The problem with public permissioned ledgers is not the concept, but that they allow individuals to write to the ledger. This means that the ‘Holy Grail’ of data, Personal Data, or worse, Sensitive Personal Data, can be entered onto a public permissioned ledger by an individual in the network, unbeknownst to the creator of the ledger, who is now processing personal data.
With a public permissioned ledger structure, one central governance body appoints supervisors or affiliate companies to run nodes on the ledger, which together act as the policing authority or overall governance framework for the content on the ledger. In Self-Sovereign Identity frameworks, the nodes on the ledger govern the public DIDs which are written to the ledger which generally provide public information about what information companies will issue credentials for.
For this reason, it can be suggested that in public permissioned ledgers, the company which creates the ledger is a designated data controller for the Personal Data written to the ledger. This is a significant burden for a company because it shifts liability for a data breach directly into its hands. Furthermore, the creator of the ledger will be responsible for actioning the data subject rights of an individual, such as the right to be forgotten. This is technically almost impossible to carry out once Personal Data has been written to the ledger, and might require rewriting history and forking the ledger, as happened after the DAO hack on Ethereum.
Furthermore, the European Parliamentary Research Service highlighted that the companies which act as stewards use the ledger for their own purposes and, therefore, pursuant to the case of Wirtschaftsakademie Schleswig-Holstein, are data controllers as well. Consequently, these joint controllers must, pursuant to Article 26 GDPR, conclude legal agreements setting out the respective responsibilities of each party.
I am also of the opinion that the individual who acts as a data subject in this circumstance is also a data controller for the data about themselves. The European Parliamentary Research Service declines to address this explicitly and concedes that DLT architecture may compel them to answer the question explicitly in the future. They do however note that the notion of an individual being a data controller for their own data goes against the broader underlying objective of the GDPR to some extent.
A deep dive into the fundamental data protection law around individuals in a Self-Sovereign Identity framework will be the subject of a later article. The crux of this article is that public permissioned ledgers can lead to complex data protection issues because of the potential for Personal Data to be written to the ledger by an individual. Although companies working in this area state that Personal Data should never be written to the ledger, they are nonetheless making contingency plans because Personal Data could be written to the ledger. Therefore, companies becoming supervisors or affiliates of public permissioned ledger technology need to take into account that at some point they may have data controller obligations, despite only minimally affecting the purposes and the means of the data processing.
Unlike public permissioned ledgers, private permissioned ledgers such as Corda only give specific companies access to write to the ledger, and what is written to the ledger is reviewed by the governance body. For this reason, no Personal Data will be written to the ledger. Only entity public DIDs, DID documents and credential schemas will be on-ledger. All Personal Data and information will be stored off-ledger, either in an individual’s credential repository or in a decentralised identity hub.
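One way a governance body could enforce the rule just described (only authorised entities write, only DID documents and credential schemas go on-ledger, and no Personal Data is accepted) is a pre-write review gate. This is an added illustration, not code from Corda or any SSI project; the writer DIDs, the personal-data key list and the schema shape are assumptions.

```python
import re

# Governance allow-lists. The writer DIDs are hypothetical values.
AUTHORISED_WRITERS = {"did:example:acme-bank", "did:example:uni-registrar"}
ALLOWED_TYPES = {"did_document", "credential_schema"}
# Attribute names that indicate personal data in a DID document (illustrative, not exhaustive).
PERSONAL_KEYS = {"name", "givenname", "familyname", "email", "birthdate",
                 "dateofbirth", "address", "phone", "nationalid"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def find_personal_data(obj, path="$"):
    """Walk a JSON-like object and return the paths that look like personal data."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.replace("_", "").lower() in PERSONAL_KEYS:
                hits.append(f"{path}.{k}")
            hits += find_personal_data(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_personal_data(v, f"{path}[{i}]")
    elif isinstance(obj, str) and EMAIL_RE.search(obj):
        hits.append(path)
    return hits


def review_submission(writer_did, obj_type, payload):
    """Pre-write gate run by the governance body. Returns (accepted, reasons)."""
    reasons = []
    if writer_did not in AUTHORISED_WRITERS:
        reasons.append("writer is not an authorised entity")
    if obj_type not in ALLOWED_TYPES:
        reasons.append(f"object type {obj_type!r} is not permitted on-ledger")
    elif obj_type == "did_document":
        # The document must describe the submitting entity, not a person.
        if payload.get("id") != writer_did:
            reasons.append("DID document id does not match the writer")
        for p in find_personal_data(payload):
            reasons.append(f"personal data at {p}")
    elif obj_type == "credential_schema":
        # A schema may list the attribute *names* an issuer will attest to,
        # but must never carry attribute values (those are credential data).
        attrs = payload.get("attrNames")
        if not isinstance(attrs, list) or not all(isinstance(a, str) for a in attrs):
            reasons.append("schema must list attribute names only")
        if set(payload) - {"name", "version", "attrNames"}:
            reasons.append("schema carries fields beyond name/version/attrNames")
    return (not reasons, reasons)
```

A rejected submission never reaches the ledger, so the right-to-be-forgotten problem described above does not arise for that data.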
The subtle difference between these two architectures is a large difference for current data protection law. If no Personal Data is processed on the ledger then companies running nodes on Corda will not need to worry about data breaches other than in their own internal source systems. Furthermore, data breaches internally should be reduced as the quantity of data stored can be minimised over time. This is because companies will issue credentials to individuals and can rely on those credentials as single points of trust.
Ultimately, a movement towards Self-Sovereign Identity is a welcome one only if it is carried out in the correct way. Personal Data should never be allowed to enter a distributed ledger environment. If it does, the benefits that the technology provides will not outweigh the data protection negatives which may arise. As a result, private permissioned ledgers should pave the way towards a self-sovereign future. This is not because public ledgers are a bad idea in principle, but because individuals cannot be trusted not to create public DIDs containing personal data in practice.