Cyber Laws : National and International Perspective.
Data protection by design and by default on the blockchain
1. {
Data protection by
design and by default
on the blockchain
TILTing2019 - 17 May 2019
Alexandra Giannopoulou
Blockchain and Society Policy Lab
Institute for Information Law (IViR)
University of Amsterdam
2. Immutability of the blockchain
Transnational processing
Some personal data processing is
essential for the functioning of
blockchains
Dessine-moi une blockchain…
3. Blocks containing transactions
Metadata
Encrypted personal data
Hashed personal data
What do we store on the
distributed ledger?
4. Article 25 GDPR Data protection by design and by default
1. Taking into account the state of the art, the cost of implementation and the nature,
scope, context and purposes of processing as well as the risks of varying likelihood
and severity for rights and freedoms of natural persons posed by the processing, the
controller shall, both at the time of the determination of the means for processing
and at the time of the processing itself, implement appropriate technical and
organisational measures, such as pseudonymisation, which are designed to
implement data-protection principles, such as data minimisation, in an effective
manner and to integrate the necessary safeguards into the processing in order to
meet the requirements of this Regulation and protect the rights of data subjects.
1. The controller shall implement appropriate technical and organisational measures
for ensuring that, by default, only personal data which are necessary for each
specific purpose of the processing are processed. That obligation applies to the
amount of personal data collected, the extent of their processing, the period of their
storage and their accessibility. In particular, such measures shall ensure that by
default personal data are not made accessible without the individual's intervention
to an indefinite number of natural persons.
5. Not at odds conceptually because …
Blockchains and DPbD
Asymmetric encryption is a basic component and essential feature of
blockchains, contributing to giving the technology the value it has today
7. • Where does this awareness stem from?
However…
Crypto (as in encryption not in currency) communities imp
8. • Where does this awareness stem from?
The inherent goal of the PETs is to avoid re-identification of
parties and transactions
However…
Crypto (as in encryption not in currency) communities imp
9. • Where does this awareness stem from?
The inherent goal of the PETs is to avoid re-identification of
parties and transactions
• What about other features of data protection by design?
However…
Crypto (as in encryption not in currency) communities imp
But…
11. Escape the surveillance machine!
Trust the technology’s features but what about user control?
12. Escape the surveillance machine!
Trust the technology’s features but what about user control?
Respect for data protection
principles
Respect for data
subjects’ rights
13. Privacy-enhancing technologies emerging on
the blockchain
Zero-knowledge proof
Ring signatures
Taproot “scriptless scripts”
Which design features? Which standards?
Governance!
Technology to the rescue!
14. Waiting on blockchain case law to form
guidelines and interpretations?
How about liability?
Is there a conciliation
point in sight?
Decentralization is seen as the architectural guarantee of censorship resistance, and a safeguard against the coercive influence of any centralized, top-down force
Multifaceted concept that goes beyond the aspect of confidentiality but that is often constrained within the limits of the pseudonymization goals.
I think it is safe to say that the current privacy enhancing technologies that are being applied in blockchain technologies are mainly a result of the high privacy-awareness of what used to be the crypto community (crypto as in encryption and not as in cryptocurrencies).
PETs have always quite predominantly been used as a means to make information harder to be linked to a natural person and in that sense, they are becoming popular because blockchains attribute a big role in reinforcing encryption techniques and technologies that focus on unlinkability.
So, conceptually, a lot of similarities with the privacy by design broader theoretical context of protection. However, insufficient for the breadth of the data protection by design principles and what they imply.
I think it is safe to say that the current privacy enhancing technologies that are being applied in blockchain technologies are mainly a result of the high privacy-awareness of what used to be the crypto community (crypto as in encryption and not as in cryptocurrencies).
PETs have always quite predominantly been used as a means to make information harder to be linked to a natural person and in that sense, they are becoming popular because blockchains attribute a big role in reinforcing encryption techniques and technologies that focus on unlinkability.
So, conceptually, a lot of similarities with the privacy by design broader theoretical context of protection. However, insufficient for the breadth of the data protection by design principles and what they imply.
I think it is safe to say that the current privacy enhancing technologies that are being applied in blockchain technologies are mainly a result of the high privacy-awareness of what used to be the crypto community (crypto as in encryption and not as in cryptocurrencies).
PETs have always quite predominantly been used as a means to make information harder to be linked to a natural person and in that sense, they are becoming popular because blockchains attribute a big role in reinforcing encryption techniques and technologies that focus on unlinkability.
So, conceptually, a lot of similarities with the privacy by design broader theoretical context of protection. However, insufficient for the breadth of the data protection by design principles and what they imply.
I think it is safe to say that the current privacy enhancing technologies that are being applied in blockchain technologies are mainly a result of the high privacy-awareness of what used to be the crypto community (crypto as in encryption and not as in cryptocurrencies).
PETs have always quite predominantly been used as a means to make information harder to be linked to a natural person and in that sense, they are becoming popular because blockchains attribute a big role in reinforcing encryption techniques and technologies that focus on unlinkability.
So, conceptually, a lot of similarities with the privacy by design broader theoretical context of protection. However, insufficient for the breadth of the data protection by design principles and what they imply.
So the same principles that applied to the former cryptosavvy communities that were trying to develop technology that escape ubiquitous surveillance state mechanisms and technologies deployed by these institutions.
This is a rather good stepping stone in the current highly ambivalent state of comformity of blockchains with data protection law. As it has been illustrated firstly by Michele Finck and by other academics, data protection rules are hard to reconcile within the realm of decentralized technologies. How can the tools available from the PETs be used to contribute to a better comformity with GDPR predominantly.
In that sense, one could say that the blockchain’s reverts to trust in the technology’s ability to protect from reidentification and no on reinforcing the control aspect of individuals.
So the same principles that applied to the former cryptosavvy communities that were trying to develop technology that escape ubiquitous surveillance state mechanisms and technologies deployed by these institutions.
This is a rather good stepping stone in the current highly ambivalent state of comformity of blockchains with data protection law. As it has been illustrated firstly by Michele Finck and by other academics, data protection rules are hard to reconcile within the realm of decentralized technologies. How can the tools available from the PETs be used to contribute to a better comformity with GDPR predominantly.
In that sense, one could say that the blockchain’s reverts to trust in the technology’s ability to protect from reidentification and no on reinforcing the control aspect of individuals.
So the same principles that applied to the former cryptosavvy communities that were trying to develop technology that escape ubiquitous surveillance state mechanisms and technologies deployed by these institutions.
This is a rather good stepping stone in the current highly ambivalent state of comformity of blockchains with data protection law. As it has been illustrated firstly by Michele Finck and by other academics, data protection rules are hard to reconcile within the realm of decentralized technologies. How can the tools available from the PETs be used to contribute to a better comformity with GDPR predominantly.
In that sense, one could say that the blockchain’s reverts to trust in the technology’s ability to protect from reidentification and no on reinforcing the control aspect of individuals.