EU Blockchain Observatory and Forum Workshop on GDPR, data policy and compliance (08.06.2018, Brussels)
Introduction(s)
The morning session was opened by Olivier Micol (DG Just, Head of Unit) with an introduction about the fundamental principles and rules of the EU General Data Protection Regulation (GDPR). The instrument – which is the result of a long negotiation among stakeholders and institutions – came into force on 25 May 2018. Before examining the interactions between blockchain and data protection within the EU legal framework, it is crucial to elucidate the key concepts and principles set out in the GDPR.
Central to the GDPR are the concepts of accountability and controllership. The data controller (or the joint controllers) has(ve) duties to safeguard the respect of data subjects’ rights. The legal instrument specifies six conditions under which data processing is legitimate1; the absence of at least one of these conditions makes the processing illicit. Another important principle is that of data minimisation: the purpose of the processing must be specified from its beginning, and the data should be deleted when no more required for the specified purpose. The data must also be accurate and correct: if necessary, data subjects are now granted tools to request its amendment. Moreover, specific rules are provided for the transfer of data to third countries.2
Crucial for the effectiveness of the GDPR is the possibility for individuals to enforce the rights provided therein. To this aim, in each country a Data Protection Authority (DPA) is established. This is an independent authority in charge of enforcing the GDPR rules, without prejudice to any rights or remedies to which individuals may be entitled in their national jurisdiction. In addition, to ensure a harmonic interpretation and application of the GDPR, the European Data Protection Board acts as central interlocutor for the DPAs.
1. Blockchain and GDPR (Michèle Finck)
After the brief but essential overview of the GDPR core rules and principles, Michèle Finck took the stage to highlight the major points of tension between the European legal instrument on data protection and blockchain technology.
The GDPR, she noted, has a twofold objective: to ensure free movement of personal data within the EU; and to protect fundamental rights, conferring on data subjects more control over personal data. In pursuing these goals, the instrument, drafted more than two years ago, assumes that the data is stored and processed in centralized databases. On the contrary, Blockchain technology – at least in its permissionless version – is a system for decentralized collection, storage and processing of data. Given its peculiar architecture, several provisions of the GDPR fall short when applied in this context.
A first question to be addressed is whether the GDPR is at all applicable when data is stored on distributed ledger technologies with no central party having exclusive control over it. The answer, according to Michèle Finck, is simple: GDPR applies whenever personal data is at stake, unless it is anonymized.3 As on blockchains data is generally not anonymous but only pseudonymous, the GDPR applies.
Data stored on blockchains can be classified in two main categories: (i) transactional data, such as messages and transactions of various kinds occurring among users; and (ii) public keys: users’ personal identifiers. The latter unquestionably qualify as personal data.
After clarifying the applicability of the legal instrument, Michèle Finck proceeds by stressing out the shortcomings of the GDPR when applied in a blockchain context:
- The complexity of identifying the data controller, especially at the protocol layer (easier at the application layer);
- The impracticality of complying with the prohibition of processing data in third countries, where no equivalent protections are in place;
- The uncertainty about the factual application of the principle of data minimization;
- The enforceability of the right to amend and (of) erasure of personal data in tamperproof blockchains;
- The enforceability of the protection against automated processing of personal data.
The optimistic conclusions relate to the concept of “data sovereign” as a shared objective of both blockchain-based projects and communities. Notwithstanding the current technical obstacles to data protection, the technology is still immature and could be further developed to better fit privacy requirements. In the future, there could and should be a greater techno-legal interoperability: blockchain could be deployed to ensure data protection by design and to combine privacy with transparency. Indeed, what is needed is a strong cooperation between stakeholders for the further development of the technology and for a proper, tailored interpretation of the GDPR.
2. BCDiploma (Alexis Berolatti)
The second speaker, Alexis Berolatti, presented its project “BCDiploma”: an application that “dematerializes” the issuance of school diplomas ensuring authenticity of data and confidentiality of information through blockchain technology. With a simple click, users can display their degrees’ attestation. The platform ensures the reliability of the certification and of the issuer thereof. All information is, in fact, previously verified by the company and embedded in the Ethereum public blockchain; when needed, the student can exhibit their education records without revealing additional, unnecessary information.
The concerned data are the name of the student, date and place of birth, degrees, and other personal information. Hence, the solution requires personal data processing activities, regulated by the GDPR. Under this legal instrument, the legal basis for the processing is the students’ consent, whereas the objective is to allow students to share their certified data with third parties. The party responsible for the data processing is not the company providing the platform, but the diploma issuer (i.e. the school).
The solution ensures compliance with the GDPR as it deploys a safe encryption algorithm and a 3-keys assembly which ensures high standard security and possibility of erasure. It is, in fact, possible to make data unreadable by deleting one of the three keys. Moreover, the application impedes data exploitation and provides access and dissemination control.
Notwithstanding the pragmatic and innovative approach of the BCDiploma solution, the storage of personal data on the blockchain – even if hashed or encrypted – keeps raising some concerns. For instance, if the encryption ever gets broken, the data would remain immutable and publicly accessible on the Ethereum blockchain, certainly causing violations of data protection rights.