<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Blockchain & Society</title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <!-- <link rel="stylesheet" type="text/css" media="screen" href="main.css" /> -->
  <!-- <script src="main.js"></script> -->
  <style>
    @font-face {
      font-family: "SansGuilt";
      font-style: normal;
      font-weight: normal;
      src: url('fonts/SansGuilt/SansGuiltMB.otf');
    }
    @font-face {
      font-family: "SansGuilt";
      font-style: italic;
      font-weight: normal;
      src: url('fonts/Cormorant_Garamond/CormorantGaramond-Italic.ttf');
    }
    @font-face {
      font-family: "CormorantGaramond";
      font-style: normal;
      font-weight: normal;
      src: url('fonts/Cormorant_Garamond/CormorantGaramond-Regular.ttf');
    }
    body {
      background: black;
      color: white;
      font-family: "SansGuilt";
      font-size: 140%;
    }

    h1,h2,h3,h4,h5,h6 {
      font-family: "CormorantGaramond";
      font-weight: normal;
    }

    h1 {
      font-size: 200%;
      margin-left: -2em;
    }

    h1:before {
      display: inline-block;
      margin-left: -2.25em;
      margin-right: .25em;
      width: 2em;
      height: .5em;
      background-color: white;
      content: "";
    }

    h2 {
      margin-bottom: 0;
    }

    p {
      line-height: 1.25;
      margin-top: 0;
      margin-bottom: 1em;
    }

    .content {
      max-width: 30em;
      margin: auto;
    }

    ul {
      padding: 0;
    }

    li {
      list-style-type: none;
    }

    li:before {
      content: "― ";
    }
    
    .abberation {
      position: relative;
      float: left;
      margin-top: .5em;
      margin-left: -5em;
      margin-right: .5em;
      width: 7em;
      position: sticky;
      top: -4em;
    }

    .abberation:nth-of-type(even) {
      float: right;
      margin-right: -4em;
      margin-left: .5em;
    }

    .abberation img {
      max-width: 100%;
      max-height: 100%;
    }
    
    .abberation img:first-child {
      position: absolute;
    }
  </style>
</head>
<body>
  <section class="content">
    <h1>EU Blockchain Observatory and Forum
        Workshop on GDPR, data policy and compliance 
        (08.06.2018, Brussels)
    </h1>
    <h2>
      Introduction(s)
    </h2>
    <p>      
      The morning session was opened by Olivier Micol (DG Just, Head of Unit) with an introduction about the fundamental principles and rules of the EU General Data Protection Regulation (GDPR). The instrument – which is the result of a long negotiation among stakeholders and institutions – came into force on 25 May 2018. Before examining the interactions between blockchain and data protection within the EU legal framework, it is crucial to elucidate the key concepts and principles set out in the GDPR. 
    </p>
    <p><section class="abberation">
        <img src="patterns/white-2-autotrace.svg">
        <img src="patterns/white-2-potrace.svg">
      </section>
      A first clarification that is important for the discussion is that – due to the ECJ’s broad interpretation of “personal data” – pseudonymous data are covered by the GDPR, while only anonymous data fall outside its scope. Therefore, to avoid possible violations, businesses should refer to privacy authorities as to what is considered a valid anonymization technique. 
    </p>
    <p>
      Central to the GDPR are the concepts of accountability and controllership. The data controller (or the joint controllers) has a duty to safeguard the rights of data subjects. The legal instrument specifies six conditions under which data processing is legitimate;<sup>1</sup> the absence of all of these conditions makes the processing illicit. Another important principle is that of data minimisation: the purpose of the processing must be specified from its beginning, and the data should be deleted when no longer required for the specified purpose. The data must also be accurate and correct: if necessary, data subjects are now granted tools to request its amendment. Moreover, specific rules are provided for the transfer of data to third countries.<sup>2</sup>
    </p>
    <p>
      Crucial for the effectiveness of the GDPR is the possibility for individuals to enforce the rights provided therein. To this end, a Data Protection Authority (DPA) is established in each country. This is an independent authority in charge of enforcing the GDPR rules, without prejudice to any rights or remedies to which individuals may be entitled in their national jurisdiction. In addition, to ensure a harmonised interpretation and application of the GDPR, the European Data Protection Board acts as central interlocutor for the DPAs.
    </p>
    <h2>
      1. Blockchain and GDPR (Michèle Finck)
    </h2>
    <p>
      After the brief but essential overview of the GDPR core rules and principles, Michèle Finck took the stage to highlight the major points of tension between the European legal instrument on data protection and blockchain technology. 
    </p>
    <p>
      The GDPR, she noted, has a twofold objective: to ensure the free movement of personal data within the EU, and to protect fundamental rights by conferring on data subjects more control over their personal data. In pursuing these goals, the instrument, drafted more than two years ago, assumes that data is stored and processed in centralized databases. Blockchain technology, on the contrary – at least in its permissionless version – is a system for the decentralized collection, storage and processing of data. Given this peculiar architecture, several provisions of the GDPR fall short when applied in this context.
    </p>
    <p>
      A first question to be addressed is whether the GDPR is at all applicable when data is stored on distributed ledger technologies with no central party having exclusive control over it. The answer, according to Michèle Finck, is simple: the GDPR applies whenever personal data is at stake, unless it is anonymized.<sup>3</sup> As data on blockchains is generally not anonymous but only pseudonymous, the GDPR applies.
    </p>
    <p>
      Data stored on blockchains can be classified in two main categories: (i) transactional data, such as messages and transactions of various kinds occurring among users; and (ii) public keys: users’ personal identifiers. The latter unquestionably qualify as personal data. 
    </p>
    <p>
      <section class="abberation">
        <img src="patterns/white-4-autotrace.svg">
        <img src="patterns/white-4-potrace.svg">
      </section>
      Another important distinction regards the form in which data can be stored on blockchains, namely as plain text, encrypted or hashed. The former clearly does not prevent potential GDPR violations if personal data is concerned; and, anyway, it is costly, inefficient, and therefore very unusual. Furthermore, the higher degree of confidentiality ensured by encryption and hashing does not represent a safe harbor from data protection liability. Given that encrypted data may always be reversed and hashes can be linked to the data they have been derived from, these techniques do not guarantee anonymity but merely pseudonymity. Consequently, encrypted or hashed personal data stored on a blockchain fall within the scope of the GDPR. 
    </p>
    <p>
      After clarifying the applicability of the legal instrument, Michèle Finck proceeded to stress the shortcomings of the GDPR when applied in a blockchain context:
    </p>
    <ul>
      <li>The complexity of identifying the data controller, especially at the protocol layer (easier at the application layer); </li>
      <li>The impracticality of complying with the prohibition of processing data in third countries, where no equivalent protections are in place;   </li>
      <li>The uncertainty about the factual application of the principle of data minimization; </li>
      <li>The enforceability of the rights to amendment and erasure of personal data in tamperproof blockchains;</li>
      <li>The enforceability of the protection against automated processing of personal data. </li>
    </ul>
    <p>
        <section class="abberation">
          <img src="patterns/white-3-autotrace.svg">
          <img src="patterns/white-3-potrace.svg">
        </section>
      The analysis of GDPR requirements and blockchain technical features leads to pessimistic and optimistic conclusions. The former are based on the acknowledgment of the apparently irresolvable incompatibilities between data protection rules and blockchain. First and foremost, in a blockchain scenario, we lack tools to identify the subject of GDPR obligations and, consequently, to enforce data subjects’ rights. Confusion comes from the terminological uncertainty around the concept of “erasure”, a GDPR requirement which seems to be problematic for the inherent immutability of blockchains. Moreover, it is unclear whether hashing – the most common method used to achieve confidentiality of blockchain data – could ever be considered an anonymization technique. On top of this, it must be noted that most blockchain-based projects are, so far, not compliant with GDPR requirements. Therefore, it is legitimate to question, on one hand, whether DLTs could threaten data protection in the EU and, on the other, if the current legal uncertainty about the application of the GDPR could hinder innovation.  
    </p>
    <p>
      The optimistic conclusions relate to the concept of “data sovereignty” as a shared objective of both blockchain-based projects and data protection communities. Notwithstanding the current technical obstacles to data protection, the technology is still immature and could be further developed to better fit privacy requirements. In the future, there could and should be greater techno-legal interoperability: blockchain could be deployed to ensure data protection by design and to combine privacy with transparency. Indeed, what is needed is strong cooperation between stakeholders for the further development of the technology and for a proper, tailored interpretation of the GDPR.
    </p>

