Nothing challenges the effectiveness of privacy laws like technological innovation. As the volume of data being generated about individuals increases, technology is making it easier than ever for data to be captured and analyzed, making that data ever more valuable.

Unfortunately, technology also introduces new and previously unknown threats. As such, how companies collect, process and protect the personal data of their customers, staff and suppliers has become a key challenge.

The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is the European Union’s legislative response to this challenge. Drafted to be “technology neutral,” the GDPR is intended to give individuals better control over their personal data and establish a single set of data protection rules across the EU, thereby making it simpler and cheaper for organisations to do business. So far, so sensible. Unfortunately, technology always runs ahead of the law and the GDPR is already starting to show some of its limitations as the law clashes with newer technologies.

Blockchain technology

Blockchain – or distributed ledger technology – replaces the centralised transaction database with a decentralised, distributed digital ledger where each and every transaction flowing through it is independently verified against other ledgers maintained by different parties, in different locations. In this way, the record of any single transaction cannot be altered without changing all subsequent transactions or “blocks” that are chained together across the entire distributed ledger. It is this immutability that ensures the reliability of the information stored on the chain.

The GDPR gives data subjects the right to request that their personal data is either rectified or deleted altogether. For blockchain projects that involve the storage of personal data, these legal rights do not mix well with the new technology. Drafted on the assumption that there will always be centralised services controlling access rights to the user’s data, the GDPR fails to take into account how a permissionless blockchain works. Ultimately, this may mean that blockchain technology cannot be used for the processing of personal data without potentially falling foul of the GDPR.

Interestingly, blockchain technology provides its own potential solution to this problem by allowing personal data to be kept off the various ledgers altogether. It does this by replacing the personal data with an encrypted reference to it – a “hash.” These hashes, or digital fingerprints, prove that the data exists, but without the data itself appearing on the chain.

Problem solved? Unfortunately not. The GDPR draws an unhelpful distinction between pseudonymised and anonymised data. Pseudonymisation occurs where personal data is subjected to technological measures (like hashing or encryption) so that it no longer directly identifies an individual without the use of additional information. Anonymisation on the other hand, results from processing personal data in order to irreversibly prevent identification. As such, anonymised personal data falls outside the scope of the GDPR, whereas pseudonymised data – including hashed data – does not.

Unlawful algorithms

Social media sites and search engines specialise in algorithms that allow them to target advertisements at users. However, the way those algorithms work makes all the difference and reveals an unintended consequence of the GDPR’s drafting.

Take the example of Bob. Bob decides to buy a new car by doing all of his research using an internet search engine. He then posts details of his new purchase on social media. The algorithms for Bob’s social media site correctly profile Bob as someone who is likely to buy car products or access car-related services in the future. Bob will therefore start to see targeted adverts on his social media page. Following his hours of online research for a new car, the algorithms used by his chosen search engine reach the same conclusion and Bob will also start to see some of those same adverts each time he goes online. While the resulting adverts Bob receives may be the same, the way the algorithms achieve this result is very different.

Social media algorithms target adverts by knowing who you are, whereas search engines target adverts by knowing what you are searching for. The who versus what dichotomy is therefore critical under the GDPR. Social media sites know which adverts to show Bob because they analyse his profile and hold personal data about him. The algorithms for most search engines, on the other hand, look only at what Bob searched for. The only data those engines need to target their advertising to Bob is to know that somebody in a particular geographic area used the search term “new car.” The engines have no idea that it was Bob searching for a new car, just that someone did. Search engines can therefore ignore personal data and still achieve the same algorithmic precision, social media sites cannot.

Should Bob be required to give his consent to this use of his data before it is used in this way? Under the GDPR, arguably yes, but only for the way the social media site uses his data. Bob has no ability to stop his chosen search engine using the data it holds because that data is not considered “personal data.”

Artificial intelligence

Artificial intelligence relies on machine learning, but for machines to learn, they need to crunch data, and lots of it. The GDPR makes it more difficult for those machines to get the data in the first place and once they have the data, rights granted to data subjects under the GDPR could also make it difficult for companies to reap the full benefits of machine learning.

The volume of data available for machine learning is not a problem, but under the GDPR, using that data lawfully often will be. This is because those developing machine learning will often be data processors rather than data controllers. Data processors are not permitted to decide for themselves how personal data is used, they can only use the data as directed to do so by the data controller and with the consent of the data subject.

