Will Europe aim for Digital (self sovereign) Identity?

Cris C.
6 min read · Nov 14, 2017

Last week, the Spanish Government approved the draft bill for the new national Data Protection Law. It did so following the publication of the GDPR in the EU Official Journal in May 2016; the GDPR will come into force on May 25, 2018.

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.

Although the main principles of data privacy remain in this new regulation, many changes have been introduced, and a new legal framework is about to be established.

An official figure: the EU-28 accounts for around 15% of the world’s trade in goods. Boosting ecommerce in the EU, a recent European economic policy, aims to erase those limitations (like geoblocking) that may stop ecommerce growth in the eurozone. On top of that, the European ecommerce report for 2017 shows markets growing at an average 30% pace. So it’s reasonable to believe that Europe is currently, alongside the United States and Asia, one of the most attractive markets, and the fact that the GDPR has increased its territorial scope is one big concern.

This new regulatory framework will apply not only to data processing carried out by organisations operating within the EU, but also to organisations outside the EU which offer goods or services to individuals in the eurozone, which is, more or less, every company operating through ecommerce in the world. Regardless of size or resources, compliance with the GDPR seems pretty much necessary.

We must take into account that in the last three years, authorities have imposed severe penalties for data protection infringements: Facebook had to pay 1.2 million euros for not informing users in a lawful way (using vague expressions, etc.), and Google was fined 900,000 euros for not being explicit enough about the purposes for which personal data was to be processed. So, if the scope of this new regulation has not impressed you, then have a look at the penalty system: up to 4% of annual global turnover or €20 Million (whichever is greater) is the maximum fine that can be imposed for the most serious infringements.

Now, given that the GDPR will very much apply to any potential e-trader, there are new principles which are quite interesting. Interesting from my own, Blockchain-biased point of view, at least. I’ve been defending the marriage between data protection compliance and Blockchain for a while now, and the more time I spend reading and working in this field, the more convinced I am about the potential benefits that decentralized technologies (public Blockchains) can bring to this space.

Overall, in general terms, companies covered by the GDPR will be more accountable for their handling of people’s personal information, and these are (in my opinion) the biggest changes:

PRIVACY BY DESIGN

At its core, privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an afterthought. More specifically — ‘The controller shall […] implement appropriate technical and organisational measures […] in an effective way […] in order to meet the requirements of this Regulation and protect the rights of data subjects’ (article 23).

It is a fact that decentralized technologies, strictly applied, avoid and erase the traditional “honey pots” of users’ personal data that centralized companies like Google have been holding.

DATA PORTABILITY

The GDPR introduces data portability — the right of a data subject to receive the personal data concerning them which they have previously provided, and the right to transmit that data to another controller. Data controllers, the GDPR sets forth, should be encouraged to develop interoperable formats that enable data portability (article 20).

Would projects such as uPort enable secure data portability via personal identity profiles that grant or deny access depending only on the user’s decision?

OK: it doesn’t remove the need for trust in third parties; instead, users choose the third parties they want to trust. But even that is quite a step forward.

RIGHT TO BE FORGOTTEN

A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. (Article 17 — right to erasure).

I’ve had several discussions with legal colleagues about whether Blockchain can be used for data protection matters at all, given that it does not allow data erasure to be executed. As we know, one of Blockchain’s intrinsic characteristics is immutability — once data is embedded, it cannot be altered without that amendment being approved by the other nodes in the network. That’s a fact. Erasing data from a block would result in countless forks, so we can just forget about it.

But then again, could we make use of permissioned blockchains, private nodes or DLTs? Furthermore, even though I’m aware that the GDPR talks about “erasing” data, could we reach a point where the European Court of Human Rights, judging a specific case, ruled that, for instance, erasing the keys that grant access to some piece of data in a Smart Contract would still be in accordance with the regulation? This would suit both Blockchain technology and GDPR compliance.
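The two points above (data on a chain cannot be altered, but access to it can be revoked by destroying a key) are easier to reason about with a concrete model. The following is an added example, not code from the original post or from any of the projects it mentions: personal data is encrypted with a per-subject key before it is appended to a hash-chained, append-only ledger, and “erasure” deletes the key while the ledger stays untouched and still verifies. The cipher is a stand-in built from HMAC-SHA256 in counter mode so that the example runs on the Python standard library alone; a real deployment would use an authenticated cipher such as AES-GCM. All class and function names (`Ledger`, `Controller`, `erase_subject`) are hypothetical.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (assumption: stand-in for AES-GCM).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def decrypt(key: bytes, rec: dict) -> bytes:
    nonce, ct = bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("integrity check failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Ledger:
    """Append-only list of blocks, each committing to the previous block's hash."""
    blocks: list = field(default_factory=list)

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})
        return len(self.blocks) - 1

    def verify(self) -> bool:
        # Any change to a stored payload breaks the chain from that block onward.
        prev = "0" * 64
        for b in self.blocks:
            body = json.dumps(b["payload"], sort_keys=True)
            if b["prev"] != prev or b["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = b["hash"]
        return True


class Controller:
    """Data controller: keeps subject keys off-chain, writes only ciphertext on-chain."""

    def __init__(self):
        self.ledger = Ledger()
        self.keys = {}  # subject_id -> key; this is the only thing erasure touches

    def store(self, subject_id: str, data: dict) -> int:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        rec = encrypt(key, json.dumps(data, sort_keys=True).encode())
        rec["subject"] = subject_id
        return self.ledger.append(rec)

    def read(self, index: int):
        rec = self.ledger.blocks[index]["payload"]
        key = self.keys.get(rec["subject"])
        if key is None:
            return None  # key destroyed: ciphertext remains but is unreadable
        return json.loads(decrypt(key, rec))

    def erase_subject(self, subject_id: str) -> None:
        # Crypto-shredding: honour an erasure request without rewriting the ledger.
        self.keys.pop(subject_id, None)


if __name__ == "__main__":
    c = Controller()
    # Constructed sample record for one data subject.
    idx = c.store("subject-42", {"name": "Example Person", "email": "person@example.org"})
    print("before erasure:", c.read(idx))
    c.erase_subject("subject-42")
    print("after erasure:", c.read(idx), "| ledger intact:", c.ledger.verify())
```

Whether destroying the key counts as “erasure” in the legal sense is exactly the open question the paragraph above raises; what the model shows is the technical side of it, namely that the ledger is never modified, the chain still verifies after the request, and the data is unrecoverable only for as long as no copy of the key survives elsewhere (backups and key escrow defeat the whole scheme).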

And last, but not least, I believe Accenture’s editable Blockchain will surely include a function to enable data erasure in a practical, convenient way. And even though I’m a great open source believer, that would mean a hell of a business opportunity.

DIGITAL SELF-SOVEREIGN IDENTITY

Christopher Allen wrote about Self-Sovereign Identity, addressing the following challenge: the ability of digital identity to enable trust while preserving individual privacy. Self-sovereignty can be thought of as “a concept where the individual has ultimate control over their identity and is the final arbiter of who can access and use their data and personal information” — John Lilic (ConsenSys). In other words: owning and controlling one’s own data.


If we take a look at the GDPR, we can sense a strong will of user empowerment: portability, the right to be forgotten, consent for data processing. At the same time, blockchain is becoming a mainstream technology, not only in newborn sectors (like decentralized software protocols) but in traditional ones too (DLTs and the banking sector). Is it, then, weird to think that higher standards regarding data protection and blockchain usage are a natural symbiosis?


Cris C.

Lawyer, living in crypto, working with the Law. Revolution will be legal by design. Not a cat! (@CarrascosaCris_)