December 19, 2018
Blockchain, Privacy and Regulation
by Mark Webb
The discussion on blockchain needs to be fully integrated within the context of existing and anticipated regulatory compliance requirements.
The past several months have seen increased activity and focus on the promising technology of blockchain and its potential in the insurance industry. Blockchain has also reemerged as an important issue in the European Union (EU) following the go-live date of the General Data Protection Regulation (GDPR) on May 25 of this year.
As a side note to U.S. policymakers, including the California legislature, the GDPR was adopted two years before its effective date. There was a reason for that. There will be a considerable amount of scrambling in Sacramento this year as efforts are made to clarify the scope and limit the unintended consequences of the hastily enacted California Consumer Protection Act of 2018 (CCPA). Virtually everyone in the insurance environment – including startup and established insurtechs – needs to keep a very close eye on what emerges during this effort in 2019.
Regardless, it is important for all those dealing with technology to understand how the E.U. is dealing with issues such as blockchain. Businesses in California should be paying particularly close attention to how the E.U. is attempting to reconcile GDPR and emerging technologies while the CCPA is moving inexorably to its effective date of Jan. 1, 2020. Multinational companies are already dealing with GDPR compliance given its long extraterritorial reach. Inevitably, how the E.U. is dealing with privacy will serve as at least a partial template for how privacy issues will be dealt with in the U.S.
E.U. commissioners are currently attempting to sort out the interaction between GDPR and blockchain technology. It is not a nice fit. To foster a dialogue on this issue, the E.U. Blockchain Observatory and Forum was created as a European Parliament pilot project. Per its website, the observatory’s mission is to monitor blockchain initiatives in Europe, produce a comprehensive source of blockchain knowledge, create an attractive and transparent forum for sharing information and opinion and make recommendations on the role the E.U. could play in blockchain.
On Oct. 16 of this year, the E.U. Blockchain Observatory and Forum published a thematic report, “Blockchain and the GDPR.” As noted in the report regarding blockchain and GDPR compliance:
“The issue of compliance of blockchain with GDPR is an important one. By specifying how personal data is to be protected, the GDPR will play a fundamental role in shaping digital markets in the Union. Considering its strong support of this nascent technology, the European Union clearly believes that blockchain technology has an equally important role in these markets, too, offering new paradigms for the ways we transact and interact with each other.” (Report, p.8)
What is not clear at this point in time is how blockchain can flourish while remaining compliant with GDPR. There are those who think the fundamental structure of blockchain is irreconcilable with GDPR. That opinion is not prevailing at this time. As noted repeatedly in the report, GDPR compliance is not about the technology; it is about how the technology is used. There are clearly issues, even with private consortium blockchains, that need to be fully understood. The issue isn’t just where the data are housed; the issues also include who controls the data and, as the report repeatedly emphasizes, how that data are used.
The E.U. is ahead of the U.S. in efforts to balance the rights of natural persons regarding their own personal information and the improvements that can come from technological innovation. While various sectors of the economy, including insurance, seem to be gushing about the possibilities of blockchain, there is a singular silence about how this environment will comply with the host of state and federal requirements placed on all the participants in this distributed ledger technology. This isn’t just about privacy in general and the CCPA in particular, although the CCPA could disrupt blockchain even in the commercial context if there is no further clarification during the 2019 California legislative session.
The observatory’s report, however, serves as a reminder that the GDPR deals with personally identifiable information belonging to natural persons and not with information that other business forms share with or provide to businesses. That is an important distinction but not entirely dispositive. In the world of commercial insurance, there are sole proprietors who must have not only liability coverage but also workers’ compensation insurance. These are “natural persons” who under GDPR, and currently under the CCPA, could ask that their personal data be removed from a database. This is not consistent with the blockchain’s promise of immutable records. (See: Civil Code Sec. 1798.105)
Earlier this year, industry giants Marsh and IBM, working with Acord, teamed up to develop a commercial blockchain for proof of insurance. Acord is the Association for Cooperative Operations Research and Development, an industry-supported organization that, among many other functions, makes many of the forms used in the property and casualty insurance industry for the transaction of insurance (applications, certificates, etc.). The pilot participant for this is ISN, a global contractor and supplier information management business. Per Marsh’s announcement earlier this year, “A distributed ledger technology, blockchain is ideally suited to large networks of partners. It establishes a shared, immutable record of all the transactions that take place within a network and then enables permissioned parties access to trusted data in real-time.”
