TechGDPR

Blockchain & DLT under the GDPR explained to the European Commission

Tuesday June 4th, 2019 by Silvan Jongerius

Today, I had the opportunity to present the key issues of Blockchain & DLT under the GDPR to a delegation of the European Commission in Berlin. Below is a summarised version of the issues I presented.


1. Is the Opinion 05/2014 by Working Party 29 still valid?

The Article 29 Working Party issued comprehensive guidance on Anonymisation Techniques in April 2014 (WP216), setting a high standard for the requirements of true anonymisation and specifying what is to be interpreted as pseudonymisation – which is merely a method to reduce the linkability of a dataset with the original identity of a data subject.

Many applications of DLT require some verification data to be stored on-chain, which, depending on interpretation and the specific requirements, can be seen as anonymous or pseudonymous.

During its first plenary meeting on May 25th, 2018, the European Data Protection Board (EDPB) endorsed a number of GDPR-related WP29 Guidelines, but not “Opinion 05/2014 on Anonymisation Techniques” by the Art. 29 Working Party.

The EDPB should clarify whether this opinion by WP29 may be used as a guideline, or ideally issue new guidelines that allow for sufficiently protected pseudonymous data and verification hashes to be recognised as anonymous.

2. Clarification of distribution of responsibilities in a decentralised environment according to given roles under GDPR.

The architecture (or topology) of systems using DLT is vastly different from that of more traditional systems built on a client-server or client-cloud architecture. The GDPR is clearly designed for a client-server architecture, with clearly distinguishable rights and duties between a data controller, who is primarily responsible, a data processor, who processes data on behalf of a controller, and a data subject, whose personal data is being processed.

This is not translatable into blockchain or distributed ledger technology, where every node could play every role, not overseen by a central entity or system. Participants may have different roles under different circumstances, and may have multiple roles at the same time. In addition, the requirement of concluding a Data Processing Agreement in a public permissionless network is very difficult to fulfil, and other overarching measures may be required.

Clarification of the GDPR roles of the different actors within the blockchain ecosystem under different circumstances is highly desirable, to give innovators enough legal certainty to continue their efforts.

3. Clarification regarding deletion and rectification obligations.

Under Articles 16 and 17 of the GDPR, data subjects have the right to have incorrect personal data corrected, and to have personal data that is no longer required erased.

This poses a problem when using DLT, which primarily derives its trust from its immutability. Because data on a DLT, including personal data, cannot be rectified or erased, and many blockchains are public, the best practice so far is not to store personal data directly on a blockchain but only a verification value of some kind, typically a hash. However, as highlighted above, there is currently no valid guidance on the exact limits of anonymisation, so how this is to be applied remains unclear.

Technical approaches to this problem exist: nodes can restrict access to certain information; only ‘keyed hashes’ can be allowed on-chain, each with a unique key stored off-chain that can be deleted; or a mutable implementation of DLT can be used. The last option hardly ever helps us trust the technology, as it relies on a trusted third party, which defeats the appeal of blockchain and DLT, and it should not be seen as a true solution.
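As an added illustration, not part of the original post, of the ‘keyed hash with an off-chain key’ approach described above (and of the anonymous-versus-pseudonymous question raised under point 1): an unkeyed hash of a personal data value can be re-linked by anyone holding a list of candidate values, whereas an HMAC with a per-record key cannot, and erasing the off-chain key leaves the on-chain digest verifiable by nobody. The sample records, key store and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample records (not real people).
RECORDS = {
    "rec-1": "alice@example.org",
    "rec-2": "bob@example.org",
}

# Off-chain key store: record id -> per-record key. Deleting a key is the
# "erasure" step; the on-chain digest itself is never modified.
KEY_STORE: Dict[str, bytes] = {}


def plain_commitment(value: str) -> str:
    """Unkeyed SHA-256 of the personal data, as often written on-chain."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_commitment(record_id: str, value: str) -> str:
    """HMAC-SHA256 with a fresh 256-bit per-record key that stays off-chain."""
    key = secrets.token_bytes(32)
    KEY_STORE[record_id] = key
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(record_id: str, value: str, onchain_digest: str) -> Optional[bool]:
    """True/False while the key exists; None once the key has been erased."""
    key = KEY_STORE.get(record_id)
    if key is None:
        return None
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, onchain_digest)


def erase(record_id: str) -> None:
    """Crypto-shredding: drop the key, leaving an unlinkable random-looking digest."""
    KEY_STORE.pop(record_id, None)


def relink(onchain_digest: str, candidates: Iterable[str]) -> Optional[str]:
    """What a third party with a candidate list can do: an unkeyed digest of a
    low-entropy value (e-mail, date of birth) is matched immediately; a keyed
    digest never matches without the key."""
    for candidate in candidates:
        if plain_commitment(candidate) == onchain_digest:
            return candidate
    return None
```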

Even within current practices using data backups in more traditional settings, it cannot be assumed that all personal data is effectively deleted, in particular from offline tape backups. It can also be questioned what the technical implementation of ‘deleting data’ in a traditional sense is: under most circumstances this is just ‘unlinking’ data, which can still be recovered.

Further guidance, and more flexibility on the interpretation of deletion and rectification obligations, in particular in a blockchain environment, is requested.

4. Request to ensure future guidance takes the different blockchain and DLT architectures into account.

When the EDPB or other regulators provide guidance on blockchain under the GDPR, it is essential to understand and consider the different blockchain architectures currently available, and possibly those of the future. A public permissionless blockchain, free for everyone to join, participate in and download, is vastly different from a private permissioned one. Related technologies that are technically not blockchains but still fall within the scope of distributed ledger technologies, such as Tangle and Hashgraph, have yet another very different architecture requiring a different approach.

We’d like to urge the regulators and in particular the EDPB to take these fundamental differences into account when issuing further guidance.

Silvan Jongerius

Managing Partner

Silvan is Managing Partner at TechGDPR, a member of the privacy working group of the German Blockchain Association, leading the establishment of a privacy working group at INATBA, and represents the Berlin Blockchain Ecosystem as President of BerChain e.V.
