Click here to download the full report in PDF format.
Executive Summary
Our current online ecosystem is dominated by targeted advertisements. Companies collect troves of information about their users and use that information to monetize otherwise-free services, such as social media platforms and search engines. The inescapability of this system has led policymakers to question how the collection and monetization of user data affects an individual’s right to privacy.
What privacy is and how it should be operationalized—already difficult questions—are made more complex by the digitization of daily life and the disparity between people’s beliefs and actions around privacy preservation. Governments have attempted to provide comprehensive frameworks for how users’ privacy should be treated online, placing restrictions on the collection, storage, distribution, and use of personal information. Such regulatory frameworks have been imperfect but largely workable in the current iteration of the Internet. However, the advent of new decentralizing technologies has the potential to radically alter how data privacy must be operationalized.
The current Internet paradigm, known as Web 2, is typified by large, centralized companies controlling vast swaths of the digital ecosystem. But blockchain-based technologies, grouped together under the broad umbrella of “Web 3,” present an alternative method of structuring data transmission and storage. In Web 3, online networks and applications are generally decentralized, public, and immutable. In many instances, personal information traversing these networks is publicly available but not directly tied to an individual’s identity. These characteristics demand a reexamination of what data privacy means and how it should be regulated.
Several aspects of existing data privacy laws and legislative proposals are at odds with Web 3 networks and applications. One complication is that sufficiently decentralized systems do not have an easily sanctionable controller or processor of user data. Another is that because many of these networks are immutable, it is difficult if not impossible to delete personal information at the request of the user, as is required under most data privacy laws.
Advertising and attribution systems such as Spindl have already begun to appear in Web 3, so it is essential that the tension between data privacy laws and decentralized systems be addressed. In order to reconcile Web 3 and data privacy, policymakers should promote a sectoral approach to data privacy laws, with rules governing the appropriate flow of information for certain contexts.
