GDPR Michèle Finck Max Planck Institute for Innovation & - - PowerPoint PPT Presentation



SLIDE 1

BLOCKCHAINS AND THE GDPR

Michèle Finck, Max Planck Institute for Innovation & University of Oxford

SLIDE 2

THE GDPR

• General Data Protection Regulation
• Dual objective: (i) facilitate the free movement of personal data in the EU; and (ii) give data subjects more control over their personal data
• Designed for data silos (GAFA platforms)
• Presumption of what a database is: central collection, storage and processing of data

SLIDE 3

BLOCKCHAINS AS A DATABASE

• Decentralized collection, storage and processing of data on public, permissionless blockchains
• Decentralized collection: everyone can add data
• Decentralized processing: transactions are processed by miners / validators
• Decentralized storage: nodes store data

SLIDE 4

GDPR: SCOPE OF APPLICATION

Where data is anonymous, the GDPR does not apply; where it is pseudonymous, the GDPR does apply!!

Anonymous data: where personal data (PD) has been processed to ‘irreversibly prevent identification’.

PD is ‘any information relating to an identified or identifiable natural person’ (aka the ‘data subject’).

An identifiable natural person is a person that can be ‘identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

SLIDE 5

PERSONAL DATA ON A BLOCKCHAIN

• Transactional data
  Transactions, messages etc.
• Public keys
  Personal identifiers on a blockchain

SLIDE 6

IS BLOCKCHAIN DATA PERSONAL DATA?

Data can be stored on a blockchain in three different manners:

• In plain text (impracticable, expensive, rare)
  PD remains PD
• In encrypted form (can be reversed, linked with other identifiers)
  Encryption is a two-way function, data can be unlocked: mere pseudonymous data = personal data
• Hashed to the blockchain (cannot be reverse-engineered)
  Nonetheless PD due to linkability (esp. where input values are known)

Personal data added to a blockchain remains personal data; the GDPR applies.
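The linkability point about hashed data, as an added example that is not part of the original slides: it shows why an unsalted hash of a known identifier stays linkable and matchable, and compares a keyed hash. All names, the sample identifiers and the key are constructed for illustration.

```python
import hashlib
import hmac

def onchain_digest(identifier: str) -> str:
    """Unsalted SHA-256 of an identifier, as it might be 'hashed to the blockchain'."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def keyed_digest(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 with a secret key held off-chain (an assumed design)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

def linked_entries(ledger):
    """Linkability: equal digests reveal that entries share the same input."""
    groups = {}
    for tx_id, digest in ledger:
        groups.setdefault(digest, []).append(tx_id)
    return sorted(txs for txs in groups.values() if len(txs) > 1)

def matches_known_inputs(ledger, known_inputs, digest_fn=onchain_digest):
    """Known input values: recompute their digests and compare with the ledger."""
    lookup = {digest_fn(value): value for value in known_inputs}
    return {tx_id: lookup[d] for tx_id, d in ledger if d in lookup}

# Constructed sample data: identifiers a party already holds, and ledger entries.
KNOWN = ["alice@example.org", "bob@example.org", "carol@example.org"]
ENTRIES = [("tx1", "alice@example.org"), ("tx2", "bob@example.org"),
           ("tx3", "alice@example.org")]
KEY = b"constructed-demo-key"  # placeholder value, not a real secret

PLAIN_LEDGER = [(tx, onchain_digest(v)) for tx, v in ENTRIES]
KEYED_LEDGER = [(tx, keyed_digest(v, KEY)) for tx, v in ENTRIES]

if __name__ == "__main__":
    print("plain, linked:     ", linked_entries(PLAIN_LEDGER))
    print("plain, matched:    ", matches_known_inputs(PLAIN_LEDGER, KNOWN))
    print("keyed, matched:    ", matches_known_inputs(KEYED_LEDGER, KNOWN))
    print("keyed, linked:     ", linked_entries(KEYED_LEDGER))
    with_key = lambda v: keyed_digest(v, KEY)
    print("keyed, key holder: ", matches_known_inputs(KEYED_LEDGER, KNOWN, with_key))
```

The keyed digest stops a party without the key from recomputing digests, but entries with the same input still share a digest and the key holder can still match them, so the data remains pseudonymous rather than anonymous.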

SLIDE 7

APPLYING THE GDPR TO BLOCKCHAINS

• Difficult determination of who is subject to obligations inherent to GDPR
• Prohibition of extra-EU processing of data
• GDPR obligation of data minimization
• GDPR right to amendment of personal data
• GDPR right of erasure (the ‘right to be forgotten’)

SLIDE 8

CONSEQUENCES

• Most if not all blockchains are currently incompatible with the GDPR
• Blockchain as an immature technology
• Greater techno-legal interoperability in the future?

SLIDE 9

THANK YOU!

michele.finck@ip.mpg.de
@finck_m