Caveat Legal, a law firm in South Africa, notes that in the wake of the Panama Papers and with growing instances of data breaches and identity theft, software developers need to show that they are taking privacy seriously.

The proliferation of digitised-storage of data has moved global attention to the blockchain – the technology that underpins the cryptocurrency, Bitcoin. While the future of Bitcoin is uncertain, many are saying that blockchain technology will revolutionise the way in which individuals and businesses transact and store information in today’s digitised world. The full potential of the technology is, however, almost impossible to predict. It could, for example, be used to store large quantities of personal data but it is unclear what effect this would have on the right to privacy and compliance with the partially in force Protection of Personal Information Act, 2013 (POPI).

The relationship between the blockchain and personal information

One of the biggest selling points of a public blockchain (like the one underpinning Bitcoin) is that the data stored within it cannot be tampered with or altered and is therefore immutable. But this may also be its biggest drawback: individuals and business may not want all of their information to be stored permanently on a public platform. In theory, any record that can be stored electronically and recognised by a computer could be stored on a blockchain with the potential to be used by a wide range of players (governments, financial institutions, individuals and businesses) and for a variety of uses (‘smart contracts’, money transactions, the creation of land registries or data-storage for academic/professional qualifications, medical records or criminal records). However, the irreversibility and inalterability of the data suggests that blockchain technology may not be well suited for storing personal information in the South African context.

The right to privacy and data protection under POPI

POPI regulates the processing of personal information, with both concepts being exceptionally widely framed. Anything that is done with information about a person will be regulated by POPI and compliance with the 8 conditions for the lawful processing of personal information will be mandatory once the act is fully operational. The consequences of non-compliance are severe. And if one is dealing with ‘special personal information’ (such as a person’s health-related information, criminal history or information pertaining to a child) then the requirements are even more onerous.

Given the stringent regulatory requirements of South Africa’s data laws, using a blockchain is likely to be problematic from a POPI perspective, for two key reasons:

1. Storage and retention

Section 14 of POPI prohibits the storage and retention of personal information for any longer than is necessary. And any personal information must also be capable of being deleted or destroyed in a manner that prevents reconstruction. This resonates particularly with international trends in favour of recognising a right to be forgotten – a subset of the right to privacy. The idea has attracted much international attention since the European Union (EU) judgment in Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, which affirmed the existence in the EU of a right to have personal data deleted from search engines on request, or put differently, a right to have that data forgotten where there is no public-interest justification for its continued visibility/accessibility to the public.

2. Updating personal information

Section 16 of POPI requires that reasonable steps be taken to ensure that any personal information is complete, accurate, not misleading, and updated where necessary. Section 24(1) allows a data subject, on request, to have any information corrected, deleted or destroyed. Utilising a blockchain to store personal information may not be bad for privacy, particularly in light of the ability to customise and design private blockchains to meet a range of needs. For example, the rules of a specific private blockchain can allow for deletion, alteration or updating of data (using smart contracts).

As far as public blockchains go, the Bitcoin blockchain is pseudonymous and uses an address rather than the name of the user, so any private information is depersonalised. However, the difficulties associated with irreversibility and inalterability suggest that public blockchains – by their nature – are not necessarily suited to the storage of personal information. In the end, it will all come down to how blockchains are designed; and anyone experimenting with this technology should carefully consider its implications.

Sources

• POPI COMPLIANCE: CAN PERSONAL INFORMATION BE STORED ON A BLOCKCHAIN?