Blockchain technology is decentralised, distributed ledger. It is revolutionary technology that is expected to reshape the future of business and commerce. Although the first real emergence of this technology dates back to 2009, it is the use of this technology in Bitcoin that had put the technology behind it under examination.
Bahrain has been a regional financial hub for over four decades and has the largest concentration of financial institutions and funds registered and domiciled in the region.
As a result, significant attention is paid to the use of this technology in the financial sector while other potential uses are also considered.
Moreover, the kingdom is also known for its reliable Information and Communications Technology (ICT) infrastructure and platform for innovation and disruptive technologies, which makes the kingdom well-placed to become a regional hub for a digital ecosystem to build blockchain and fintech investment.
However, from a legal perspective, one cannot find laws or regulations that are specifically designed to regulate blockchain technology in Bahrain.
Hence, legal issues arising or resulting from blockchain application are subject to laws and regulations that are related to the relevant legal issue.
In other words, legal questions regarding the use of blockchain technology when selling goods for instance will be subject to provisions of Legislative –Decree No. 19/2001 promulgated Civil Code and Law No. 35/2012 concerning consumer protection.
Legal questions concerning protection of personal data and one’s privacy in blockchain technology will be subject to Law No. 30/2018 with Respect to Personal Data Protection Law.
Despite the importance of all legal topics and issues in relation to blockchain technology, it is the aim of this article to focus on the legal questions related to personal data and to open doors for further studies and discussions.
Thus, when considering the potential legal issues of blockchain technology in relation to protection of personal data, one shall keep in mind that laws and regulations protecting personal data were designed around the notion of centralised collection and storage of data.
On the other hand, the heart of blockchain technology is designed around Distributed Ledgers Technology (DLT) to ensure its immunity against hacking.
In other words, the key feature of this new technology is distribution, rather than centralisation of data.
Another issue is related to a key feature of blockchain technology, being the ability to perpetually store data.
From a legal perspective, this could have serious legal consequences.
For instance, under the General Data Protection Regulation (GDPR – Regulation EU 2016/679) one has the right to request that his personal data is removed from a record, this right is known as the Right to be Forgotten.
Clearly, this will conflict with the essence of this technology where data is stored perpetually.
In Bahrain, questions with respect to personal data are governed by Law No. 30/2018 with Respect to Personal Data Protection Law.
Thus, any processing of data via blockchain technology will be subject to this law. Personal data stored in plain text is certainly personal data for the purposes of this law.
However, the question with respect to encrypted data and to hashing techniques is more complicated.
The Law in Bahrain only refers to encrypted data in the context of Article (3/5) with respect to requirements for data quality control which reads:
“The following shall be complied with, in regards to personal data that is processed:
“Shall not be kept in a form which permits identification of data subject once the purpose for which the data was collected or further processed was achieved. Personal data that is stored for longer periods for historical, statistical or scientific use, shall only be kept in anonymous form, by modifying the personal data into a form in which it cannot be associated with the data subject, if that is not possible, the identity of the data subjects must be encrypted.”
Accordingly, data kept in anonymous form is not considered personal data for purposes of this law; furthermore, encryption of data subject is key if it were not possible to anonymise personal data. Thus, the technique used in blockchain technology still allows linking the data to the data subject, it would still be considered personal data and therefore is subject to Bahrain Law No. 30/2018.
Moreover, the decentralised feature of this technology means that any node can access transactions and users actions are transparent meaning that user’s transaction history is accessible to anyone. As a result, it could be a threat to one’s privacy.
As the situation stands today, no answer is available as to how such questions are going to be dealt with.
The position of court’s interpretation is also unclear due to the lack of case-law in Bahrain.
Hence, these legal questions are left to the technical and legal experts to discuss, examine, and make suggestions as to what needs to be changed.