Assuming consent is obtained and the machines learn from the data they consume, the output those machines then generate may also be restricted by the GDPR. This is because data subjects have a right under the GDPR not to be subject to a decision based solely on automated processing if that decision significantly affects the data subject. In other words, much of the ability to allow machines to make automated decisions will be linked to how those decisions affect our lives. Automated decisions about our shopping habits will probably be fine but automated decisions which determine a career promotion or mortgage application are likely to be challenged in the future.

Conclusion

With the GDPR now in force, not only is the long arm of EU data protection law reaching beyond the EU’s borders, potentially it is also impacting our use of new technologies.

Technology will not stop to adjust to the new laws, which means legal frameworks like the GDPR need to remain flexible enough to strike a balance between technological progress and the protection of individual privacy.

Locations

Cayman Islands

Sectors

Technology & Innovation

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Funds-and-Investment-Services
1 Jul 2025

Crypto Funds in the Cayman Islands

As one of the leading offshore financial centres, home to approximately 70% of the world’s offshor...

Matt Mulry
Sailaja Alla
Peter Colegate
Matt Mulry, Sailaja Alla, Peter Colegate
Dispute Resolution
28 Jun 2025

High Court of Hong Kong confirms arbitrability of shareholder claims for oppression and loss of confidence

In the recent decision in PI 1 & PI 2 v MR [2025] HKCFI 1110 (PI 1 & PI 2), the High Court of Hong K...

Harriet Ter-Berg
George Mallis
Harriet Ter-Berg, George Mallis
Appleby-Website-Funds-and-Investment-Services
26 Jun 2025

Navigating CIMA Audit Requirements for a Cayman Regulated Fund

To maintain good standing with the Cayman Islands Monetary Authority (CIMA), a Cayman regulated mutu...

Eason Huang
Maree Martin
Freya Xu
Yan Zeng
Eason Huang, Maree Martin, Freya Xu, Yan Zeng
Appleby-Website-Cayman2
25 Jun 2025

A Corp V Firm B: The Abcs Of Arbitral Confidentiality

In the recent judgment in A Corp v Firm B, the High Court of England and Wales set out an elucidati...

Alan Bercow
David Lewis-Hall
Jae Shin
Alan Bercow, David Lewis-Hall, Jae Shin
Appleby-Website-Corporate-Practice
11 Jun 2025

Minority shareholder protections in the Cayman Islands - What are your options?

Minority shareholders often query whether a jurisdiction’s laws afford them a level of comfort or ...

Simon Raftopoulos
Darryl Jago
Andrew Jackson
Simon Raftopoulos, Darryl Jago, Andrew Jackson
Website-Code-Cayman-2
9 Jun 2025

No fishing allowed: Key lessons from the rejection of cross-border letter of request in high value fraud case

In Byju's Alpha Inc v OCI Ltd and others [2025] EWHC 271 (KB), the English High Court (High Court) s...

Alan Bercow
Charlotte Walker
Alan Bercow, Charlotte Walker
Appleby-Website-Dispute-Resolution-Practice
3 Jun 2025

Whose Opportunity is it Anyway? The Line Between Fiduciary Responsibility and Private Entrepreneurship

Although it is well-understood that fiduciaries are subject to the no profit rule, its proper ambit ...

Andrew Jackson
Andrew Jackson
Appleby-Website-Regulatory-Practice
2 Jun 2025

Cayman Islands Regulatory Round Up - Spring 2025

The round-up provides a concise yet thorough summary of regulatory developments relevant to financia...

Simon Raftopoulos
Menelik Miller
Miriam Smyth
Maree Martin
Simon Raftopoulos, Menelik Miller, Miriam Smyth, Maree Martin
Appleby-Website-Arbitration-and-Dispute-Resolution
2 May 2025

State Immunity - Opt Out?

In its recent judgment in CC/Devas (Mauritius) Ltd v Republic of India, the High Court of England a...

Alan Bercow
Jae Shin
Alan Bercow, Jae Shin
Website-Code-Cayman
17 Apr 2025

Court of Appeal confirms limitations on investors’ statutory right to “true and full information” in Abraaj Group Fraud

Sebastian Said
Alan Bercow
Susan Fallan
Daniel Coelho
Sebastian Said, Alan Bercow, Susan Fallan, Daniel Coelho