KVKK-Compliant Blockchains

Introduction

With their strict data protection requirements, Turkish lawmakers apparently require blockchain software companies to square the circle. Inventors of data protection-compliant blockchains need suitable solutions.

When people mention blockchain and personal data protection laws (GDPR or KVKK, the Personal Data Protection Law of Turkey), the right to be forgotten and the erasure of data are always controversial. The immutability and thus the decentralized nature of the blockchain suddenly stood in the way of its use.

One right, another duty

As is known, KVKK and GDPR give data subjects the right to information, the right to correction, the right to be forgotten (which is specific to GDPR) and the right to data portability with regard to personal data. Last but not least, it is important to implement the latest mechanisms to ensure cybersecurity and data portability.

A KVKK-compliant blockchain must, therefore, have the ability to destroy personal data, if available, and, if necessary, to undo on-chain log entries. This ability must be consistent with the principles of decentralization and the immutability of the transaction log. 

In addition, the question of who should control the legality of the required modifications remains open. A central regulatory body for a supposedly decentralized blockchain? Would public blockchains be strictly prohibited?

Depending on the technical design of a specific blockchain solution, companies may be required to carry out a data protection impact assessment in accordance with KVKK. This is only necessary, according to the KVKK Board, if the new technology – for example the blockchain – is combined with another processing factor that would increase the data processing risk to a high level. How to judge the latter is a matter of discretion. There is a high level of legal uncertainty in the blockchain scene.

In the United States, the right to the verifiability of data is coming to the fore in the discussion about the desirable properties of a blockchain. With a blockchain that forgets nothing, the Americans have no problems. This way of thinking regards the public availability of data as fundamentally desirable, unless it is subject to sector-specific data protection requirements, such as in the case of the financial industry or the healthcare system. The resulting patchwork of industry-oriented regulations is incomprehensible to normal consumers.

In practice, any blockchain solution that wants to be universally applicable must comply with the stricter Turkish data protection laws.

The blockchain should be understood as a “shared and synchronized digital database”, which is “managed and distributed across several network nodes” by a consensus algorithm. However, obliged parties should continuously improve their organizational and technical controls in order to reduce the risks associated with their activities. In a blockchain system, no one could be single-handedly required to act as a “data controller” for data protection. As a rule, many parties are involved in maintaining a blockchain, so the problem unfortunately arises.

In contrast to the Turkish authorities, the European Union proposes some logical solutions.

This year (i.e. in 2020) the EU wants to close existing gaps in the GDPR framework with the ePrivacy Regulation and clarify doubts about contradicting wording. The ePrivacy regulation does not need to be transposed into national law; it becomes effective in all member states immediately after its entry into force. It is intended to replace the E-Privacy Directives of countries. 

With its first draft, the EU Commission hit a wall in discussions with the member states, had to reject it at the end of last year, and now wants to make a new attempt at the ePrivacy Regulation. Observers expect a new draft in June 2020 at the earliest. This is very encouraging.

There is already a high level of uncertainty among European SMEs in connection with the GDPR. If large companies such as Facebook, IBM or Google, which have comparatively unlimited IT budgets, do not take concrete measures to implement the GDPR correctly, what should smaller companies do?

Actually, the cost-benefit ratio is completely unbalanced with GDPR or KVKK. On the one hand, consumer data protection has not been significantly strengthened; on the other hand, legally compliant data processing is becoming increasingly complex from an economic perspective. The availability and usability of data are “increasingly essential for a company’s economic success”.

Conclusion

With data protection regulations, the EU legislator has questioned the decentralized, self-governing nature of the blockchain. Blockchain platforms have to open completely new pages to meet European data protection requirements. I hope Turkish regulators (the Personal Data Protection Authority) may offer a solution like that.
