
20190316 - CLBFest - GDPR & Blockchain - Axel Beelen



Axel Beelen takes a look at how blockchain and data protection regulation can be reconciled.

- What is GDPR?
- What are the basic principles of GDPR?
- Can personal data on the blockchain (and thus application of GDPR) be avoided?
- How does data minimisation pitch in?
- How does pseudonymisation pitch in?
- Who has what role in a blockchain setup? controller, joint controller,...
- How would rights of data subjects work?

The context was the second (2019) edition of the Computational Law and Blockchain Festival (#CLBFest), Brussels' node.



2. Axel BEELEN, Data lawyer. The GDPR song (82 818 views!!). Talking about law can be fun (sometimes).
3. GDPR: MAIN POINTS
- Applicable since 25 May 2018
- An evolution, not a revolution
- A balance between data protection and the free movement of personal data
- Extraterritorial application
- (Very) broad definitions of personal data and of processing
- Six principles and six legal grounds
- Rights of the data subject (DS)
- Obligations on the data controller (DC) and the data processor (DP)
- More powers for the data protection authorities (DPAs) and the EDPB
- HIGH FINES
5. BLOCKCHAINS: A DE FACTO INTERNATIONAL, DISTRIBUTED, TRUSTED INFORMATION TECHNOLOGY
- Immutability and irreversibility (append-only ledger)
- Decentralized, P2P and distributed (no single point of failure)
- Permissioned (private) or permissionless (public)
- Can also be programmed to trigger transactions automatically (smart contracts)
6. TENSIONS: HOW DOES THE GDPR APPLY TO ECOSYSTEMS WHERE THERE IS NO SINGLE, CENTRALIZED PLATFORM?
- The identification and obligations of the DC and the DP
- The (de)anonymisation of personal data
- The exercise of some data subject rights
(Image caption: "Born to kill GDPR")
7. FOLLOWING MICHÈLE FINCK: “Blockchains are authenticity solutions that do not, in themselves, provide any privacy guarantees so that for data sovereignty objectives to be achieved, they must be combined with additional mechanisms.”
8. IDENTIFICATION AND OBLIGATIONS OF DC AND DP. Most of the time, the DC and the DP can be identified and can comply with their respective obligations. But there are also cases where it is difficult, and perhaps impossible, to identify a DC, particularly when the blockchain transactions are written by the data subjects themselves.
9. ANONYMISATION OF PERSONAL DATA. There is still no consensus on what it takes to anonymise personal data to the point where the resulting output can safely be stored in a blockchain network. Deanonymisation techniques can unravel the identities of the people involved in blockchain-based transactions.
10. THE EXERCISE OF SOME DATA SUBJECT RIGHTS. If personal data is recorded in a blockchain network, it may be difficult to rectify or remove it. Defining what counts as erasure in the context of blockchains is still under heavy discussion.
11. FOLLOWING MICHÈLE FINCK: “We conclude that public keys as well as the transactional data stored on blockchains will often qualify as personal data. Where blockchain use cases are caught by the GDPR, its various substantive rights come to apply.”
12. ENFORCING SUBSTANTIVE DATA PROTECTION RIGHTS ON BLOCKCHAINS

Rights of DS                                  | Transactional data               | Public key
Data                                          | Could be ok if stored off chain  | NOK
Right to amendment                            | Could be ok if stored off chain  | NOK
Right to access                               | Could be ok if stored off chain  | NOK
Right to be forgotten                         | Could be ok if stored off chain  | Could be ok if…
Data protection by design and by default      | Could be ok if stored off chain  |

Who is the data controller, who are joint controllers, who is the data processor? Candidates:
- The data subject (for a professional activity), the network users
- The infrastructure layers: the blockchain system, the blockchain consortium
- The protocol developers, the developers, the smart contract developers
- The miners altogether? Likely no
- A miner
- The smart contract publishers? The person holding the private key of a smart contract
14. RECOMMENDATION 1: Start with the big picture of your project: how is user value created, how is data used, and do you really need a blockchain at all? Compliance should be easier on a permissioned ledger.
15. RECOMMENDATION 2: The re-use of a public key enables individuals to be singled out by reference to that key. Avoid storing personal data on a blockchain!!
16. RECOMMENDATION 3: Make full use of data obfuscation, encryption and aggregation techniques in order to “anonymise” data. Collect personal data off-chain. The Article 29 Working Party (now replaced by the European Data Protection Board), in its Opinion 05/2014: the threshold for data to qualify as anonymised is very high. Hashing may still leave some possibility of a successful brute-force attack, so hashed identifiers are pseudonymous data, not anonymous data.
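Added example (not from the slides): why Recommendation 3's warning about hashing holds in practice, and how it relates to the singling-out problem of Recommendation 2. An unsalted hash of an identifier is deterministic, so anyone who can enumerate plausible inputs recovers it, and the same value recurs in every record of the same person. A keyed hash (HMAC) under a per-subject random key kept off-chain defeats the guess-and-confirm attack; destroying that key leaves the ledger entry in place but unlinkable, which is the "inaccessible rather than deleted" reading of erasure discussed later in the deck. All identifiers, keys, the `OffChainKeyStore` class and the guess list are constructed for this demo and are not part of any real system.

```python
# Added example, not from the slides: bare hash vs keyed hash of an identifier.
# Names, identifiers, keys and "ledger" values are constructed for the demo.
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed attacker guess list. Real identifier spaces (e-mail addresses,
# phone numbers, national ID numbers) are small enough to enumerate in full.
CANDIDATE_EMAILS: List[str] = [
    "alice@example.com", "bob@example.com", "carol@example.com",
    "dave@example.com", "erin@example.com",
]


def naive_pseudonym(identifier: str) -> str:
    """Unsalted SHA-256 of the identifier: deterministic, so anyone who can
    guess the input can confirm it, and the same value recurs in every
    record of the same subject (the singling-out problem)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def brute_force(on_chain_value: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: recompute the unsalted hash for each guess."""
    for guess in candidates:
        if hmac.compare_digest(naive_pseudonym(guess), on_chain_value):
            return guess
    return None


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a per-subject random key that never goes on-chain.
    Without the key, guessing the identifier gives the attacker nothing."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class OffChainKeyStore:
    """The controller's lookup table (assumed off-chain storage). While a key
    exists the on-chain value is still personal data for the controller;
    destroying the key leaves the ledger entry in place but unlinkable."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, identifier: str) -> bytes:
        if identifier not in self._keys:
            self._keys[identifier] = secrets.token_bytes(32)
        return self._keys[identifier]

    def erase(self, identifier: str) -> None:
        """Erasure by key destruction: the on-chain record is untouched."""
        self._keys.pop(identifier, None)

    def resolve(self, on_chain_value: str) -> Optional[str]:
        """Controller-side re-identification, possible only while a key exists."""
        for identifier, key in self._keys.items():
            if hmac.compare_digest(keyed_pseudonym(identifier, key), on_chain_value):
                return identifier
        return None


def demo(subject: str = "alice@example.com") -> Dict[str, Optional[str]]:
    """Run both schemes for one subject and report who can re-identify."""
    store = OffChainKeyStore()
    naive_entry = naive_pseudonym(subject)                          # scheme 1 on-chain value
    keyed_entry = keyed_pseudonym(subject, store.key_for(subject))  # scheme 2 on-chain value
    result: Dict[str, Optional[str]] = {
        "naive_recovered_by_attacker": brute_force(naive_entry, CANDIDATE_EMAILS),
        "keyed_recovered_by_attacker": brute_force(keyed_entry, CANDIDATE_EMAILS),
        "keyed_resolved_by_controller": store.resolve(keyed_entry),
    }
    store.erase(subject)
    result["keyed_resolved_after_key_destruction"] = store.resolve(keyed_entry)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The caveat a practitioner should keep in mind: the keyed scheme is pseudonymisation, not anonymisation, for as long as the controller holds the key, because the controller can still resolve every entry. Whether destroying the key turns the remaining on-chain value into anonymous data is exactly the legal question the Austrian decision cited later in the deck speaks to. A single global key would also reintroduce linkability (the same subject always maps to the same value), which is why the demo uses one key per subject.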
17. RECOMMENDATION 4: Continue to innovate, and be as clear and transparent as possible with users. Other projects explore how blockchain could itself be used to support the GDPR (see the IBM doc). Follow the news: innovation is daily and worldwide!
19. Many projects try to be GDPR “compliant” from the beginning!
- Monero achieves privacy using Ring Confidential Transactions and stealth addresses. Ring signatures add “decoys” to transactions without exposing which coins were really signed, effectively mixing the coins; RingCT hides the amounts and stealth addresses hide the recipient.
- Zcash: based on the Zerocash protocol design. Zcash uses shielded addresses to hide the transacting parties and the amounts, and zk-SNARKs (a type of zero-knowledge proof) to prove that a shielded transaction is valid without revealing them.
- Second-layer “centralized” privacy solutions (Blockstream sidechains).
- MimbleWimble: a “privacy-enhancing and scalable blockchain protocol”. It verifies that all transactions are valid without storing the blockchain’s entire history. Grin and Beam are its first two implementations.
- Transaction-layer privacy (via wallets like Breeze, Samourai and Wasabi).
Solutions sometimes focus on the transactional data, sometimes on the public-key-as-personal-data issue.
20. FOCUS ON ZERO-KNOWLEDGE PROOF. Zero-knowledge proof is a cryptographic concept with many interesting applications to blockchain. In a zero-knowledge proof, a prover A convinces a verifier B that A knows some information X (or that a statement about X is true) without communicating anything to B beyond that fact. Thus prover A does not have to share details, such as the sender’s or recipient’s identity or the amount, with verifier B. Consequently, zero-knowledge proofs can provide anonymity in transactions.
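Added example (not from the slides): the textbook zero-knowledge proof, a Schnorr proof of knowledge of a discrete logarithm. The prover shows it knows x with y = g^x mod p without revealing x; the verifier learns only that the prover knows it. This is the Sigma-protocol building block, not the zk-SNARK machinery used by Zcash or AZTEC, but the three properties the slide relies on are all visible here: a correct prover is accepted, a prover without x is rejected, and a transcript can be simulated without x, so it leaks nothing. The group is derived at import time from a safe prime found by search (demo size only; a deployment would use a 2048-bit or elliptic-curve group), and the proof is made non-interactive with the Fiat-Shamir transform, which is the form a validator or smart contract could check. Every function name and parameter here is this example's own.

```python
# Added example, not from the slides: Schnorr proof of knowledge of a discrete
# log with Fiat-Shamir. Parameters and names are this example's own.
import hashlib
import secrets
from typing import Tuple

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; the bases above are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest p >= start with p = 2q + 1 and both p and q prime."""
    q = (start // 2) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 62)  # modulus (demo size)
Q = (P - 1) // 2              # prime order of the subgroup we work in
G = 4                         # 2^2 is a quadratic residue mod P, hence of order Q


def keygen() -> Tuple[int, int]:
    """Secret x and public y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(y: int, t: int, context: str) -> int:
    """Fiat-Shamir: the challenge is a hash of the public values and a context
    string (for instance the transaction the proof authorises)."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}|{context}".encode("utf-8")).digest()
    return int.from_bytes(h, "big") % Q


def prove(x: int, y: int, context: str = "") -> Tuple[int, int]:
    """Prover: commit to a fresh nonce r, derive the challenge, answer it.
    The answer s = r + c*x hides x because r is uniform and used once."""
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    c = _challenge(y, t, context)
    s = (r + c * x) % Q
    return t, s


def verify(y: int, proof: Tuple[int, int], context: str = "") -> bool:
    """Verifier: G^s == t * y^c (mod P) holds only if the prover knew x."""
    t, s = proof
    if not (1 < y < P and 1 < t < P and 0 <= s < Q):
        return False
    c = _challenge(y, t, context)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def simulate(y: int, c: int) -> Tuple[int, int, int]:
    """Why it is zero-knowledge: knowing the challenge in advance, anyone can
    build an accepting transcript (t, c, s) without x, so transcripts alone
    carry no information about x."""
    c %= Q
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P  # y^(Q-c) == y^(-c) because y^Q == 1
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("valid proof accepted:", verify(y, prove(x, y, "tx:1"), "tx:1"))
    print("same proof, other context rejected:", verify(y, prove(x, y, "tx:1"), "tx:2"))
```

Binding the challenge to a context string is what turns this proof into a Schnorr signature over that context; binding it to nothing lets a proof be replayed. The simulator only works when the challenge is known before the commitment, which is why a real verifier (or the hash, in the non-interactive form) must fix the challenge after seeing t.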
21. SPECIFICALLY ABOUT BITCOIN. While Bitcoin can support strong privacy, many ways of using it are usually not very private. With a proper understanding of the technology, Bitcoin can indeed be used in a very private and anonymous way. Around 2011 most casual enthusiasts believed it was totally private; that was false. As of 2019 most casual enthusiasts of Bitcoin believe it is perfectly traceable; this is also false. There is some nuance: in certain situations Bitcoin can be very private. But it is not simple to understand, and it takes some time and reading (a lot of reading!).
22. UPGRADING USERS’ PRIVACY IS ALSO AN IMPORTANT TOPIC ON ETHEREUM. At the transaction level, devs are working on allowing private transactions through the Parity client network. Following another path to privacy, the AZTEC protocol team makes use of zero-knowledge proofs, and in particular zk-SNARKs, in their protocol. The devs at HOPR also care a lot about privacy. They think the current encryption in messaging apps like WhatsApp or Signal is not enough, and the messaging app they are building not only encrypts the message itself but also makes it hard to know who is sending the message, the size of the message, and the IP addresses involved.
23. EVOLUTIONS
- On deletion and anonymisation (Austria, 5/12/2018) (cf. UK): in a case that did not concern a blockchain, the Austrian data protection authority held that anonymisation does not have to be proven to be perfect forever. It is sufficient that there is currently no way to reverse it; speculation about future technological developments does not have to be taken into account. Such anonymisation then equals deletion.
  => “Erasure” does not have to mean that data is literally deleted. Making data permanently inaccessible without deleting it produces the same result.
  => This is a positive move for the use of blockchains where privacy-enhancing techniques like hashing, zero-knowledge proofs or encryption are used.
- CJEU (case C-582/14, Breyer) of 19 October 2016, on dynamic IP addresses: the “disproportionate effort” test for whether someone is identifiable.
- CNIL (France) and NAIH (Hungary)
24. Despite the plethora of options for enhancing privacy, these are all early-stage technologies (including MimbleWimble, Grin and Beam). Each has its own trade-offs and, at this point, there is no clear answer to the best approach to privacy in crypto.
25. FOR THE DISCUSSION
- Will it be possible to (totally or partially) adapt the Bitcoin blockchain? Or do we have to create an entirely new GDPR/PSD2/MiFID 2/etc. compliant blockchain?
  • It means translating all the laws into code
  • It will require allowing future legal and technical modifications…
- Blockchain can also be used as a regulatory technology
  • e.g. to collect VAT directly when an economic action is performed
  • it would prevent violations before they even occur
- Is it really possible? Do we really want it? Where is the flexibility and the humanity in this algocratic system?
27. SOME DOC
- Papers by Michèle FINCK (Max Planck Institute)
- CNIL guideline “Solutions for a responsible use of the blockchain in the context of personal data”
- The EU Blockchain Observatory and Forum blockchain report
- Primavera DE FILIPPI & Aaron WRIGHT: Blockchain and the Law (The Rule of Code)
- Articles published on Medium, The Verge, Circle, etc.
28. DATA LAWYER
- Axel BEELEN
- LinkedIn/Twitter: @ipnewsbe
- Telegram: Belgium Blockchain, Belgium GDPR
- Email:
- Website: