personal data deleted from search engines on request, or put differently, a right to have that data forgotten where there is no public-interest justification for its continued visibility/accessibility to the public.

(ii) Updating personal information

Section 16 of POPI requires that reasonable steps be taken to ensure that any personal information is complete, accurate, not misleading, and updated where necessary. Section 24(1) allows a data subject, on request, to have any information corrected, deleted or destroyed.

Utilising a blockchain to store personal information may not be bad for privacy, particularly in light of the ability to customise and design private blockchains to meet a range of needs. For example, the rules of a specific private blockchain can allow for deletion, alteration or updating of data (using smart contracts).

As far as public blockchains go, the Bitcoin blockchain is pseudonymous and uses an address rather than the name of the user, so any private information is depersonalised. However, the difficulties associated with irreversibility and inalterability suggest that public blockchains – by their nature – are not necessarily suited to the storage of personal information. In the end, it will all come down to how blockchains are designed; and anyone experimenting with this technology should carefully consider its implications.
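The two points the article rests on, that a chain of blocks cannot have an entry altered or removed without breaking it, and that a privately designed chain can still be made to honour deletion and correction requests, are easier to see in code. The following is an added illustration, not code from the article or from Caveat Legal. It builds a minimal hash-linked ledger (a toy, not Bitcoin’s format), shows that rewriting or deleting a block invalidates every block after it, and then shows one common design response that the article does not itself describe: keep the personal record off-chain and put only a salted hash commitment to it on the chain, so the record can later be destroyed while the chain stays intact. Names such as `Chain`, `commit_record` and `forget_record`, and the sample records, are constructed for this example.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Any, Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    """One block: its position, the hash of the block before it, and the recorded data."""
    index: int
    prev_hash: str
    payload: Dict[str, Any]

    def hash(self) -> str:
        # Canonical JSON so identical content always produces the same hash.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True,
        ).encode()
        return sha256_hex(body)


class Chain:
    """Append-only ledger (constructed toy): every block commits to its predecessor's hash."""

    GENESIS_PREV = "0" * 64

    def __init__(self, blocks: Optional[List[Block]] = None):
        self.blocks = blocks if blocks is not None else [Block(0, self.GENESIS_PREV, {"genesis": True})]

    def append(self, payload: Dict[str, Any]) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1, prev.hash(), payload)
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """True only if every block still links to an unchanged block before it."""
        if not self.blocks or self.blocks[0].prev_hash != self.GENESIS_PREV:
            return False
        for i in range(1, len(self.blocks)):
            if self.blocks[i].index != i or self.blocks[i].prev_hash != self.blocks[i - 1].hash():
                return False
        return True


def altered_copy(chain: Chain, index: int, new_payload: Dict[str, Any]) -> Chain:
    """Copy of the chain with one block's data rewritten in place (a 'correction' done on-chain)."""
    blocks = list(chain.blocks)
    old = blocks[index]
    blocks[index] = Block(old.index, old.prev_hash, new_payload)
    return Chain(blocks)


def deleted_copy(chain: Chain, index: int) -> Chain:
    """Copy of the chain with one block removed (a 'deletion' done on-chain)."""
    return Chain([b for b in chain.blocks if b.index != index])


def _commitment(salt: str, record: Dict[str, Any]) -> str:
    return sha256_hex((salt + json.dumps(record, sort_keys=True)).encode())


def commit_record(chain: Chain, off_chain: Dict[str, Dict[str, Any]],
                  record_id: str, record: Dict[str, Any]) -> str:
    """Store the personal record off-chain; write only a salted commitment to the chain.

    The random salt matters: a bare hash of low-entropy data (a name, an ID number)
    could be matched by hashing guesses, which would re-identify the data subject.
    """
    salt = os.urandom(16).hex()
    commitment = _commitment(salt, record)
    off_chain[record_id] = {"salt": salt, "record": record}
    chain.append({"record_id": record_id, "commitment": commitment})
    return commitment


def record_matches(off_chain: Dict[str, Dict[str, Any]], record_id: str, commitment: str) -> bool:
    """Check that the off-chain record still matches what the chain committed to."""
    entry = off_chain.get(record_id)
    if entry is None:
        return False  # record has been destroyed; the commitment alone reveals nothing
    return hmac.compare_digest(_commitment(entry["salt"], entry["record"]), commitment)


def forget_record(off_chain: Dict[str, Dict[str, Any]], record_id: str) -> None:
    """Honour a deletion request: destroy the record and its salt; the chain is untouched."""
    off_chain.pop(record_id, None)


if __name__ == "__main__":
    ledger = Chain()
    ledger.append({"from": "A", "to": "B", "note": "constructed transfer"})
    ledger.append({"from": "B", "to": "C"})
    print("intact:", ledger.verify())
    print("after on-chain edit:", altered_copy(ledger, 1, {"from": "A", "to": "B", "note": "edited"}).verify())
    print("after on-chain delete:", deleted_copy(ledger, 1).verify())
    store: Dict[str, Dict[str, Any]] = {}
    c = commit_record(ledger, store, "subject-1", {"name": "Example Person"})
    forget_record(store, "subject-1")
    print("chain still intact after forgetting:", ledger.verify(), "record gone:", not record_matches(store, "subject-1", c))
```

Removing the newest block is the one case `verify()` cannot catch on a single copy; on a real distributed chain it is the other nodes’ copies that reject such a truncation. The commitment pattern is not a substitute for a retention policy under section 14: the salt and the record must actually be destroyed together, and whatever remains on the chain must be shown not to identify the data subject.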


Raisa Cachalia

Raisa has a BA (law) LLB LLM (commercial law) (all cum laude). She was admitted as an attorney in 2013 after having completed articles at Bowman Gilfillan, and proceeded to take up a position as research clerk to Justice Zondo and Justice Froneman at the Constitutional Court. Raisa specialises in constitutional law and administrative law, which incorporates public procurement law and general regulatory advice. She is currently working as a researcher at the South African Institute for Advanced Constitutional, Public, Human Rights and International Law, a Centre of the University of Johannesburg. She joined Caveat Legal in 2014.

Taryn Hirsch

Taryn has a BA and LLB and was admitted as an attorney in 2003 after having completed her articles at Deneys Reitz (now Norton Rose Fulbright). She rose to the level of director in Deneys Reitz’ banking and financial services department by 2007, before moving to Allen and Overy in Tokyo for a year. On her return, she joined Allan Gray, where she worked in various legal advisory positions before joining Caveat Legal in 2016.