Axel Beelen takes a look at how blockchain and data protection regulation can be reconciled.
- What is GDPR?
- What are the basic principles of GDPR?
- Can personal data on the blockchain (and thus application of GDPR) be avoided?
- How does data minimisation pitch in?
- How does pseudonymisation pitch in?
- Who has what role in a blockchain setup? controller, joint controller,...
- How would rights of data subjects work?
The context was the second (2019) edition of the Computational Law and Blockchain Festival (#CLBFest), Brussels' node.
2. Axel BEELEN, Data lawyer
2
The GDPR song (82 818
views!!)
https://youtu.be/6i5WuBbf
hss
Talking about Law could be fun
(sometimes)
3. GDPR: MAIN POINTS
25th May 2018
Evolution not a
revolution
A balance between
data protection and
the free movement
of personal data
Extraterritorriality application
(Very) broad definition of personal data and processings
Six principles and six legal grounds
Rights of the data subject (DS)
Obligations towards the data controller (DC) and the data processor (DP)
More powers to the data protection authorities (DPA) & EDPB
HIGH FINES
Axel BEELEN, Data lawyer
3
5. BLOCKCHAINS : A DE FACTO INTERNATIONAL
DISTRIBUTED TRUSTED INFORMATION TECHNOLOGY
Immutability
and
Irreversibility
(append-only
ledger)
Decentralized,
P2P and
Distributed (no
single point of
failure)
Permissioned
(private) or
permissionless
(public)
Can also be
programmed to
trigger
transactions
automatically
(smart
contracts)
Axel BEELEN, Data lawyer
5
6. TENSIONS: HOW THE
GDPR APPLIES TO
ECOSYSTEMS WHERE
THERE IS NO SINGLE,
CENTRALIZED
PLATFORM?
The
identificatio
n and
obligations
of DC and
DP
The
(de)anonymi
sation of
personal
data
Tensions
The exercise
of some data
subject rights
Axel BEELEN, Data lawyer
6
Born to kill
GDPR
7. FOLLOWING MICHÈLE FINCK
“Blockchains are authenticity solutions that do not, in
themselves, provide any privacy guarantees so that
for data sovereignty objectives to be achieved, they
must be combined with additional mechanisms.”
Axel BEELEN, Data lawyer
7
8. IDENTIFICATION AND OBLIGATIONS OF DC AND
DP
Axel BEELEN, Data lawyer
8
Most of the times, DC & DP can
be identified and comply with
their respective obligations
But, there are also cases where it
is difficult, and perhaps
impossible, to identify a DC,
particularly when blockchain
transactions are written by the
DS themselves
9. ANONYMISATION OF PERSONAL DATA
Axel BEELEN, Data lawyer
9
Still no consensus on what it takes to
anonymise personal data to the point
where the resulting output can potentially
be stored in a blockchain network
Deanonymization techniques can unravel
the identities of people involved in
blockchain-based transactions
10. THE EXERCISE OF SOME DATA SUBJECT RIGHTS
Axel BEELEN, Data lawyer
10
If personal data is
recorded in a blockchain
network, it may be
difficult to rectify or
remove it.
Defining what can be
considered erasure in the
context of blockchains is
still under heavy discussion.
11. FOLLOWING MICHÈLE FINCK
“We conclude that public keys as well as the transactional data
stored on blockchains will often qualify as personal data.
Where blockchain use cases are caught by the GDPR, its
various substantive rights come to apply. ”
Axel BEELEN, Data lawyer
11
12. ENFORCING SUBSTANTIVE DATA PROTECTION RIGHTS
ON BLOCKCHAINS
Axel BEELEN, Data lawyer
12
Rights of DS Transactional data Public key
Data
Could be ok if
stored off chain
NOK
Right to
Amendment
Could be ok if
stored off chain
NOK
Right to Access
Could be ok if
stored off chain
NOK
Right to be
Forgotten
Could be ok if
stored off chain
Could be ok if…
Data Protection
Design and Data
Protection by
Default
Could be ok if
stored off chain
Data controller Joint controllers Data processor
The data subject
for a professional
activity the
network users)
Infrastructure layers
- The Blockchain
system - The
Blockchain
consortium
The protocol
developers
The developers Smart contract
developers
The miners
altogether? Likely
no
A Miner
The smart contract
publishers?
Person holding the
private key of a
smart contract
14. RECOMMENDATION 1
Start with the big picture of your project:
how is user value created, how is data
used and do you really need blockchain?
Compliance should be easier on a
permissioned ledger
Axel BEELEN, Data lawyer
14
15. RECOMMENDATION 2
The re-use of the public key enables individuals to be singled out by
reference to their public key
Avoid storing personal data on a blockchain!!
Axel BEELEN, Data lawyer
15
16. RECOMMENDATION 3
Make full use of data obfuscation,
encryption and aggregation
techniques in order to “anonymise”
data.
Collect personal data off-chain
Article 29 Working Party (now
replaced by the European Data
Protection Board) in its Opinion
05/2014:
Threshold for data to qualify as anonymised is very
high
Hashing may still leave some small possibility of a
successful brute force attack (pseudonymous
data).
Axel BEELEN, Data lawyer
16
17. RECOMMENDATION 4
Continue to innovate, and be as clear
and transparent as possible with users
Other projects explore how
blockchain could be used to support
the GDPR (see IBM doc)
Axel BEELEN, Data lawyer
17
Follow the news, innovation is daily and worldwide!
