Dissertation article notes

Dissertation – Literature Notes

Matthias Berberich and Malgorzata Steiner, “Blockchain technology and the GDPR - how to reconcile privacy and distributed ledgers?” – Available on HeinOnline Note – that this article is from 2016 and so some of the information may be slightly dated. This article opens with some useful knowledge that will be applicable in my own intro: (own words) Since its conception through the distributed ledger, Bitcoin, blockchain technology has surpassed initial expectations as to the potential of its capabilities and today’s applications are not solely confined to ‘cryptocurrencies’ (e.g. smart contracts). Suggests that blockchain has ‘three constituting elements’: • Append only database (i.e. continually expanding) and ‘persistent’ – meaning that all transactions, once stored on the chain, cannot be removed i.e. it is immutable. • It is a distributed, peer-to-peer ledger. This means that all nodes in the network hold a full copy of the blockchain on their systems and work as verifiers of transaction for the network. This reliance on nodes means that blockchain systems are not centralised by any single entity/ natural person. • Blockchain is, by its very nature, a network of encryption in that for a successful transaction, there must be use of private and public keys. Territorial Scope GDPR applies where a data controller/processor has an establishment within the EU, regardless of whether the actual processing takes place within EU or not. It can also apply to the processing of personal data, even where the controller/processor is not situated in the EU (Art 3(1) gdpr): • But the data subjects are situated in the EU • Where processing is related to goods or services being offered to EU residents (recital 23 for determining factors) • ‘Or tracking the behaviour of data subjects within the EU’ Notes that the question of ‘who is the data controller’ is something that will arise when considering the territorial scope of the GDPR and whether it catches blockchain systems – is every node a data controller? If not, how is a single node determined controller over the large quantity of other ones. Personal Data ‘Personal data’ defined under Art 4(1) GDPR i.e. info must be of identified/ identifiable (natural) person. The authors submit that in relation to Personal data, Art 4(1) replaces Art 2 of the 1995 Data Protection Directive and as such, they expect much the same issue to arise i.e. what constitutes data as being identifiable or not. Touches on the interpretation of identifiable i.e. ‘means reasonably likely to be used’ (recital 26 GDPR +DPD). Also references the case of Breyer – dynamic IP addresses case. Suggests the predominant factor in deciding whether the GDPR catches blockchain systems is determining if personal data is being used. Highlights that even when data is sufficiently encrypted, it will not disregard the GDPRs scope over blockchain. This is because ‘pseudonymised’ data is still capable of identifying persons when used in conjunction with additional data e.g. exchanges (third parties) require identification of parties so they have access to credit card details and proof of residence. This used in conjunction with encrypted terms would deem that person identifiable. Data Controllers The article suggests that data contollers are essential to the effective distribution of rights and obligations under the GDPR. It is suggested that the controller retains the implementation of several key functions e.g. right to erasure, security breach notifications, system rules and enforcing sanctions. Without a defined controller, these rights would not be able to be enforced. The difficulty with this, in relation to blockchain, is the differing effects of hosting a public or private blockchain. Whilst issues surrounding private blockchains and the GDPR are seemingly solvable (to an extent), the issues surround private blockchain’s compatibility with GDPR seem extensive. It is easier for the controller to be identified in closed networks as these are usually created by private institutions for the internal transfer of assets etc. e.g banks. The article touches on ‘nodes’ as controllers, which it disputes on the basis that no single node can qualify as a controller as effectively, they are interdependent on one another for the whole network to function properly – no single node has effective control of the network. Equally, it submits that the other option, that all nodes are controllers is not the correct interpretation. Problems of identification of nodes arises in both cases, particularly with single nodes as controllers – what happens if the controller cant be identified? Conversely, if all nodes are controllers and even if they could all be identified, how does one enforce it upon hundreds or thousands of users? Privacy by Design Article 25 GDPR sets out the guiding principles for achieving ‘Privacy by Design’. These principles are introduced so as to address privacy concern regarding personal data. Art 25 – requires data controllers to implement effective measures in order to protect these principles (e.g. minimisation, pseudonimisation). The authors seem to think that blockchain systems are unable to comply with the principles stipulated in Art 25. A paradox is evident and requires further interpretation by the EU – on one hand, blockchain features such as ‘never-ending’ storage and a lack of central authority, could go against some of the principles such as data minimisation and accountability. Conversely, these features effectively create the resilient and secure nature of blockchain systems and could be considered to be in line with the Art 25 principles. It is suggested that these problems could be, at least partially, resolved in favour of blockchain compliance with GDPR by the creation of new PbD technology. The article then lists a few ways this could be done: • Eliminating ways of identifying pseudonymised data e.g. by adding ‘noise’ to obfuscate transactions amongst others. • Combining ‘on-chain’ and ‘off-chain’ data solutions i.e. personal data is kept, securely off chain and the purpose of the blockchain is merely to provide the effective link between the transaction and the data kept off chain.

The right to be forgotten: