Over recent years, the extent to which our privacy has been eroded has become increasingly apparent. From the Snowden revelations in 2013 to the Cambridge Analytica scandal of 2018 to near-daily headlines of hacks and leaks – privacy has become one of the most heated topics of our times.
In response to the challenge, governments around the globe are now introducing more stringent regulations governing how data is managed, creating a significant compliance burden for firms.
A Tidal Wave of Privacy Legislation
The EU General Data Protection Regulation (GDPR), introduced in 2018, is the most far-reaching legislation to date, covering 500 million citizens. Rather than limiting the scope of the regulation to firms and data within EU countries, legislators extended the scope to cover any data relating to EU citizens and residents anywhere in the world. This means that a US firm is in scope of the regulation if it processes or controls data for any person in the EU.
The US itself has yet to implement any data privacy legislation at the federal level. However, several states have taken their own measures to protect residents’ data. Vermont was the first in 2019 with its Data Broker Regulation, followed by the California Consumer Privacy Act, which came into force in January 2020. Virginia will be next up, with the Virginia Consumer Data Protection Act taking effect in January 2023, and Colorado’s Privacy Act will follow by July.
In 2020, New Zealand and Brazil passed their own versions of data privacy laws. India was set to enforce a 2019 bill this year, although the government has delayed it so far. However, Singapore’s Personal Data Protection Act came into force in February, followed by Thailand’s identically named law in June.
China is the latest to follow suit with its Personal Information Protection Law. It’s comparable to the EU GDPR in scope, but the short implementation period – announced in August to come into effect by November – has left firms scrambling to ensure compliance by the deadline.
Canada also seems set to overhaul its privacy legislation, although it’s still subject to confirmation.
A Moving Target
Even after a company has managed to put in place all the necessary controls and documentation to demonstrate compliance, the job is never finished because legislation is always being updated. For instance, following the landmark “Schrems II” data privacy ruling, EU lawmakers introduced a new set of Standard Contractual Clauses that put the onus on firms to conduct an impact assessment each time data is transferred to a jurisdiction outside the EU. Companies in the UK now also face an overhaul as the nation seeks to extricate itself from EU laws following Brexit.
A further complicating factor is that many firms now have external parties handling a significant amount of their data. Cloud partners, SaaS providers, outsourced services such as payroll or accounts payable – all create an additional burden on firms to ensure that all data trails across all relevant jurisdictions comply with the regulations.
In response to the challenge, firms are now turning to external services to help them navigate the complexity. While some resources, such as UNCTAD, are free, many companies end up spending significantly on external law firms or other third parties to ensure compliance.
How Decentralized Solutions Help Compliance
Decentralized solutions could be the answer. The Covid-19 pandemic was an interesting case study, where for a short time, debate raged over the best approach to implementing a track and trace app. Eventually, governments, including those in France and Germany, advocated a decentralized solution where location and tracking data was stored locally on a user’s device, communicating with other devices on a peer-to-peer basis.
Such a solution removes the need for central data storage and reduces the risks of hacks, leaks, or abuse of such data in future. In addition, it avoids many of the complexities inherent in complying with data protection laws.
Blockchain has been widely touted as an enabler of self-sovereign identities, allowing anyone to store their personal data in an encrypted wallet and decide who has access to it on a case-by-case basis. However, existing solutions based on concepts like zero-knowledge proofs remain experimental and complex; since they are also application-specific (i.e. cannot be extended across platforms), this complexity has been a serious barrier to adoption.
Beyond identity management, firms in many sectors may wish to compute aggregate statistics from user data. A smart watch manufacturer may wish to know the average length of time that runners wear their device to decide the size of the battery required for future products for example.
For both scenarios mentioned above, trusted execution environments (TEEs) combined with an on-chain registry for auditability offer a solution. A TEE is a secure, isolated hardware environment that can process data without giving anyone, even system admins, access to the underlying dataset.
Integritee’s blockchain-based registry provides a decentralized TEE verification system based on the Polkadot platform. This approach provides clear benefits for both users and firms operating data-driven services. Users have verifiable evidence on the blockchain that their data is only being processed in an isolated and secure hardware environment. Firms can continue to operate data-driven services and benefit from aggregated, anonymized data analytics while removing a significant part of their compliance burden.
The current approach to data protection has evolved based on centralized systems. Decentralized, secure processing environments offer a compelling alternative, enabling firms to provide regulators and consumers with an assurance of privacy in any jurisdiction.