Blockchain (III): Smart Contracts and personal data

Smart contracts are algorithms that run without human intervention on a blockchain. When their results have a significant impact on natural persons, or produce profiles, the requirements established in Article 22 of the GDPR must be taken into account from the design stage. This implies that, when designing or selecting the blockchain on which a service is deployed, the conditions that lift the prohibition of such processing will have to be determined, and the guarantees and measures that protect the rights of data subjects will have to be incorporated. Those measures shall include at least human intervention by the controller and the possibility for the data subject to challenge the automated decision.

Smart contracts are, along with cryptocurrencies, one of the most widely used and well-known applications of the blockchain. Despite its name, a smart contract is nothing more than a program (an algorithm) that is stored on the nodes of a blockchain and that executes automated decisions. These decisions can be of a financial nature, such as virtual currencies that pass from one user to another, but also of another type, such as managing the data related to the digital identity of a natural person.

Smart contracts can be included in the blockchain by its designers and managers, but they can also be written by anyone who wants to create a new service on a blockchain, for example automatic betting, buying and selling, notarisation, document certification, finance, investment in digital assets, verification of digital identities, etc.

In theory, the smart contract does not access data from outside, and the information it uses is the data stored in the blockchain itself. However, there is an instrument that allows the smart contract to access the world outside the blockchain. This instrument is called an "oracle" and allows the internal states of the blockchain to be updated from information external to it, by making a new transaction. Some "oracles" function autonomously and are even offered as third-party services. When a transaction is made on a smart contract, events can be generated that leave a record (logs) in the blockchain with information additional to the transaction itself; this record is accessible and can be consulted and used by external applications.

In turn, sometimes even the decision of when these smart contracts are executed is beyond the control of any natural person. In these cases, the programs run automatically when transactions are made on them upon detecting that an event has occurred, such as a change in the blockchain or outside it, or the execution of a previous transaction.

As mentioned, the result of a smart contract is reflected in a change in the state of the information stored in the blockchain, which in turn is automatically recorded on the same blockchain. These changes can cause other smart contracts to be executed in cascade, or could even cause smart contracts of different services or blockchains to be executed (there is always a transaction that initiates the process).

A smart contract is designed to remain invariant once deployed and validated in the blockchain, since otherwise it would produce a detectable inconsistency in the chain. The philosophy underlying the smart contract is, as Lawrence Lessig stated in his book "Code and Other Laws of Cyberspace" in 1999, "CODE IS LAW". This expression, which can be interpreted as "the algorithm is the law", aims to eliminate the human factor in decision-making and make it rest only on a computer program. The goal is thus to create an environment in which human laws and principles, and execution by humans themselves, have no effect.

However, since a smart contract is a computer program made by people, it is susceptible to programming errors, to behaviors unexpected by or unknown to the programmer, and to vulnerabilities. In addition, other elements that make up the blockchain environment, such as the aforementioned oracles, DApps (traditional computer applications that allow people to interact with the blockchain and smart contracts), wallets, exchanges, etc., can be manipulated so that they cause errors in smart contracts.

This circumstance is more common than we might think and can generate a set of fraudulent data that the blockchain governance model does not contemplate correcting. On this last point, when errors in smart contracts have had serious economic consequences, this immutability in the interpretation of smart contracts has been breached. These breaches have had significant impacts because such circumstances had not been foreseen and there were no governance models to manage them. One example is the case known as the DAO Fork of Ethereum: a massive appropriation of assets caused by a programming error forced a human intervention, with the consequent inconsistency and a conflict among the participants in the blockchain that materialized in a fork, separating the blockchain into two different blockchain networks, each with its own cryptocurrency.

It follows from the above that a smart contract can produce automated decisions that could have legal effects on the data subject or affect them significantly, for example economic losses, loss of rights over digital or material goods, fraud of any kind, etc. In turn, the smart contract generates and stores new data about data subjects in the blockchain that could be used, for example, to create a profile of the data subject if digital identity data is being processed.

The very nature of the smart contract, when applied to data of natural persons, falls within the scope defined by Article 22 of the GDPR. This refers to the right of a data subject not to be subject to decisions based solely on automated processing, including profiling, when those decisions have legal effects on them or significantly affect them.

Paragraph 2 of that article provides for three exceptions to that prohibition: consent, the conclusion or performance of a contract between the data subject and a controller, and the existence of an enabling law. In any case, it is necessary to identify a controller for the execution of the smart contract.

Given the nature of a smart contract, the sophistication and complexity it can achieve, and the blockchain environment where it is deployed and executed, it is not straightforward to ensure or affirm the validity of the conclusion of a contract between the controller and the data subject, or that the smart contract can be considered a contract in the strict legal sense. It is also difficult to ensure that the express, unequivocal, specific and informed consent of the data subject to the processing of their data can always materialize, so that it can be considered one of the exceptions allowed in Article 22 of the GDPR.

But even if these exceptions apply in a given case, the same Article 22 of the GDPR obliges the controller to take measures to safeguard the rights of the data subject. The rule expressly specifies at least two safeguards as minimums: human intervention by the controller, and the ability of the data subject to challenge the automated decision. However, other safeguards may also be necessary: data protection policies; governance measures for the service provided; effective exercise of rights beyond the mandatory minimum; protection measures by design and by default; security measures; and the management, notification and communication of personal data breaches based on the risk to the rights and freedoms of data subjects.
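As an added illustration (not code from the AEPD or from any blockchain project), the Python model below shows one way to design in the two minimum safeguards without breaking the immutability described earlier: the automated decision is never rewritten, and the data subject's challenge and the controller's human review are appended as new records that supersede it. `Ledger`, `ReviewableContract`, the score threshold and all identifiers are hypothetical, and the hash-chained list is a simplification of a real blockchain.

```python
import hashlib, json

GENESIS = "0" * 64
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Append-only, hash-chained list standing in for the blockchain (a simplification)."""
    def __init__(self):
        self.entries = []
    def append(self, kind, **data):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"index": len(self.entries), "kind": kind, "prev": prev, **data}
        self.entries.append({**body, "hash": _digest(body)})
        return body["index"]
    def verify(self):  # True only if no stored entry was altered after being appended
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

class ReviewableContract:
    """Hypothetical contract: an automated decision plus the two Article 22 safeguards."""
    def __init__(self, ledger, controller):
        self.ledger, self.controller = ledger, controller
    def decide(self, subject, score):  # automated step, no human involved
        outcome = "approved" if score >= 50 else "rejected"
        return self.ledger.append("decision", subject=subject, outcome=outcome)

    def contest(self, decision_id, caller):  # safeguard: the data subject challenges
        d = self.ledger.entries[decision_id]
        if d["kind"] != "decision" or d["subject"] != caller:
            raise PermissionError("only the data subject may contest this decision")
        return self.ledger.append("contest", ref=decision_id)

    def review(self, contest_id, caller, outcome, reason):  # safeguard: human intervention
        c = self.ledger.entries[contest_id]
        if caller != self.controller or c["kind"] != "contest":
            raise PermissionError("only the controller may review a contest")
        return self.ledger.append("review", ref=c["ref"], outcome=outcome, reason=reason)

    def effective_outcome(self, decision_id):  # history is kept; later records supersede
        state = self.ledger.entries[decision_id]["outcome"]
        for e in self.ledger.entries[decision_id + 1:]:
            if e.get("ref") == decision_id:
                state = "under_review" if e["kind"] == "contest" else e["outcome"]
        return state
```

Anything that acts on a decision would read `effective_outcome` rather than the original record, so a contested decision produces no further effects until the controller has reviewed it.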

All these issues have to be addressed and documented before a blockchain-based service is deployed, within the framework of managing the risks to the rights and freedoms of natural persons, where appropriate by carrying out the impact assessment provided for in Article 35 of the GDPR and, when necessary, the prior consultation with the supervisory authority provided for in Article 36. That is, they must be carried out from the design of the processing and before its implementation and entry into production. It is therefore recommended to review the guidelines prepared by the AEPD for applying the principles of proactive responsibility, which can be found in the Innovation and Technology microsite, among others: