This guest post by Laura E. Jehl was co-written by Robert A. Musiala Jr. and Stephanie Malaska of BakerHostetler. Views expressed are those of the authors and do not necessarily reflect those of BakerHostetler or its clients.

This year, we are witnessing the convergence, and perhaps the collision, of two powerful new forces in data privacy: the European Union General Data Protection Regulation (GDPR) and the emergence of blockchain-based privacy solutions. As blockchain technology companies continue to build new solutions, here are five key takeaways they should keep in mind regarding the GDPR.

Personal Data

The GDPR applies to “personal data,” which is defined as “any information relating to an identified or identifiable natural person (‘data subject’).” A “data subject” is a “natural person … who can be identified … by reference to an identifier … specific to the … cultural or social identity of that natural person.” Moreover, personal data explicitly includes “online identifier[s],” including IP addresses.

Takeaway #1: Essentially, almost any piece of information that can help in learning something about someone is likely to be considered personal data.

Under the GDPR, personal data even includes data that has undergone “pseudonymization,” meaning that the data has been processed such that it “can no longer be attributed to a specific data subject without the use of additional information.” Encryption is considered to be a highly effective method of pseudonymization, and “public keys” on a blockchain that are associated with off-chain personal data are also likely to be considered “pseudonymized.” While the GDPR favors encrypting data to achieve pseudonymization, that encryption alone does not remove the underlying data from the definition of personal data and, therefore, does not serve to avoid GDPR requirements.

Takeaway #2: If personal data stored off-chain can easily be linked to a public key used in a blockchain solution, the public key is very likely to be considered data that has achieved a state of pseudonymization but is still regulated as personal data subject to the GDPR.

Where personal data has been pseudonymized and the additional information needed to attribute the data to a natural person is “not available,” the GDPR indicates that the data may be considered “anonymous information” or “rendered anonymous.” Because the GDPR only regulates personal data, anything considered anonymous is thus exempt from the GDPR, which “does not … concern the processing of such anonymous information ….” This provision suggests a path to bring blockchain solutions into conformity with the GDPR: If the blockchain architecture is designed such that public keys fit within the definition of anonymous information — by ensuring that any off-chain personal data is securely encrypted, and decryption is not available to enable re-association with the public key — processing of public keys may be exempt from the GDPR’s requirements, including the right of erasure.

Takeaway #3: Preserving the ability to have public keys deemed anonymous under the GDPR is arguably the most critical issue of concern for any company leveraging blockchain technology and dealing with personal data.

Controller vs. Processor

Entities subject to the GDPR have different obligations based on whether they are deemed a “Controller” or a “Processor” of personal data. Generally, a Controller “determines the purposes and means of the processing of personal data,” while a Processor “processes personal data on behalf of the controller.” The determination of whether an entity acts as a Controller or a Processor is activity-specific, not entity-specific.
This means that, in different contexts, the same entity may be deemed a Controller, a Processor, or both a Controller and a Processor. Controllers, as the entities determining the means and purposes of the processing, have significantly more obligations under the GDPR than do Processors. Most importantly, Controllers have the responsibility for implementing requests from individuals who want their personal data deleted, amended or transferred.

Takeaway #4: Companies leveraging blockchain technology should design their systems so that they avoid determining how and why data is processed, and thus avoid being deemed a data Controller.

The Rights of Data Subjects and the Lawful Basis of Processing Data

The GDPR gives data subjects a number of rights with respect to Controllers of their data. Chief among these are the rights to data portability (i.e., the right to take your data with you), rectification (i.e., the right to amend any incorrect data) and erasure (i.e., the right to be forgotten). Generally, these rights can be exercised at the request of the data subject, although there are exceptions to some rights in certain cases, such as when the data is being processed or retained pursuant to a legal obligation. The obligations of data Controllers to facilitate data subjects’ rights vary based on the lawful basis under which the data is processed. The processing of EU personal data must be supported by one of six legal bases, according to the purpose of the processing. These bases are:

Consent. Consent by the data subject to one or more specific purposes.
Contract. Necessary for the performance of a contract.
Legal Obligation. Necessary for compliance with a legal obligation to which the data Controller is subject.
Public Interest. Necessary for the performance of a task carried out in the public interest.
Vital Interests. Necessary for the protection of the vital interests of the data subject.
Legitimate Interests. Necessary for the legitimate interests of the Controller or a third party, unless overridden by the fundamental rights and freedoms of the data subject.

Because consent may be withdrawn at any time, requiring deletion of any personal data collected on the basis of that consent, it is not an advisable or reliable basis for processing personal data that will be entered onto a blockchain. Similarly, while personal data may be collected and processed pursuant to the performance of a contract, if that contract is terminated or expires, the lawful basis for processing ends and the data must be deleted. On the other hand, data collected to comply with a legal obligation is likely exempt from the right of erasure.

Takeaway #5: Understanding the applicable lawful basis or bases for processing data — especially any applicable limitations or exceptions to data subject rights under that basis — and designing your system accordingly are critical to building GDPR-compliant blockchain solutions.

Avoiding a Collision

Ultimately, whether these two forces are on a collision course has yet to be determined. Avoiding a collision will require some favorable interpretations by EU regulators to ensure that the GDPR does not deprive the EU and EU data subjects of the benefits offered by blockchain technology. A determination by EU officials that public keys used in properly designed blockchain solutions do not themselves constitute personal data would go a long way toward reconciling blockchain technology with the GDPR.
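One way to realise the architecture sketched under Takeaway #3, as an added example that is not part of the original article: personal data lives off-chain under a per-subject key, the chain holds only the public key, and an erasure request is honoured by destroying that key (a pattern often called crypto-shredding), after which the on-chain key can no longer be re-associated with anyone. The `OffChainStore`, the `CHAIN` ledger, the `pk_alice_demo` identifier and the SHA-256 keystream stand-in for a real cipher are all constructed for this illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode) so the example runs on the
    # standard library alone; a real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))  # XOR is symmetric
    return bytes(out)


@dataclass
class OffChainStore:
    # Constructed off-chain store: ciphertext and decryption key are held
    # separately, both indexed by the public key that appears on the chain.
    ciphertexts: dict = field(default_factory=dict)  # pubkey -> (nonce, ct)
    keys: dict = field(default_factory=dict)         # pubkey -> per-subject key

    def store(self, pubkey: str, personal_data: bytes) -> None:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self.ciphertexts[pubkey] = (nonce, _xor_keystream(key, nonce, personal_data))
        self.keys[pubkey] = key

    def resolve(self, pubkey: str):
        # Linking the public key back to a person needs the key, i.e. the GDPR's
        # "additional information"; without it the ciphertext identifies nobody.
        if pubkey not in self.keys or pubkey not in self.ciphertexts:
            return None
        nonce, ct = self.ciphertexts[pubkey]
        return _xor_keystream(self.keys[pubkey], nonce, ct)

    def erase(self, pubkey: str) -> None:
        # Erasure request: destroy the key. The ciphertext and the immutable
        # on-chain record remain, but neither can identify anyone any more.
        self.keys.pop(pubkey, None)


CHAIN: list = []  # constructed append-only ledger; entries are never removed

def record_on_chain(pubkey: str, payload: str) -> None:
    CHAIN.append({"pubkey": pubkey, "payload": payload})

def is_personal_data(store: OffChainStore, pubkey: str) -> bool:
    # The on-chain public key is (pseudonymised) personal data only while the
    # off-chain store can still link it back to a natural person.
    return store.resolve(pubkey) is not None
```

The code demonstrates only the technical property that the link is gone; whether regulators accept that as satisfying the right of erasure is the open question the article describes.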
Even if such a determination is made, users of blockchain solutions should monitor whether technological developments, particularly in data storage or encryption, would affect or change such a determination. At this critical moment, it is imperative that blockchain businesses understand the GDPR’s framework and take a proactive stance, developing technologies and legal positions that carefully account for the GDPR’s requirements.

As these two powerful forces continue to emerge and take effect, EU regulators and blockchain technologists alike would do well to remember that the GDPR and blockchain-based solutions share many fundamental goals, such as the right of individuals to control their own data and the minimization of data sharing. To demonstrate the compatibility of blockchains and the GDPR, these principles should be leveraged to the greatest extent possible in blockchain solution architectures.

The Final Word: With the right technical architecture and legal analysis, companies can harness the benefits of a blockchain while ensuring that data stored on a blockchain is compliant with GDPR requirements.

The views expressed in this article are those of the authors and not necessarily those of BTC Inc. or Bitcoin Magazine.
This article originally appeared on Bitcoin Magazine.