July 2018 - Blockchain | e-Government | Cybersecurity

doteditorial: Blockchain & E-Government – Giving Citizens Control of Their Data

E-Government is a major driver of blockchain technology. Stephan Zimprich from fieldfisher looks at how the transparency and immutability of blockchain can help give citizens digital self-determination.

E-Government represents one of the main drivers of the recent hype surrounding blockchain. Even without smart contract-based transactional capabilities, blockchain is an ideal technology for digitalizing governmental services for a nation’s citizens. Transparency is a principal competitive advantage for blockchain technology. This is both an essential and a highly desired characteristic of e-government, leading as it does to security and trust, aspects that Professor Norbert Pohlmann from the eco Association elaborates upon in an interview. Transparency is closely linked to the so-called immutability of blockchain, meaning that nothing can be deleted, and every change made is automatically recorded, allowing for full traceability and accountability. Increased efficiency could also be a key motivator for adopting blockchain.

So far, Estonia is at the forefront of the digitalization of government services (see the interview with Taavi Kotka, former CIO of the Estonian Government, “Creating Trustworthy E-Government Services with Blockchain”). Estonia began even before blockchain was actually on the market, using a very similar system as a backbone structure for the administration of citizens' data. There are also private companies that are developing blockchain-based patient record administration systems, such as a Dutch company that offers a service for dental practitioners and their patients. This company also goes further by offering a kind of review system which allows patients to rate their practitioner, with the rating again being put into the blockchain, where it is accessible to other patients. The wide applicability of blockchain is also exemplified in its extension to the logistics sector. In his article “Blockchain Technology: A Modern and Forward-Looking IT”, Martin Przewloka of msg group automative introduces the VERIBOX solution employed in the logistics chain.

Giving citizens control of their data in a blockchain environment

Learning from such models, a striking use case for e-government could therefore be data exchange: creating a central repository of citizen data secured in a blockchain environment, protected by strong encryption, and with the data firmly under the control of permissions provided by the citizen (this topic is taken up by Dieter Rehfeld from regio IT in his call for a European public-sector blockchain, in the article “Government Blockchain Infrastructure – A Chance for Europe”). If we take Germany as an example, there is currently no regular exchange of citizens’ data between different authorities and at different levels of the state. This is partly due to data privacy laws, and it is eminently clear that any centralized database must not be designed in such a way as to allow just anyone working in the state unlimited access to it.

A blockchain-based approach would help solve this problem by implementing a system where the citizen can transparently see who has gained access to a certain dataset. The immutability of blockchain means that it is impossible to delete any action taken with the data stored, making all access to a citizen’s data traceable. If there is no justification for that access, then there have to be repercussions, and the perpetrator must be penalized accordingly.

Use cases for blockchain in e-government

Apart from the transparency that blockchain offers, it also makes it very simple for the citizen to grant permission for a particular use case. This means that if the tax authority needs access to certain data, they can just send a request, and the citizen can give permission on a very granular basis. Citizens have full control over their data, and permission for specific purposes can be granted, revoked, extended, or can expire on a certain date. However, as Volker Skwarek from HAW Hamburg points out, each potential use case needs to be evaluated for the costs of implementing a blockchain solution compared to the costs of problems associated with the current system (see “E-Government on Blockchain: About Obstacles and Chances”).
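
As an added illustration (not code from the article or from any project it mentions), the traceable access record and the grant, revoke and expiry permissions described above can be modelled with a single-writer hash chain standing in for the blockchain. The class, field and authority names are hypothetical, and consensus and encryption are out of scope.

```python
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # 'prev' value of the first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CitizenLedger:
    """Hypothetical append-only log of consent and access events for one citizen."""

    def __init__(self):
        self.entries = []

    def _append(self, kind, authority, dataset, day, **extra):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"kind": kind, "authority": authority, "dataset": dataset,
                "day": day.isoformat(), "prev": prev, **extra}
        self.entries.append({**body, "hash": _digest(body)})

    def grant(self, authority, dataset, purpose, day, expires):
        self._append("grant", authority, dataset, day,
                     purpose=purpose, expires=expires.isoformat())

    def revoke(self, authority, dataset, day):
        self._append("revoke", authority, dataset, day)

    def access(self, authority, dataset, purpose, day):
        # The most recent grant/revoke for this authority and dataset decides.
        last = None
        for e in self.entries:
            if e["kind"] != "access" and (e["authority"], e["dataset"]) == (authority, dataset):
                last = e
        allowed = (last is not None and last["kind"] == "grant"
                   and last["purpose"] == purpose
                   and day.isoformat() <= last["expires"])
        # Denied requests are logged as well, so the citizen sees every attempt.
        self._append("access", authority, dataset, day, purpose=purpose, allowed=allowed)
        return allowed

    def verify(self):
        """Return the index of the first entry that breaks the chain, or None."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None
```

Editing or deleting any stored entry makes `verify()` return the position where the chain stops matching, which is the property that makes every access to the dataset traceable.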

The advantages of digitalizing government services are enormous. There are many use cases where blockchain could help improve processes, such as e-voting, the registration of property, digital identification (see the article “Blockchain for Securing Digital Identities”), the granting and revoking of drivers’ licenses, certification systems (as already being explored in the educational sector; read a summary of the Fraunhofer FIT research report “Blockchain for Education: Lifelong Learning Passport”) and, as in the example already named, the handling of medical data. This last area is one with which Germany at least has been struggling to deal for the last ten years or even longer. There is a lot of bureaucracy involved, as well as many stakeholders, which makes it difficult to agree on a change of system. But it would be very convenient for patients to be able to grant medical practitioners access to medical records on a need-to-know basis, and this benefit would also apply to, amongst others, the social security system and insurance companies.

Blockchain and regulation within the EU

While the benefits of blockchain are easy to argue, the legal status of blockchain-based approaches within the EU is a trickier area. There is sector regulation – like finance regulation, insurance regulation, or the regulation of the energy market – and general regulation, whether flowing from the European Union or the individual Member States, most of which follow traditional structures. This means that there is always a responsible entity, and this responsible entity must fulfill certain requirements – for instance, in the capital markets it is necessary for a bank to have a certain amount of own capital in order to be allowed to operate. Looking at a public blockchain project, there is no such central entity that would bear all this regulatory responsibility. Instead, it consists of a network of peers that have come together in order to make something happen. In the blockchain environment, there is therefore an incompatibility between a regulation that seeks to put all the responsibility onto one legal entity, and the lack of such a central entity. In order to really harness the potential that public blockchains and this peer-to-peer economy have, it will be necessary to find a way to regulate these markets without using these centralized structures any longer. This may well prove difficult because, of course, everyone wants someone to blame if something goes wrong. So this is one example of where sector regulation, or the structure of certain sector regulation, does not really harmonize well with peer-to-peer public blockchain concepts, and new regulatory concepts will need to be developed that support distributed responsibility while at the same time ensuring that the legitimate interests of the public in safety and liability are preserved.

Blockchain and data protection law

A good example of this is the challenge of data privacy. The General Data Protection Regulation (GDPR) is also subject to this centralized structure. There is always a responsible entity, called the controller, who bears certain regulatory responsibility. In a cross-border public blockchain environment which touches multiple jurisdictions even outside of the European Union, there may even be incompatibilities between European regulations and U.S. regulations within one blockchain, because one node may sit in the U.S., and other nodes in the European Union.

The GDPR also imposes consent and regulatory obligations which are difficult to fulfill in a blockchain, or where a blockchain is involved. One example is the right to be forgotten. The GDPR includes the right for data subjects affected by collection and processing of data to demand that their data be deleted, unless there is a legitimate reason for the controller to maintain the data. Given that blockchain is immutable, this is of course an issue. It is not possible to delete, for example, the transactional data related to a particular customer from the blockchain. This would change the blockchain, but the blockchain is immutable, so such a change would destroy the blockchain, or the change wouldn't be accepted by the network.

However, there is always a technical solution, because the GDPR applies only to personal data. Blockchain systems could be designed in such a way that, on the one hand, allows for compliance with certain regulatory requirements, while on the other hand, maintaining the advantages offered by the use of this technology. This could probably be achieved by using different blockchains interacting with each other, such as a main chain and multiple side chains, and by using technologies that allow for anonymization.

Blockchain and IT security

Security in a blockchain is of course a separate issue from transparency and immutability. The blockchain itself is designed not to be manipulable, because the network will not accept a change that is not properly authorized. However, it remains a question of how well individual wallets or encryption keys are protected by the individuals who own the data. Access to the key would enable malicious changes to be made in an authorized manner. Added to this, blockchain-based smart contracts, as software programs, may potentially contain errors in the source code leading to security vulnerabilities (this topic is discussed by Prof. Alexandra Dmitrienko in the video interview “Securing Smart Contracts” and by Dr. André Kudra from esatus AG, in his article “Smart Contract Security – Expect and Deal with Attacks”). This means that blockchain cannot replace IT security. IT security will, rather, remain an essential component of the digitalization of governmental services, just as much as in the private sector.

Stephan Zimprich is a lawyer in the intellectual property and media team of Fieldfisher's Hamburg office with six years of experience in advising clients, ranging from start-up size to multinational market leaders in the fields of copyright, media and broadcasting regulation, and data protection. The main focus of his work lies in the area of digital content distribution and data-driven business models such as targeted advertising and mobile advertising. He has a particular expertise in the online travel sector, where he advises international clients from Europe and the US in the fields of data protection, advertising, and travel regulation, as well as general commercial law, including cross-border co-operations.