    <h2>2. BCDiploma (Alexis Berolatti)</h2>

    <p>
      The second speaker, Alexis Berolatti, presented the “BCDiploma” project: an application that “dematerializes” the issuance of school diplomas, ensuring the authenticity of data and the confidentiality of information through blockchain technology. With a simple click, users can display the attestation of their degrees. The platform ensures the reliability of the certification and of its issuer. All information is, in fact, previously verified by the company and embedded in the Ethereum public blockchain; when needed, the student can exhibit their education records without revealing additional, unnecessary information.
    </p>
    <p>
      The data concerned are the name of the student, date and place of birth, degrees, and other personal information. Hence, the solution requires personal data processing activities, regulated by the GDPR. Under this legal instrument, the legal basis for the processing is the students’ consent, whereas the objective is to allow students to share their certified data with third parties. The party responsible for the data processing is not the company providing the platform, but the diploma issuer (i.e. the school).
    </p>
    <p>
      The solution ensures compliance with the GDPR as it deploys a secure encryption algorithm and a three-key assembly that provides a high standard of security and the possibility of erasure. It is, in fact, possible to make the data unreadable by deleting one of the three keys. Moreover, the application impedes data exploitation and provides access and dissemination control.
    </p>
    <p>
      Notwithstanding the pragmatic and innovative approach of the BCDiploma solution, the storage of personal data on the blockchain – even if hashed or encrypted – still raises some concerns. For instance, if the encryption ever gets broken, the data would remain immutable and publicly accessible on the Ethereum blockchain, certainly causing violations of data protection rights.
    </p>
  </section>
  <script>
    document.addEventListener('scroll', function (e) {
      var max = 2.5, speed = 0.075;

      document.querySelectorAll('.abberation img:first-child').forEach(function (img) {
        var rotation = ('rotation' in img.dataset) ? parseFloat(img.dataset.rotation) : 0;
        var direction = ('direction' in img.dataset) ? parseInt(img.dataset.direction, 10) : 1;
        var delta = (Math.random() * speed) * direction;
        
        rotation = Math.max(-max, Math.min(rotation + delta, max));

        if (rotation === max) {
          direction = -1;
        } else if (rotation === -max) {
          direction = 1;
        }

        img.style.transform = 'rotate('+rotation.toString(10)+'deg)';
        img.dataset.rotation = rotation;
        img.dataset.direction = direction;
      });
    });
  </script>
</body>
</html>