Introduction
On 18 July 2022, the Personal Data Protection Commission (“PDPC”) launched the Guidance on Personal Data Protection Considerations for Blockchain Design (“Guide”) to help organizations with blockchain adoption.
The guide provides principles and assessments for how to comply with the Personal Data Protection Act 2012 (“PDPA”) when deploying blockchain applications that process personal data. It also provides guidance on data protection by design (“DPbD”) so that organizations can manage customers’ personal data more responsibly. In particular, it looks at:
- Considerations and recommendations for personal data on permissionless blockchain networks;
- Considerations and recommendations for personal data on permissioned blockchain networks; and
- Using off-chain approaches to further reduce the risk to the protection of personal data on both permissionless and permissioned networks.
In the appendix, it also covers the development of a data protection management programme (“DPMP”) for blockchain operators.
The guidance will be relevant for organizations that:
- Manage, configure and operate blockchain networks and consortia (i.e. blockchain operators);
- Design, deploy and maintain applications on blockchain networks (i.e. application service providers); and
- Use blockchain applications (i.e. participating organizations).
In this update, we elaborate on the main points of the guide. Although largely focused on blockchain technology, some of the guide’s principles and recommendations may be applicable to other distributed ledger technologies (“DLTs”) too.
Background and limitations
“DLT” is an umbrella term for a “ledger shared across a set of DLT nodes and synchronized between DLT nodes using a consensus mechanism”. The term “blockchain” refers to a specific subtype: a “distributed ledger of verified blocks organized into an append-only, sequential chain using cryptographic links”.
Businesses and organizations worldwide are beginning to deploy DLTs in finance and supply chain management applications. Some of these applications may store personal data in these blockchain networks.
While blockchains are a type of DLT, there are differences in how DLTs and blockchains store and transfer data compared to centralized systems. For organizations planning to adopt blockchain, the bulk of the data will still be stored and managed by traditional database management systems. Consequently, organizations may be uncertain about how blockchain applications can be designed to comply with personal data obligations under the PDPA.
The guidance aims to aid blockchain adoption by clarifying how to comply with the PDPA when deploying blockchain applications that process personal data.
The PDPC has also published an infographic to summarize four broad takeaways from the guide:
- Anticipate potential compliance issues when planning to store personal data on blockchains.
- Do not store any personal data on-chain on a permissionless blockchain, whether obfuscated, encrypted or anonymized.
- Encrypt or anonymize all personal data written on-chain on a permissioned blockchain.
- Use off-chain approaches to further reduce privacy risks on permissionless or permissioned blockchains.
Important points
(A) Considerations and Recommendations for Permissionless Blockchain Networks
By way of background, the guide classifies blockchain networks based on whether they contain a permission layer which allows an entity or consortium of entities to place technical and contractual controls on: (i) who can join and participate in the network; and (ii) what those participants can do on the network.
Permissionless blockchain networks generally allow anyone (i.e. the public) to host nodes and read or write data on the network anonymously. Consequently, data written on the chain can be hosted by multiple nodes residing in different jurisdictions, and can be accessed by any entity participating in the permissionless network. As a result, liability and immutability issues pose a higher risk of non-compliance with the PDPA.
The PDPC considers any personal data published in clear text on a permissionless blockchain to be a form of public disclosure. Personal data must only be written on a permissionless blockchain if consent has been obtained from the individuals concerned, or if the data is already publicly available.
The baseline recommendations are:
- Application Service Providers (“ASPs”) should design their applications so that no personal data controlled by participating organizations is written on the chain, whether in clear text, encrypted or anonymized form.
- Likewise, participating organizations should avoid business use cases that require uploading personal data on-chain in plaintext, encrypted or anonymized forms to a permissionless blockchain.
(B) Considerations and Recommendations for Permissioned Blockchain Networks
Unlike permissionless networks, permissioned blockchain networks typically have blockchain operators who can limit participation in the network to known and authorized participants. Participants are typically required to enter into a consortium agreement, which establishes a layer of contractual controls to complement technical controls, mitigating some of the liability and immutability issues faced in permissionless networks.
The baseline recommendations are:
- All personal data written on-chain should be encrypted or anonymized, and access (e.g., decryption keys or identity mapping tables) should only be granted to authorized participants with a business purpose for the data.
- Blockchain operators should implement and effectively enforce legally binding consortium agreements or contracts to ensure PDPA compliance by participants with clear obligations to the controller or data processor.
- Blockchain operators should ensure that technical measures, supplemented by contractual and operational controls, are implemented to enable compliance with other PDPA obligations (e.g. protection, rectification and retention limitation obligations).
- Blockchain operators should also regularly review these technical measures to ensure that industry-recognized standards, algorithms and practices are used; policies and processes are put in place to securely manage and protect the relevant keys (such as decryption and encryption keys); and that technological developments are continuously monitored to ensure that the protective measures are still relevant.
(C) Off-chain approaches to reduce risk
Instead of writing personal data on-chain, organizations can consider off-chain approaches that store personal data in centralized data stores, while only writing representations of the personal data on-chain.
This can be achieved through the following:
- ASPs should design their applications so that personal data is stored in an off-chain database or data store where traditional access control mechanisms can be implemented.
- Only a hash of the personal data or a hash of the link to the off-chain database should be written on the chain. The hash can be used as a digital signature to immutably verify the integrity of the underlying data.
- Hashes generated should be reasonably strong (e.g., use industry standard algorithms and incorporate a salt) to prevent attackers from using precomputed tables to derive the data hashed, especially data that follows predetermined formats such as NRIC numbers.
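The off-chain pattern described above, as an added example that is not part of the guide or any PDPC material: the personal data and a random per-record salt live in an access-controlled off-chain store, only the salted hash is appended to the ledger, and the ledger entry is later used to verify that the off-chain record has not been altered. It also shows, on a deliberately tiny constructed identifier format (a letter plus four digits, not the real NRIC scheme), why an unsalted hash of fixed-format data offers no protection: every possible value can be hashed in advance and matched, whereas the salted commitment cannot. The in-memory dictionary standing in for the off-chain database and the plain list standing in for the chain are assumptions of this example.

```python
"""Off-chain personal data, on-chain salted hash commitment (added example)."""
import hashlib
import hmac
import secrets

# Constructed identifier format for the demonstration: "T" + 4 digits.
# NOT the real NRIC format; kept tiny so the precomputation is instant.
ID_PREFIX = "T"
ID_DIGITS = 4


def plain_hash(value: str) -> str:
    """Unsalted SHA-256. Anyone who can enumerate the format can match it."""
    return hashlib.sha256(value.encode()).hexdigest()


def salted_hash(value: str, salt: bytes) -> str:
    """SHA-256 over a random per-record salt followed by the value.

    The salt never goes on-chain; without it the commitment cannot be
    matched against a precomputed table of candidate values.
    """
    return hashlib.sha256(salt + value.encode()).hexdigest()


def build_precomputed_table() -> dict:
    """Hash every identifier in the constructed format once, keyed by digest."""
    table = {}
    for n in range(10 ** ID_DIGITS):
        candidate = f"{ID_PREFIX}{n:0{ID_DIGITS}d}"
        table[plain_hash(candidate)] = candidate
    return table


class OffChainStore:
    """Stand-in for the access-controlled off-chain database (assumption)."""

    def __init__(self) -> None:
        self._records: dict = {}  # record_id -> (value, salt)

    def add(self, record_id: str, value: str) -> str:
        """Store the record with a fresh salt; return the commitment for the chain."""
        salt = secrets.token_bytes(16)
        self._records[record_id] = (value, salt)
        return salted_hash(value, salt)

    def get(self, record_id: str):
        return self._records.get(record_id)

    def overwrite(self, record_id: str, value: str) -> None:
        """Change the stored value but keep the salt (models tampering/corruption)."""
        _, salt = self._records[record_id]
        self._records[record_id] = (value, salt)

    def erase(self, record_id: str) -> None:
        """Retention limitation: drop value and salt; the on-chain hash stays but is inert."""
        self._records.pop(record_id, None)


class Chain:
    """Stand-in for the append-only ledger (assumption): (record_id, commitment)."""

    def __init__(self) -> None:
        self._entries: list = []

    def append(self, record_id: str, commitment: str) -> None:
        self._entries.append((record_id, commitment))

    def lookup(self, record_id: str):
        for rid, commitment in self._entries:
            if rid == record_id:
                return commitment
        return None


def verify_integrity(chain: Chain, store: OffChainStore, record_id: str) -> bool:
    """True only if the off-chain record still matches its on-chain commitment."""
    record = store.get(record_id)
    expected = chain.lookup(record_id)
    if record is None or expected is None:
        return False
    value, salt = record
    return hmac.compare_digest(salted_hash(value, salt), expected)


def demo() -> dict:
    """Run the scenario end to end and return the observations."""
    store, chain = OffChainStore(), Chain()
    sample_id = "T0042"  # constructed sample value, not a real identifier
    commitment = store.add("rec-1", sample_id)
    chain.append("rec-1", commitment)
    table = build_precomputed_table()

    result = {
        "integrity_ok": verify_integrity(chain, store, "rec-1"),
        "plain_hash_reversed": table.get(plain_hash(sample_id)),  # found
        "salted_hash_reversed": table.get(commitment),            # None
    }
    store.overwrite("rec-1", "T0043")
    result["tamper_detected"] = not verify_integrity(chain, store, "rec-1")
    store.erase("rec-1")
    result["after_erasure_unverifiable"] = not verify_integrity(chain, store, "rec-1")
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Two design points worth noting: the salt is per record and random, so two records holding the same identifier produce different commitments and cannot be correlated on-chain; and erasing the off-chain record (value plus salt) leaves an on-chain digest that can no longer be linked to anyone, which is how the off-chain approach reconciles ledger immutability with the retention limitation obligation.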
(D) Develop a data protection program for blockchain operators
To promote awareness and accountability over personal data among all blockchain participants, a blockchain operator should implement a DPMP. The DPMP should include the following actions:
- Establish an oversight committee for the blockchain consortium where relevant;
- Ensure that the Data Protection Officer for each Consortium Participant oversees proper PDPA compliance;
- Set guidelines and rules to determine the roles, responsibilities and rights of each participant in the blockchain application. Where possible, legally binding mechanisms should be used to make all participants adhere to these guidelines as a prerequisite for joining the network;
- Conduct a Data Protection Impact Assessment (DPIA) to identify and assess potential risks to personal data in the blockchain network and application; and
- Regularly review guidelines and processes for data protection and cyber security to ensure their continued relevance in light of changes in technology, industry best practice and regulations.
Final words
The guide provides welcome guidance to organizations wishing to ensure that their blockchain applications will comply with their PDPA obligations. It will continue to be updated and revised regularly, as it is intended to be a living document. However, organizations should note that its recommendations do not ensure compliance with other data protection or privacy laws, such as the EU General Data Protection Regulation (GDPR).