Blockchain and Data Protection: What Happens When the Data Is Public?

Chances are you or your company use multiple software as a service or “SaaS” applications. They’re ubiquitous. This blog post was written using one — Google Docs. My firm uses one to keep its books and another to issue invoices.

One long-running issue with these applications is what happens to the data in a SaaS platform.

Data, of course, is a hot commodity and most SaaS services want rights to as much of their customers’ data as possible. This allows them to use it to refine their offerings, repurpose it or, in some cases, monetize the data themselves.

In contrast, a SaaS user probably wants to retain as much control as possible over any data. There are many reasons for this: for example, to avoid privacy and compliance problems (especially in light of the GDPR, California’s Consumer Privacy Act, and similar laws that may be enacted in other states) and to protect the hard work and goodwill involved in gathering the data.

Thus, in negotiating SaaS contracts, one big sticking point is frequently who owns the data on a SaaS platform — the company that provided the data in the first place, or the SaaS vendor with the platform that analyzes, aggregates and/or alters it? While consumers might not have a lot of room for negotiation, where two companies are involved, there’s likely to be a lot of back and forth on this topic.

Generally speaking, these discussions are shaped by well-established principles governing the protection of trade secrets and, to a lesser extent, copyright law. The former focuses on what a database owner has done to protect its data from the outside world. The latter applies where the work to be protected is, to some degree, original. Copyright law is therefore generally less important here, because a database that is merely a collection of facts lacks the originality required for copyright protection.

The incorporation of data published on a public blockchain into any SaaS platform adds another wrinkle to any discussion about data ownership and protection. By way of background, a public blockchain is a blockchain network that is open to anyone. Bitcoin is one of the largest and best-known public blockchains. In contrast, as the name suggests, a private blockchain requires permission to publish information to it and, thus, limits who can publish and see information on the blockchain.

Obviously, publishing previously private information on a public blockchain changes the nature of that information, because it becomes public to the network. Probably the best example of this is cryptocurrency transactions. While it’s generally difficult to connect a transaction to a particular individual, the public blockchain for a cryptocurrency is a huge, publicly available collection of information that is open to anyone who wants to participate. This makes it difficult, if not impossible, to claim trade secret protection because publication of information on a public ledger such as a blockchain negates any claim that the information is secret.

Because of this, there are limits to the degree to which anyone can claim ownership of, and as a result the right to control, data on a public blockchain. Even so, there are still some issues that a user and a SaaS vendor in this situation should discuss:

  • Particularly in light of the GDPR, California’s Consumer Privacy Act and other similar laws, does the data contain any personally identifying information? If so, who is responsible under those laws for protecting it?
  • What happens if there’s a data breach?
  • Who owns the data that is altered/aggregated by the SaaS platform? How about the output from the SaaS platform?
  • What can the SaaS vendor do (or not do) with the data it receives? Can the owner of the data license its use by the vendor?