The New ‘American Data Privacy and Protection Act’ and Blockchain Technology

To be clear – there is no mention of blockchain technology and cryptocurrency in the new American Data Privacy and Protection Act (ADPPA). But its introduction may raise the question, for some, of when and where privacy can be a part of the blockchain discussion.

A track of content at last Saturday’s crypto conference Consensus 2022 in Austin, Texas said it “all” with its title: “Can We Solve Privacy?”

Later in the day, Carole House, Director for Cybersecurity and Secure Digital Innovation for the White House National Security Council, told the audience she is hopeful that one day uniform KYC AML (Know-Your-Customer Anti-Money-Laundering) crypto rules can be applied globally for financial transactions – an application at the opposite end of privacy. Yet, she also indicated that consumer privacy is a conundrum that needs to be solved for today’s blockchain tech.

Similar to recent blockchain policy efforts such as the Responsible Financial Innovation Act in the Senate and the Digital Commodity Exchange Act in the House, creating “a strong national framework” – and this time for a national government data privacy policy – is taking center stage this week with hearings for the ADPPA.

The bill was released as a draft on June 3:

    • See the bill’s draft here.
    • View the draft’s press release here.
    • Section by section discussion of the bill here.

With the introduction in the House and Senate, bi-partisan efforts are at work with Rep. Frank Pallone, Jr. (D, NJ) and Rep. Cathy McMorris Rodgers (R, WA), Chairman and Ranking Member of the House Committee on Energy and Commerce, and in the Senate, Sen. Roger Wicker (R, MS), Ranking Member of the Senate Committee on Commerce, Science, and Transportation.

Once again, like the Lummis/Gillibrand partnership, politicians realize bi-partisan efforts are key to getting anything passed by a divided government especially as Republicans likely claim the majority in the Fall across House and Senate. Bicameral bipartisanship is becoming a popular alliterative phrase on The Hill if you want to get something done.

Industry organization, the International Association of Privacy Professionals (IAPP), has been keeping its members updated on the new legislation and released an op-ed from Northeastern University professor Woodrow Hartzog and Washington University professor Neil Richards which reads, “But possibly the most significant part of the bill are ‘duties of loyalty,’ which in theory would require organizations to act in our best interests when processing data and designing services.”

The idea is that companies wouldn’t be working just for profits when it comes to using data; they’d need to work in the interest of the consumers whose data they are using and protect privacy. Call it self-regulation (or an SRO) within regulation, perhaps. Therefore, when considering the blockchain, is there room for blockchain companies to figure it out?

Blockchain and Privacy

The blockchain may enable secure, private cryptographic transactions but once the deal is done, it’s recorded on the ledger for all to see – for example with Ethereum: see Etherscan.

Self-sovereign identity seems to be the goal of goals of blockchain technology enthusiasts with presumed privacy capabilities built-in. IBM describes self-sovereign identity as, “Lifetime portable identity for any person, organization or thing that does not depend on any centralized authority and can never be taken away.”

Some companies are diving in such as Privy (see a bit more from their presentation at ETH Denver in February) which is helping companies that use blockchain technology manage privacy by servicing a blockchain’s privacy needs off-chain. An impressive group of investors led by Sequoia saw enough that they climbed aboard in April.

Meanwhile, Ethereum co-founder Vitalik Buterin has suggested that specific non-fungible tokens (NFTs) – which use blockchain technology – might be the way to go for privacy. In a blog post in January, he described “Soulbound NFTs” which can never be transferred from the initial owner. He argues, “Privacy being a core part of the design can avoid these bad outcomes and increase the chance that we create something great.”

And a recently published outline from Microsoft’s Alex Simons offers 5 guiding principles for decentralized identity (DID) for their cloud products and what is colloquially known as Microsoft Azure Active Directory Verifiable Credentials beginning with Principle #1: “Secure, reliable, and trustworthy.” Wired provides an overview on Microsoft’s service and how the Bitcoin blockchain is integrated in the solution.

Many proposed solutions – but still evolving.

Everyone Wants Changes

Like almost any new bill, the new American Data Privacy and Protection Act is inspiring extensive changes. In a letter to the House, the special interest group Electronic Frontier Foundation (EFF) thinks more should be added to the bill, saying (PDF), “This bill would preempt many existing kinds of state data privacy laws,” and the EFF wants states’ rights back in the bill.

In fact, yesterday’s House Energy and Commerce Committee hearing included eight (8) witnesses who each wanted changes. The IAPP noted, “Those comments reflect the proposal’s imperfections, but it also demonstrates the reality of the ongoing stakeholder process lawmakers are working through despite consultations that led to the bipartisan draft.”

More to come. Lots.