GDPR, CCPA, Blockchain and Renewable Energy: Policy Lagging Behind Technology
Blockchain technology, and its use as a distributed ledger system, has seen a dramatic uptick in commercial use in recent years. The renewable energy sector has followed that trend, applying blockchain technology to some of its most vexing problems. As blockchain solutions become more prevalent, companies should be aware of, and account for, secondary issues that may not be immediately apparent. Interestingly, as companies apply blockchain technology to the renewable energy sector, data privacy—a concept not normally associated with energy technology—may present a problem.
In Spain, WePower uses blockchain technology to directly connect consumers with renewable energy producers, delivering lower energy prices to the consumers. Typically, only larger corporations are able to directly purchase renewable energy because they are able to shoulder the large transaction fees associated with traditional power purchase agreements. WePower solved this barrier to entry for individual and smaller entities by creating a marketplace where renewable energy producers can sell energy directly to consumers through tokenized energy auctions.
The United States has seen companies bring solutions to the renewable energy sector through blockchain technology as well. In California, Power Ledger and Clean Energy Blockchain Network are working on a pilot project for the municipal utility Silicon Valley Power. The project will track the solar energy production and use in a Santa Clara parking garage and tokenize the use of the energy in the garage’s EV charging stations. The California Air Resources Board’s Low Carbon Fuel Standard (LCFS) offers EV charging network operators the ability to sell credits from those EV charging stations to fossil fuel producers. Until the advent of distributed ledger systems, the accounting and administrative process to track and sell these credits had proven too burdensome for the majority of EV charging network operators to capitalize on the program. This pilot will use blockchain technology to collect and track all of the data necessary to receive an LCFS credit with lower accounting and administrative costs, allowing EV charging network operators to sell these credits and gain the maximum economic potential.
While the use of blockchain technology to improve the renewable energy industry has promise, trouble may lie ahead in the form of data privacy laws. The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and the requirements of a similar law in California, the world’s fifth largest economy, the California Consumer Privacy Act (CCPA), will go into effect on January 1, 2020. GDPR states that “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” CCPA states that “a consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” The GDPR’s “right to be forgotten” is essentially the same concept as CCPA’s “right to deletion”. While the CCPA regulation is not as strict as the GDPR regulation, both present the same problem to companies using blockchain technology: how can companies reconcile a decentralized network, built on an immutable ledger purposefully designed to store data permanently, with the right to be forgotten?
The fact that blockchain technology incorporates an immutable ledger, one of the most appealing features of the technology, clashes with the requirements of the right to be forgotten. The immutability of the system means that once data has been written to a block, no one and nothing can change or delete that data. More simply, data stored on the blockchain is permanent. This is an attractive feature for systems that primarily focus on record keeping, but it has troublesome implications for companies deploying blockchain technology in California, the EU and elsewhere.
Any for-profit company, regardless of location, that collects the personal information of California residents is required to comply with CCPA if that company satisfies one of the following criteria: (1) has annual gross revenues in excess of $25,000,000 as adjusted, (2) annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices or (3) derives 50 percent or more of its revenues from selling consumers’ personal information. The pilot project run by Silicon Valley Power would collect and store data from each transaction that occurred at its electric vehicle charging stations. In order to facilitate the sale of LCFS credits, that data would be stored on an immutable ledger. If Silicon Valley Power, and companies that similarly use blockchain technology, were subject to CCPA, they would be faced with the issue that they collect and permanently store the personal information of California residents, who will have a right to compel these companies to delete that data beginning in 2020.
Companies like WePower face a similar problem in the EU. According to GDPR, any “identifiable natural person,” or data subject, can compel a data controller to erase any personal data related to that subject. WePower’s tokenized auctions result in smart contracts being signed to an immutable ledger that contain the personal data of its customers, who are data subjects. As the data controller in this instance, WePower would be obligated to erase the personal data of the data subjects if the data subjects so direct them. As it stands, that would be an impossible task for WePower.
Many in the industry argue that there are ways to alleviate the tension between an immutable distributed ledger and the right to be forgotten by anonymizing data on that ledger. GDPR regulations do not apply to anonymized data that cannot be identified through any means and cannot be reconstituted to its original form. ConsenSys, a company founded by one of the co-founders of Ethereum, produced a report titled “Blockchain and the GDPR” for the European Union Blockchain Observatory and Forum in which it explained that anonymizing data may be the means for blockchain technology to be GDPR-compliant. The report also made clear that this issue has “not been conclusively settled by the data protection authorities, the European Data Protection Board (EDPB) or in court.” According to the Article 29 Working Party’s Opinion 05/2014 on Anonymisation Techniques, encryption and hashing of personal data, the two techniques hypothesized to anonymize personal data on the blockchain, pseudonymize that data but do not anonymize it. The current technology for anonymizing personal data, therefore, does not comply with GDPR regulations, and until it can ensure perfect anonymity this solution remains hypothetical. In short, anonymizing data on the blockchain in order to make blockchain systems GDPR-compliant may in fact be the future but, right now, it is simply pure speculation without any further regulatory guidance.
California and the EU were the first to pass data privacy legislation that includes the right to be forgotten. Other jurisdictions will likely consider data privacy issues like the right to be forgotten in the near future and, with it, be presented with an opportunity to examine the implications of data privacy laws on blockchain technology. Texas is an example of a jurisdiction that has not yet passed regulations regarding the deletion of personal information. In Texas, Grid+, a company owned by ConsenSys, is developing an Ethereum-enabled gateway that will allow consumers to undercut costs of incumbent utilities. Grid+’s platform will smooth energy consumption throughout the day by enabling consumers to arbitrage energy prices using Grid+’s technology. Ethereum smart contracts will provide an accounting layer to the system and also permanently store the personal data of Grid+’s customers. While this does not currently present Grid+ with a problem, future regulations could pose an insolvable dilemma.
As Texas, in this hypothetical, and other jurisdictions begin to consider implementing regulations to protect the personal information of their residents, they have the chance to build in considerations for blockchain technology as they write these regulations. Anne Toth, the Head of Data Policy at the World Economic Forum, wrote that “GDPR is not blockchain-compatible the way it is written today,” and “While European policymakers were debating and finalizing aspects of GDPR, blockchain wasn’t on most people’s radar.” GDPR and CCPA were not crafted to threaten blockchain technology, despite the compatibility issues highlighted here. Instead, these laws are a prime example of policy lagging behind technology. As more jurisdictions draft regulations similar to GDPR and CCPA, it is vital that these jurisdictions create flexible regulations that will protect the rights of individuals and be inclusive of beneficial new technologies. Mintz partners with innovators in the energy industry to provide forward-thinking guidance. As blockchain technology and privacy regulations mature, Mintz will continue to focus its practice on innovation.
For more information, tune in to the upcoming California Consumer Privacy Act Series developed by our colleagues, Cynthia Larose and Brian Lam, and check out the EU General Data Protection Regulation Webinar Series created by Cynthia Larose and Susan L. Foster, PhD.