Smart Contracts from a Data-Protection Perspective

Rocco Panetta

Panetta & Associati Law Firm

Panetta & Associati Studio Legale (Panetta & Associati) is considered one of the most innovative Italian law firms in the field of privacy and data protection. During the last few years, Panetta & Associati has been conducting considerable research on the integration between law and new technologies.

In particular, Panetta & Associati was among the first law firms in Italy to offer legal advice to some sensitive EU projects on data sharing for scientific research purposes. In this article, the recent evolution of the relationship between contracts and automated decision-making processes, in relation to “smart contracts”, is briefly explored.


What do we mean by smart contract?

Recently revived by the advent of blockchain and distributed-ledger technologies, smart contracts were defined, more than 20 years ago, as “computerised transaction protocol – i.e. an algorithm – that executes term of contract” (Nick Szabo, 1997). Once they are embedded in a distributed ledger, such agreements become as binding between the parties as traditional contracts, with the peculiarity that they are auto-executive, not requiring any intervention by a trusted third party (i.e. when certain conditions are met, these contracts are able to automatically perform actions or execute provisions). Therefore, smart contracts can now work thanks to the blockchain technology.


Why are smart contracts relevant?

Nowadays, the use of smart contracts is deeply associated with privacy and data protection. Since the entry into force of the General Data Protection Regulation n. 679/2016 (the “Regulation” or “GDPR”) there was a need to conciliate the privacy legislation with the automated inherent nature of smart contract.

In fact, when a smart contract involves the processing of personal data based on the consent of the data subject, it is crucial to foster privacy-by-design solutions, in compliance with the GDPR. In this regard, some forms of “dynamic consent” are now being developed to allow data subjects to better control their data. Smart contracts are important to demonstrate the trustfulness of data sharing, identifying the data subject and his/her consent preferences, in order to provide the data controller with a transparent and tamper-proof record of the permissions obtained and their subsequent traceability.


What is automated individual decision-making?

Based on the above, it is easy to understand why smart contracts certainly fall into — and maybe are the best expression of — the definition of “Automated individual decision-making” processes set out by Art. 22 of the GDPR. To this extent, a smart contract can be such as to trigger “a decision based solely on automated processing (…) which produces legal effects concerning [the data subject] or similarly significantly affects him or her”.

This is one of the most innovative provisions of the GDPR, being an opening clause aimed at governing and putting reasonable limits on any form of fully automated decision-making, including artificial intelligence. Said limits are represented by the obligation to make the individual fully aware (by means of a privacy notice or ad hoc clauses) about the entire informatisation of the processes leading to a decision which produces effects on the data subject, and by the need for the data controller to ground the relevant processing on the data subject’s explicit consent, or on the existence of legal provision requiring or authorising this kind of automated activity or, finally, on the need to enter into, or perform, a contract between the data subject and the data controller.


What kind of safeguards are necessary?

Smart contracts and the related processing of personal data shall be subject to suitable safeguards, which shall include specific information to the data subject, or de-identification techniques, in order to protect the data subject’s rights and freedoms and legitimate interests, with particular reference to special categories of personal data referred to in Article 9(1) of the GDPR.

It is worth stressing that even when the automated decision-making process is necessary for entering into or performing a contract between the data subject and the data controller, or is based on the individual’s consent, the controller is required to adopt measures to

1) ensure that the data subject can obtain a human intervention (thus breaking the full automation of the processes),

2) express his or her point of view on the relevant outcomes, or

3) contest the decision resulting from the process.

The new borders of smart contracts are now about actually enabling the data subjects to control the processing of their personal data and to allow them to easily exercise the rights granted by the GDPR. As an example, through a complex blockchain-based mechanism, the exercise of the right to access personal data can be “translated” into a smart contract that automatically executes data transactions whenever the predetermined conditions are met. Consequentially, if only one of the conditions is not properly satisfied, the smart contract keeps itself on standby, until all conditions are verified.

Smart contracts, in other words, can be leveraged as a privacy-preserving tool to enhance the security of personal data and foster accountability.


Rocco Panetta is the founding member of Panetta & Associati Studio Legale and Country Leader (Italy) of the International Association of Privacy Professionals (IAPP).


XLNC MAGAZINE | No. 03 | May  2019

Interested in becoming a member of XLNC?

If you are a professional services firm with an international client base and are regarded as one of the leading industry practices in your country, working to the highest standards and providing excellent client service, you meet the basic requirements for XLNC membership.

Become a member