IBM and Marsh also recently announced that they are working on making the proof of coverage blockchain accessible to Marsh clients through Salesforce.
Recently, The Institutes, best known for its professional designation programs in the insurance industry, has launched its RiskBlock Alliance. Per its Sept. 23, 2018 announcement, “…a blockchain consortium representing 31 risk management and insurance companies, has launched Canopy, the industry’s first end-to-end reusable blockchain framework, using the Corda blockchain platform.” One of the use cases currently being developed for Canopy is proof of insurance.
In remarks on the National Association of Insurance Commissioners (NAIC) Innovation and Technology (EX) Task Force Oct. 15, 2018, conference call, Christopher McDaniel, president of RiskBlock Alliance, said, in response to an inquiry from Oregon Division of Financial Regulation Deputy Administrator TK Keen: “…if regulators have their own node on the blockchain, they could push a button and create a report, as long as the appropriate agreements were in place to share the information.” [NAIC Innovation and Technology (EX) Task Force conference call Oct. 15, 2018, draft minutes dated Oct. 26, 2018]
In a July 12, 2018, blog titled “Ultimate Guide to Blockchain in Insurance” from management consulting firm Accenture, it was noted that blockchain would facilitate “using shared loss histories to obtain data-driven insights on prospective customers for more sophisticated pricing.” I suspect that state insurance regulators would have a keen interest in how that would be accomplished. Workers’ compensation rating organizations such as the National Council on Compensation Insurance, Inc. (NCCI) or the Workers’ Compensation Insurance Rating Bureau of California (WCIRB), operating under license from state insurance regulators and serving as a critical part of the active regulation of insurance required under the McCarran-Ferguson Act, would most likely have a few questions as well.
In other words, while there has been much discussion about the promise of blockchain, that discussion needs to be fully integrated into the discussion of how all that data are going to be secured, shared, and stored within the context of existing and anticipated regulatory compliance requirements. This goes beyond insurance regulation and, as is the case with the EU, directly implicates the emerging and complex privacy environment as evidenced by the CCPA.
Take, for example, the issue of proof of coverage and the issuance of certificates of coverage within the workers’ compensation environment. These are two separate issues that require separate solutions. States maintain coverage verification portals for any person to verify workers’ compensation coverage. These are managed by rating organizations pursuant to statutory mandate and generally by self-insurance regulatory authorities. In some instances, such as with California’s Contractors State Licensing Board (CSLB), there are separate coverage disclosure requirements that are also accessible by the general public. This is not a testament to the accuracy of these systems, but rather only to their accessibility.
For blockchain to be effective in the workers’ compensation environment, therefore, it needs to have some degree of integration with public databases. That isn’t as easy as it may seem. For example, Labor Code Sec. 3715 states, “The nonexistence of a record of the employer’s insurance with the Workers’ Compensation Insurance Rating Bureau shall constitute in itself sufficient evidence for a prima facie case that the employer failed to secure the payment of compensation.” Does this mean that rating organizations should have a node on the proof of coverage blockchain, as should the Division of Labor Standards Enforcement (DLSE) and the Department of Insurance (CDI)?
If that is the case, then what does that mean for purposes of public records laws and whether the blocks in the blockchain are public records? In other words, if the blockchain is to serve a public purpose then it must take into account access issues that may not be present when the ledger is entirely for private transactions.
A certificate of insurance is issued, arguably, by either an agent or broker or an insurance company. For most transactions, this is currently done through a writable .pdf document or done manually. This process is an open invitation for fraud. The work Acord is doing with Marsh and The Institutes underscores that a technology solution may help make the certification of insurance coverage – both as to existence and as to limits (for liability lines of insurance) – more reliable and transparent. This is not an inconsequential matter, especially in California and considering the particular issue of whether some staffing companies are very much part of the problem.
The latter issue regarding staffing firms is a critical one for California. Given the Golden State’s broad regulation of employment relationships, it is at best vexatiously ironic that when it comes to staffing agencies, with some very limited exceptions, there is virtually no regulatory framework to verify the legitimacy of staffing firms and the way they do business. This is a problem – and a problem that needs to be resolved before applying a technology solution to the issue of bogus certificates of insurance.
And that finally leads us back to what the observatory noted in its thematic report: “… start with the big picture: how is user value created, how is data used and do you really need blockchain?”