As someone who has worked in data policy and data protection for 20 years, I read privacy policies for a living.
GDPR is a unified privacy regulation that largely harmonises the various and disparate legal frameworks that cover the more than half a billion European data subjects, or as I prefer to call them, people. GDPR gives specifically articulated rights to people over their data so that the phrase, “you own the data about you” has meaning.
These rights are enshrined in European law but making them actionable has not been simple. Adding complexity to the task is the fact that technology has a habit of changing quickly. It’s well known that technology often leap-frogs ahead of existing regulatory frameworks, leaving legislators and regulators to play catch-up.
Consider the example of blockchain.
Blockchain has existed as a concept since 2008 but it has only recently exploded into public consciousness through the wildly gyrating valuations of cryptocurrencies like Bitcoin. Most people equate blockchain with Bitcoin and cryptocurrency but they are not one in the same. My colleague Sheila Warren, head of blockchain at the World Economic Forum describes blockchain succinctly: “It’s a cryptographically-secured transaction record that’s created without a central authority.” Many technologists believe that blockchain will be more transformational than the internet itself.
Because blockchain relies on a distributed ledger system that is decentralised and immutable, it is intended to be a permanent, tamper-proof record that sits outside the control of any one governing authority. This is what makes it such an attractive and useful technology. But because data stored on the blockchain, including personal data, cannot be deleted, there is no way to exercise the right to erasure that people are granted under GDPR. Blockchain is not designed to be GDPR-compatible. Or rather, GDPR is not blockchain-compatible the way it is written today.
While European policymakers were debating and finalising aspects of GDPR, blockchain wasn’t on most people’s radar. This is yet another example of where regulation is addressing a problem in the rear view mirror rather than looking at the road ahead. This is the nature of most traditional regulation and illustrates how quickly technology shifts, pivots and morphs at a speed much greater than laws and regulations are designed to move. In this case, while we wait for the rules to play catch up, the question we have to ask is whether existing blockchain applications that store personal data are now rendered illegal in Europe until this is sorted..
Government regulation has a critical role to play in creating accountability, ensuring responsible use of data and providing enforcement mechanisms to penalise bad actors. I am not arguing against regulation, nor am I arguing against GDPR. I am arguing instead for a layered and cooperative approach to policy making. We need future-flexible frameworks for governance that allow us to realise the benefits of data and technology while minimising harm. This is much easier to say than to do.
If our collective goal is to ensure a future where we cure cancer in our lifetimes through better medical research, improve infrastructure and service delivery in connected cities, increase crop yields to feed more people, better understand and predict extreme weather patterns, create durable digital identities for refugees and people who have no documentation of their existence, provide more immediate disaster relief in times of crisis - then we will need to use data more than ever before to realise these benefits. Governments must work in collaboration with civil society, academia and the private sector to co-develop policy with a process that is as dynamic as technology. Policy makers and the regulatory processes they use need to be re-imagined to be as nimble as the technology they seek to regulate to help create the future we all want to see.
Anne Toth is head of data policy at the World Economic Forum's Center for the Fourth Industrial Revolution