GDPR and DLT: Whose data is it?

Brave New Coin    2018-06-19 17:00:00

The introduction of the General Data Protection Regulation in Europe raises some critical questions about Distributed Ledger Technology. At the top of the list: Does GDPR really apply to DLT, and is it even enforceable?

There has certainly been plenty of discussion about blockchain and cryptocurrencies over the past several years, covering things such as investment safety and whether they are actually currencies. But the introduction of the General Data Protection Regulation in Europe has raised some unanswered questions about the foundation technology for all this, Distributed Ledger Technology.

The DLT Approach to Data

There is no shortage of definitions of how DLT works, but we can use this one:

“Distributed ledger technology (DLT) is a digital system for recording the transaction of assets in which the transactions and their details are recorded in multiple places at the same time. Unlike traditional databases, distributed ledgers have no central data store or administration functionality. In a distributed ledger, each node processes and verifies every item, thereby generating a record of each item and creating a consensus on each item's veracity. A distributed ledger can be used to record static data, such as a registry, and dynamic data, i.e., transactions.”

According to the UK Government Chief Scientific Adviser:

“[D]istributed ledgers are inherently harder to attack because instead of a single database, there are multiple shared copies of the same database, so a cyber-attack would have to attack all the copies simultaneously to be successful. ... But this is not to say that distributed ledgers are invulnerable to cyber-attack, because in principle anyone who can find a way to ‘legitimately’ modify one copy will modify all copies of the ledger. So ensuring the security of distributed ledgers is an important task and part of the general challenge of ensuring the security of the digital infrastructure on which modern societies now depend.”

This is indicative of most of the discussion of the vulnerabilities of DLT, in that it focuses on the technology’s resistance to altering a data record. Because there are many copies of a single record, all presumably protected by encryption and keys, the general conclusion is that it is very hard to modify all the records at once. What is not so clear is what happens if one or more of the records is out of sync with other records of the same transaction.

In that case, is there some foolproof way to determine which record(s) prevail, and which are assumed to be false? Or do we face the situation where, since we don’t have agreement between all the nodes, we freeze the record until we can resolve the disparity? Think about that event in a highly volatile market, for example. And we have already seen multiple instances of nefarious behavior in the cryptocurrency space, so we should already be aware of the possibility of hacking DLT data.

The GDPR Approach to Data

The GDPR views this data as something of an asset, which appears to be owned by some person, either natural or institutional. Although the rule itself never mentions data ownership, the obligations owed to data subjects by controllers and processors (C/Ps) are exactly the same as if the subjects owned the data. The subjects can instruct the C/Ps what to do with the data (within boundaries) and the C/Ps have the same obligations of care and protection as if the data had monetary value. Given that each record of a transaction must contain data components identifying the parties, it appears clear that any DLT records of transactions done by EU natural persons are subject to the GDPR. Since the nature of DLT is to have multiple (perhaps hundreds of) records of every transaction, there will, by that logic, be up to hundreds of copies of personal data regulated by GDPR.

But what does GDPR say that is applicable to DLT data? A lot, as it turns out. To begin with, Article 5 requires that the data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

GDPR differentiates between the responsibilities of data controllers and processors. It says in Article 4 that a controller “determines the purposes and means of the processing of personal data,” while a processor “processes personal data on behalf of the controller.” So, one of the GDPR questions regarding DLT is: Which of the nodes would be construed to be a controller, and which would be processors? Since GDPR says that the controller is responsible to the data subject for the actions of the processor, presumably whoever introduces the transaction into the DLT is the controller – and is responsible to the data subject for the processors.

Then, Article 14 requires:

  • Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
  • (a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
  • (b) the contact details of the data protection officer, where applicable;
  • (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • (d) the categories of personal data concerned;
  • (e) the recipients or categories of recipients of the personal data, if any;
  • (f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation. (emphasis added)

Of course, the GDPR has multiple opt-outs, such as:

  • Paragraphs 1 to 4 shall not apply where and insofar as:
  • the provision of such information proves impossible or would involve a disproportionate effort.

For DLT, is each node that is not a controller deemed to be acting as the controller’s representative? Assuming that each node does not receive the personal data from the subject, do these requirements apply to every instance of the data? What constitutes disproportionate effort?

In addition, Article 34 says, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” This refers to a breach at any processor and must be reported by the controller. In other words, for every piece of data in the DLT subject to GDPR, one node will be designated as the controller; all other nodes will be processors. Thus, we presume that the processors owe certain levels of safety and reporting to the controller, and the controller owes that level of safety and reporting to the subject.

Questions to Be Answered

Obviously, there are several larger questions that need to be answered at the intersection of DLT and GDPR.

  1. Does GDPR really apply to DLT? On its face, the answer seems obviously yes. Nothing in the GDPR language exempts any particular kind of data or processing structure. But the structure of DLT appears to make the GDPR requirements fiendishly difficult to implement. In all likelihood, ESMA and/or the EC will have to issue a specific finding about this question.
  2. If GDPR doesn’t apply to DLT, what protections do DLT data subjects have against breaches? The whole purpose of GDPR was to afford data subjects specific protections against loss or misuse of their personal data. If GDPR is deemed not applicable to DLT, does that mean that some entity’s unilateral decision to adopt DLT in a particular business case means that its customers have de facto given up GDPR protection without knowing it?
  3. If GDPR does apply, which nodes are construed to be controllers, and which are processors? Is it as simple as who originated the transaction? How would the processor nodes know which node is the controller for each transaction? What is the mechanism for communication of: 1) controller identity, where data has been passed from one node to another, and 2) breach notification? Can the data subject hold the controller legally responsible for the actions of a processor node in the DLT?
  4. Does this mean that, in some cases, GDPR is essentially unenforceable? If the data structure of DLT means that portions of GDPR are unenforceable, or perhaps inapplicable, we may have a situation where natural persons have some data protection in one area and much less in another. If so, will service vendors have to inform data subjects that GDPR applies in this situation, but not in that one? If DLT becomes the structure of choice throughout the financial markets, will GDPR simply fade away?

Regulators have a reputation, perhaps well-earned, of effectively preventing the last problem they faced, but not necessarily the next one. DLT, at least as it is manifested in the financial markets, appears to have its own set of unknowns, and whether or not regulation will, at some point, have to address those, it is already pretty clear that GDPR isn’t structured to do that.
