Analysis: Legal issues of blockchain within the framework of the EU's General Data Protection Regulation (GDPR)

Author: Luo Tao

Editor's Note: The original title was "Legal Issues of Blockchain under the GDPR Framework"

 

The digital wave is sweeping the globe, and more and more enterprises are using technology to completely change the performance or tentacles of enterprises. Data, as the foundation of digital transformation, is essential for enterprises. According to the survey, in the global data breach incidents, industries with a high incidence of violations: retail accounted for 16.7%; finance and insurance accounted for 13.1%; medical institutions accounted for 11.9%. (Trustwave Global Security Report 2018). These industries are the pioneers of digital transformation. Development and risk coexist, and the protection of data in the digital process has become a top priority for enterprises.

• About 42% of Bitcoin has not had any on-chain transactions in the past 2 years, or has become an important driving force for the rise in the price of coins
• Beware of replay attacks! PoC2 + Hard Fork Upgrade Risk Tips
• Xiaomi establishes industry-finance big data company to continue expanding blockchain and other businesses

The Cybersecurity Law of the People's Republic of China, which came into effect on June 1, 2017, emphasizes the protection of infrastructure and personal information. The "Information Security Technology Personal Information Security Specification" implemented on May 1, 2018, from the level of national standards, clarified the compliance requirements for enterprises to collect, use and share personal information, and specified the privacy policy and personal information management specifications for enterprises direction. The EU's General Data Protection Regulation GDPR, which came into effect on May 25, 2018, has been called the "strictest ever" regulation in the European Union, and has already had a huge impact:

• Google and Facebook, respectively, received European Union fines of € 3.9 billion and € 3.7 billion on the effective date of the GDPR. Apple, Amazon, LinkedIn and other companies also face lawsuits from privacy regulators.
• After the GDPR came into effect, the Chicago Times, Los Angeles Times and many other US media sites in Europe shut down their servers.
• Many Internet companies such as WeChat Overseas and Sina Weibo International have updated their privacy policies to users in Europe and requested reauthorization. QQ stopped some international version services and will launch a new version to prompt users to upgrade. Both Air China and China Eastern have updated the privacy terms of their APP and official website.
• Haier and Huawei have already hired a dedicated team to deal with the new regulations.

Applicability

The GDPR applies not only to organizations located within the European Union, but also to organizations outside the European Union that provide goods or services to or monitor their data to EU data subjects. That is, as long as an organization processes and stores the personal data of data subjects residing in the European Union, regardless of where the company is located, it will be subject to GDPR.

2. Data related parties

• Data subject: A subject that enjoys data rights. The natural person pointed to by personal data is the data subject.
• Controller: An obligatory subject refers to a natural person, legal person, or other group who, alone or with others, determines the purpose and method of processing personal data
• Data processor (processor): an obligatory subject, representing a controller, a natural person, legal person, or other organization that processes personal data
• Third party: refers to other parties without any authorization to the "Personal Data"

3. Personal data definition

"Any information that points to an identified or identifiable natural person", for example: basic identity information: name, address and ID number …

Network data: location, IP address, cookie data and RFID tags …

Healthcare and genetic data; biometric data such as fingerprints, irises, etc .; ethnic or ethnic data; political opinions; sexual orientation.

4. Data processing definition

"Means any action performed on personal data or collections of personal data"

5. Data processing principles

Ensuring data security throughout the data life cycle

• Data collection: The collection purpose is clear and legal, and the data subject agrees to authorize
• Data processing: The processing process is legal, transparent, and guaranteed
• Storage: safe and confidential, storage period is strictly limited

6. Data subject rights

● Right of permission ● Right of access ● Right of correction ● Right to restrict processing

● Right to object ● Right to portability ● Right to be forgotten ● Right to inform

It can be seen that the "personal data" protected by the GDPR includes any relevant information that can be identified directly or indirectly by reference to an identifier. In addition, GDPR's protection of the rights of data subjects is also very strict, not only stipulating that data subjects have rights such as "data forgotten rights" and "data portability rights", but also stipulating that those responsible for violating GDPR may face the highest risks. High fines of 4% of global annual turnover.

The distributed data storage method of the blockchain makes it impossible to delete the saved data effectively. It seems that it has irreconcilable conflicts and contradictions with the right to be forgotten about personal data. Although Article 17 (2) of the GDPR stipulates that when the data subject requests the deletion of his personal data, the data control subject should consider the technology of the data deletion and the cost of implementation, take reasonable steps (including technical means), and notify The data subject, but whether the technical characteristics of distributed storage that cannot be tampered with can be a reason for not complying with the GDPR, it is still an open question.

In addition, GDPR and the blockchain also have conflicts on the subject of data protection responsibility.

It is generally possible to distinguish who is responsible for the protection of personal data on the private chain, but it is not reasonable to use the nodes on the chain as the responsible body for personal data protection in a completely decentralized public chain. Due to the restrictions of its background, the GDPR has shown a certain lag in the face of technological development. The lack of consideration of distributed data storage is not included in the GDPR legal framework to clearly regulate it. In practice, problems such as the applicability of laws will inevitably arise.

However, it is impossible to delete the data on the blockchain. Does it mean that the blockchain is not compatible with GDPR?

We think it can be analyzed from the following perspectives:

1. From the perspective of the purpose, the effect of deleting data is to prevent the data controller from collecting, recording, organizing, storing, modifying, using, disclosing or disseminating the data through the actions of deletion and destruction. Or indirectly identify the purpose of the subject of the right. In other words, if a certain technology can be used to make the recorded data fail to identify the subject of rights and constitute personal data under certain circumstances, the same effect of deleting data can be achieved.

As far as current blockchain technology is concerned, zero-knowledge proofs combined with smart contracts are expected to achieve data anonymity, and there are also opinions that it is possible to technically respond to the modification and deletion of personal data through a layered architecture or data off-chain.

2. From the perspective of the counterparty to the right, the decision of the data controller needs to be clarified. The controller determines the purpose and method of processing personal data, who is the controller of the personal data in the blockchain, and also an important factor to be considered by the data rights subject when exercising the right to be forgotten. Under the blockchain distributed system, blockchain companies can be controllers, miners can be controllers, and even consumers can be controllers. In the case of changing controllers, blockchain technology can play a good auxiliary role and help protect data.

It can be seen that blockchain and GDPR are not antithetical. From the point of view, both parties are working hard to achieve social trust and data protection. Blockchain technology can help achieve access authorization for subdivided data through encryption keys, and can also provide a basis for the sharing and migration of personal data. GDPR targets data, while blockchain targets technology. Therefore, even in a distributed blockchain application scenario, as long as the content of data information is involved, it may be included in the scope of GDPR adaptation. On the other hand, due to the extensive characteristics of blockchain application scenarios, compared to the single protection of GDPR, the applicability of the two in specific data application scenarios also needs specific cases to be practiced and explored.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!