Keeping it real: Implications of blockchain technology on privacy obligations

09 April 2019

The LA Kings of the NHL recently launched an augmented reality ("AR") "authentication app", which it describes as an "augmented reality blockchain authentication platform" to help consumers validate the authenticity of approved merchandise and memorabilia purchased from the team or affiliated sellers.

The app allows fans to use their phone camera to scan a sticker attached to the product and confirm whether the product is registered as an authentic item. If confirmed, the app can then play multimedia messages recorded by prominent Kings personnel, including hall of famer Luc Robitaille.

AR in a consumer app makes sense. It has become increasingly ubiquitous in mainstream applications, with virtually everyone having a device with a camera and some networking capability. The use-case for consumers is easy to imagine.

The use of blockchain technology, which is as much a buzzword as AR, may be the more interesting feature. Blockchain can help heighten security by ensuring the reliability of information, but it does not necessarily otherwise protect the data from scrutiny.

Developers of platforms utilizing blockchain technology should be aware that responsibilities under applicable legislation and the risk of liability in common law are not diminished because of the use of such technology.



Blockchain technology does not necessarily protect personal information during a breach

It is unclear from the press release and related coverage how blockchain technology is utilized in the LA Kings app, but given one of its purposes is to help authenticate merchandise, it is reasonable to assume blockchain technology plays some role in the app's verification functionality. A blockchain ledger may be well suited for verification. However, the use of blockchain technology does not necessarily mean the user data is more protected.

Blockchain is based on the idea of a ledger hosting information that can be robustly verified.[1] It is the backbone supporting various cryptocurrencies, including bitcoin. It prevents bad actors from unilaterally changing information on the ledger. However, it is not, by design, intended to hide information that is recorded on the ledger, nor does it reduce the responsibility of hosts under law to protect that information using other safeguards.

It may be that a blockchain ledger is only being used to host a record of verified merchandise and memorabilia, allowing individual users to check whether the code for the product they possess is properly registered. But a blockchain ledger can also host sensitive information such as purchase details or names of registered purchasers, particularly once a user has tracked a purchase through the app. Even if the blockchain ledger only maintains generic product information, the transmission of personally identifiable information from the user to the host server and back creates the risk of breach or interception.

A blockchain ledger will not necessarily restrict the ability to view data, only the ability to modify that data. If personal information is hosted on a ledger, the use of blockchain has little impact on the security of the information itself. In the event of a breach, the fact the data is hosted on a blockchain ledger does not mean it is more protected than it would otherwise be. And if personal information is being recorded, retained, or otherwise implicated in the functionality of the app, a wide host of privacy and data legislation apply.

What kind of liability arises if there is a data breach?

If an organization relying on a blockchain platform suffers a data breach exposing personal information of users, it faces the same potential liabilities as any other organization suffering a similar data breach. Inadequate safeguards can expose an organization to sanctions under privacy legislation, as well as from private action, including class proceedings.

(a) Privacy Legislation

Most jurisdictions have privacy laws applicable to data which is digitally transmitted and stored. Canada is governed federally through the Personal Information Protection and Electronic Documents Act ("PIPEDA"),[2] which applies to all organizations which collect, use, or disclose personal information in the course of a commercial activity,[3] and personal information is defined broadly as anything that can be traced back to an identifiable individual.[4] Some provinces also have separate pieces of privacy legislation which operate in the stead of PIPEDA, but offering similar protections to the federal statute.[5]

Many American states have their own privacy legislation,[6] supplemented by additional federal statutes.[7] The EU has perhaps the most aggressive privacy framework in the world through its General Data Protection Regulation ("GDPR").[8] The applicability of any particular regulation depends on factors including the nationality of the individual to whom the data belongs; the location of the servers; and the location of the hosts.[9]

Liability under the various pieces of legislation varies, as do potential sanctions. Some, such as PIPEDA, contemplate monetary penalties where there is failure to notify of a breach. For instance, under PIPEDA, an organization which knowingly fails to report a breach can be liable for fines up to $100,000.[10] Under the GDPR, an organization can be fined up to 4% of its annual global turnover or 20 million Euros.[11]

(b) Private action

Lawsuits can also arise as a result of a breach. These breaches are amenable to class proceedings because they tend to affect more than one individual, with common circumstances and damages. Whether brought individually or as a class proceeding, a plaintiff may rely on several causes of action, including intrusion upon seclusion, negligence, breach of confidence, or breach of contract.[12]

Conclusion

Developers are finding increasingly diverse uses for blockchain, and the utility of the technology has the potential to add significantly value to the services offered to consumers. However, both users and developers have to be mindful of risks the technology can mitigate and the risks it cannot. Legal obligations to protect personal information are largely unaffected by what technology is being used.


[1] There are many primers available that provide a more thorough explanation of blockchain.

[2] SC 2000 c 5 ("PIPEDA")

[3] Ibid at s 4(1)(a).

[4] Ibid at s 1

[5] Alberta, BC, and Quebec have discrete privacy-related legislation that apply to the private-sector.

[6] https://www.dataprivacymonitor.com/category/state-legislation/

[7] https://www.gsa.gov/reference/gsa-privacy-program/privacy-laws-regulations-and-more

[8] General Data Protection Regulation, Reg (EU) 2016/679 [link] ("GDPR")

[9] GDPR, Articles 2 and 3

[10] PIPEDA, SC 2000, c 5 at s 28.

[11] GDPR, Article 83

[12] As an example, in Tucci v People's Trust Company, 2017 BSSC 1525, the BC court certified a class proceeding brought for a data breach where the litigants alleged those causes of action.


NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.