Companies involved in global supply chain services are becoming increasingly interested in blockchain technology and how the use of this technology can enhance efficiency and security within the supply chain. Blockchain-based applications have enormous potential to transform transportation and logistics operations in the United States and worldwide.
Last month at Transparency 18 in Atlanta, approximately 40 companies performed demonstrations for supply chain stakeholders from around the world exhibiting how software using blockchain and other disruptive technologies could enhance supply chain efficiency. In addition to private stakeholders, government agencies, such as various customs authorities, have expressed interest in using blockchain technology as a foundational element for more robust trusted trader programs and improved risk management systems.
However, many of the companies involved in global supply chain services are also subject to the European Union's (EU) General Data Protection Regulation (GDPR). One unintended consequence of the GDPR, which became enforceable on May 25, is that it creates serious legal uncertainties for companies that are developing and/or considering whether to implement potential blockchain applications for the supply chain.
The GDPR regulates the collection, processing, transfer, and retaining of personal data relating to individuals in the EU by an individual, company, or organization. "Personal data" is defined very broadly in the GDPR to include any information relating to an identified or identifiable living individual, which includes, without limitation, names, surnames, and e-mail addresses.
Perhaps most importantly with regard to the use of blockchain, the GDPR gives users:
- the right to request that personal data is rectified;
- the right to restrict processing of personal data;
- the right to move their personal data from one company to another; and
- the right to delete their personal data (the "right to be forgotten").
The blockchain is an elastic shared record that may be (depending upon the type of blockchain) distributed across numerous computers to help ensure that the record remains unmodified. In contrast, the GDPR provides that individuals must be able to request, among other things, the correction and deletion of their personal data. For a blockchain that involves personal data, this poses a problem. Reconciling the impracticality of changing the blockchain (in particular, a public blockchain) with the GDPR's individual rights requirements is a puzzle that will need to be solved in order for organizations to make use of blockchain technology and comply with the GDPR.
Given the large number of individuals and the amount of paperwork (e.g., shipping instructions, letters of credit, master and house bills of lading, customs documents) involved in shipping cargo between countries, blockchain appears ideally suited for use in the supply chain. By creating a record that is designed to be immutable, blockchain-based applications could, for example:
- make it more difficult to
- ship counterfeit products; and
- divert shipments from their intended destinations;
- provide information to consumers about the history and life cycle of products they buy; and
- simplify efforts to determine a shipment's location at any given time (and if applicable, the cause of any delay or damage).
However, to the extent that such records contain personal data protected by the GDPR, the use of such blockchain-based applications may create unintended compliance complications.
The breadth of the GDPR raises numerous legal questions regarding the possible use of blockchain for supply chain applications. For example, using blockchain to transmit bills of lading would help prevent fraudulent transactions; however, a bill of lading may contain personal data. Because blockchain technology makes it impractical to alter data – which is one of the major advantages of using blockchain the technology – it would appear to complicate the ability of an individual to, for example, move or delete his or her personal data.
As a result, it is problematic for GDPR compliance purposes to store personal data in a blockchain. Moving this data off the blockchain would address the GDPR problem, but it would also defeat the purpose of using blockchain in the first place by increasing complexity, lowering transparency, and actually reducing personal data security. This increased complexity, in turn, would make efforts to develop standards for blockchain – which are necessary to promote widespread adoption and benefits throughout the supply chain – that much more difficult.
That being said, there could be opportunities to make the case to EU authorities that additional clarity and flexibility is needed to "future proof" the GDPR so as to allow for the use of blockchain and other new technologies that have the potential to yield immense benefits to global supply chains and enhance global economic growth.
Venable's International Trade and Logistics Group, in coordination with its Blockchain and Digital Currency Group and Data Privacy Group, is actively monitoring developments and is well positioned to help companies navigate the requirements of GDPR to achieve the benefits of blockchain.