19. Axel BEELEN, Data lawyer
19
Many projects try to be GDPR
“compliant” from the
beginning!
Monero achieves privacy using
Ring Confidential Transactions
and stealth addresses.
Ring signatures add “decoys”
to transactions without
exposing which coins were
really signed, effectively
mixing the coins.
Zcash : based on the Zerocash
protocol design. Zcash uses
shielded addresses to hide
transacting parties and zk-
snarks (a type of zero-
knowledge proof) to hide
transaction amounts.
Second layer
“centralized” privacy
solutions
(Blockstream side
chains)
A “privacy-enhancing and
scalable blockchain
protocol”.
It verifies that all
transactions are valid
without storing the
blockchain’s entire history.
Grin and Beam are its first
two implementations.
Transaction layer
privacy (via wallets
like Breeze,
Samourai and
Wasabi).
Solutions
sometimes focus
on transactional
data, sometimes
on the private
key personal data
issue.
20. FOCUS ON ZERO-KNOWLEDGE PROOF
Zero-knowledge
proof is a concept in
cryptography that
provides many
interesting
applications to
blockchain.
A zero-knowledge proof exists
where a prover A can prove
that he knows information X
to a verifier B without
communicating any other
information to B other than
the fact that A knows X.
Thus, prover A does not have
to share details, such as the
sender’s or recipient’s identity,
with verifier B. Consequently,
zero-knowledge proof
enforces anonymity in
transactions.
Axel BEELEN, Data lawyer
20
21. SPECIFICALLY ABOUT BITCOIN
Axel BEELEN, Data lawyer
21
While Bitcoin can support strong privacy,
many ways of using it are usually not very
private. With proper understanding of the
technology, bitcoin can indeed be used in a
very private and anonymous way.Around 2011 most casual enthusiasts
believed it is totally private; which is also
false. As of 2019 most casual enthusiasts
of bitcoin believe it is perfectly traceable;
this is completely false.
There is some nuance - in certain situations bitcoin
can be very private. But it is not simple to understand,
and it takes some time and reading (a lot of reading!).
https://en.bitcoin.it/wiki/Privacy
22. UPGRADING USERS PRIVACY IS ALSO AN IMPORTANT
TOPIC ON ETHEREUM
Axel BEELEN, Data lawyer
22
At the transaction level,
devs are making their way
into allowing the use
of private
transactions through the
Parity client network.
Following an other path
to privacy, the AZTEC
protocol teams make use
of zero-knowledge proofs
and in particular zk-
SNARKs in their protocol.
The devs at HOPR also
care a lot about privacy.
They think current
encryption in messaging
apps like Whatsapp or
Signal are not enough,
and the messaging app
that they are building not
only encrypts the
message itself, but makes
it hard to know who is
sending that message, the
size of the message, and
the IP addresses involved.
Privacy
23. EVOLUTIONS23
o On deletion and anonymisation (Austria, 5/12/2018) (//UK)
In a case that did not concern a blockchain, the Austrian data protection authority held that
anonymisation does not have to be proven to be perfect forever. It is sufficient that currently
there is no way to reverse it. Speculations on future technological developments do not have
to be taken into account. This anonymisation then equals deletion.
=> 'erasure' does not have to imply that data is literally deleted.
Making data permanently inaccessible without deletion produce the same result.
=> This is a positive move for the use of blockchains where privacy enhancing techniques
like hashing, zero knowledge proofs or encryption is used.
o CJEU (case C-582/14 P. Breyer) on 19 October 2016 relating to dynamic IP addresses:
disproportionate effort
o CNIL (FRANCE) & NAIH (HUNGARY)
24. Axel BEELEN, Data lawyer
24
Despite the plethora of options for enhancing privacy, these are all early stage
technologies (including MimbleWimble, Grin and Beam). Each have their own trade-offs
and, at this point, there is no clear answer to the best approach to privacy in crypto.
25. FOR THE DISCUSSION
Axel BEELEN, Data lawyer
25
But will it be possible to
(totally/partially) adapt
Bitcoin Blockchain?
Or do we have to recreate a total new
GDPRPSD2Mifid2etc. compliant
Blockchain?
• In translating all the laws into the
code
• It will require to allow future law-
technical modifications…
Blockchain can also be used as a
regulatory technology
• Ex: to directly collect VAT when an
economic action is perform
• It will prevent violations before they
even occur
Is it really possible?
Do we really want it?
Where is the flexibility and the humanity in
this algocratic system?
27. SOME DOC
Papers from Michèle FINCK (Max Planck Institute)
CNIL Guideline « Solutions for a responsible use
of the blockchain in the context of personal data”
The EU Blockchain Observatory and Forum Blockchain report
Primavera DE FILIPPI & Aaron WRIGHT: Blockchain and the Law
(The rule of code)
Articles published on Medium, The Verge, Circle, etc.
Axel BEELEN, Data lawyer
27
28. DATA LAWYER
o Axel BEELEN
o Linkedin/Twitter:
@ipnewsbe
o Telegram:
Belgium Blockchain
Belgium GDPR
o Email:
axel.beelen@ipnews.be
o Website: www.ipnews.be
28