Privacy Talk with Dr. Matthias Artzt, Senior Legal Counsel at Deutsche Bank AG: What is the technical solution to mitigate the data protection risk on blockchain?
This interview is talking about data transfer and blockchain law.
Kohei is having great time discussing with privacy regulation with Dr. Matthias Artzt.
This interview outline:
- What does Transfer Impact Assessment require the BCR companies?
- Why does adequacy devisions guarantee safeguard?
- What is the tension of blockchain under data protection regulation?
- What is the technical solution to mitigate the data protection risk on blockchain?
- Message to listeners
My next question is about in relation to the SCC. Some of the companies tried to choose the BCR, Binding Corporate Rules. The few of the Japanese companies have tried to do that as well, but thing is, BCR is also a requirement of the TIA, transfer impact assessments. So how does it actually work from the European perspective?
- What does Transfer Impact Assessment require the BCR companies?
Matthias: It’s a very good question. And it’s a tricky one as well. In my practice many large companies have established Binding Corporate Rules.
The question arises whether a Transfer Impact Assessment is applicable to BCR: It is clearly the position of the EDPB that Schrems II applies to BCRs as well.
That means that companies that transfer personal data originating from the EU under the BCRs may need to perform a transfer impact assessment and put in place additional safeguards in the same manner as companies that are relying on Standard Contractual Clauses for their data transfers.
This potentially undermines one of the key reasons why companies opt for BCRs in the first place, namely, to create a transcontinental zone within their organization. However, companies relying on BCRs even if they are approved, may need to perform a case-by-case risk analysis of the particular cross-border data flow.
Kohei: I see, yeah, it’s very challenging. The company even got approved that they have to need additional requirements to prove this protecting consumer, so that it’s important notice for the companies to work for this challenging situations.
I also very interesting theme about the adequacy decisions, especially in between the Europe and Japan has been adequacies treaty right now. I was reading the guidelines of the EDPB which is also the requirements whether in bilateral data transferring whether they have the adequacy baseline in each of them.
So when it comes to the what is the consideration the specific all data transfers from Europe to Japan based on the adequacy requirements?
- Why does adequacy devisions guarantee safeguard?
Matthias: Yeah. When I was talking about the third country data transfer, I was only referring to countries in third countries without having adequacy decision.
So the European Commission has launched a series of adequacy decisions, for Canada and most recently South Korea and for Japan as well, which dates back to 2019. When determining adequacy for Japan the European Commission also factored in the APPI, which has been subject to some overhauls over the last years APPI stands for Act on the protection of personal information.
You have a very strong data protection authority in Japan which was also vital for granting adequacy. Interestingly, data exporters based in Japan must adhere to similar rues when transferring personal data of EU individuals outside Japan.
It is worth to note that there is a treaty between EU and Japan in place which came into effect in Feb 2019 and which stipulates additional guarantees in order to safeguard EU personal data which is being transferred to Japan.
In a nutshell, if European companies want to transfer EU personal data from the EU to Japan, you don’t need to put in place the standard contractual clauses because Japan has received adequacy. Onward transfers from Japan to other countries outside Japan follow their own rules, with a view to the APPI and applicable treaties. So that’s not a big thing to transmit personal data from the EU to Japan.
Kohei: I think it’s very important to the trusted each of the safeguard level is in the same, especially the country level this it’s a very big advantage for the enterprise. is not just to to to take care of any big costs in the burdens to prove that they are in a safeguard, that’s a very great advantage in between Europe and in Japan.
So we have to continue through the wolk in on the the protections issues against of the intrusion, the some of the consumer rights. It’s very important issues right this moment.
Matthias: Japan is the safe country and there’s no need to put in place the standard contractual clauses. Second, this is the most important thing, you don´t have to conduct a transfer impact assessment. It goes the same route when it comes to transferring personal data from Germany to France, so you only have to put in place a data protection agreement.
Kohei: Awesome. So, the next topic is a different angle that’s I’ve been working at the blockchain space, it almost three and four years so far. On the last session we came on together, there was the topics of the blockchain and GDPR that is very important.
We try to partitioning in such as the word, Web3 of the new trend that we are trying to chase in the how the technology migrated into the real scene in especially the data space. So the next question about the GDPR on a blockchain. So what are the tensions between data protection of blockchain technology in this moment?
- What is the tension of blockchain under data protection regulation?
Matthias: Enforcement of data subject rights is cumbersome in practice:
First of all, there is the right to access data written onto the blockchain.
The problem is: In a public blockchain a controller, once identified, is factually unable to access data submitted to the blockchain since the data is typically encrypted or hashed. That makes it impossible to determine whether the related data is personal or not and whether the data relates to the individual who is raising the data access request.
The most prominent issue is the right to modify or delete data.
At first glance, it is impossible to alter or delete personal data once submitted to the blockchain due to the immutability of information submitted to the ledger. That is the key feature of blockchain that what is on the ledger it remains there.
We will see in a little while that this is not the end of the story and there is one technique which renders those requests GDPR-compliant. That technique is a walk around to enable controllers to comply with the right to erasure, better known as the right to be forgotten.
Another war zone between GDPR and blockchain is the limited number of legally defined roles. GDPR has predefined roles such as controller, processor, joint controller. That does not match the various tasks associated to blockchain players alike oracles, users, developers, wallets, governance bodies. In a — public and I want to stress public — blockchain context, it’s not an easy thing to identify a controller.
Many players have a role to play which is not always in line with the definition laid down in the GDPR. Not everybody who is operating in a blockchain environment can be deemed as a controller. Chances are that this operator belongs to the blockchain network only.
With that, you have to crack on the factual circumstances case-by-case in order to determine what the related participant in a blockchain environment is actually doing and whether his operation can be associated to either a controller role or processor role under the regime of the GDPR.
And this is what I elaborated on in greater detail in the Handbook of Blockchain Law which I have co-authored and edited in 2020.
And again: One of the key features of blockchain is that all information written one the ledger is immutable. This clashes with the principles of data minimization and purpose limitation, the latter is the backbone of all advanced data privacy regimes round the globe.
What does this mean in the blockchain context? The blockchain continuously processes personal data by storing it. Please note that storing is a processing activity. The issue becomes critical when personal data which has been submitted to the blockchain is not needed any more. I call it legacy data. That issue becomes relevant once a processing activity which involves personal data has been completed.
For example, customer complaint management via blockchain. Once the complaint of an individual has been settled, there is no need to keep that data onto the blockchain any more. But you cannot take that set of data off due to the immutability of all information written on the blockchain.
Same applies to the data minimization given the ever-growing nature of data bases and its replication in a blockchain network where each node stores a full copy of the data.
This is something which you have to thoroughly assess in the case you want to leverage a blockchain solution for your particular business case. You should consider what should be done or must be done with personal data which is not needed any more.
The issue boils down to treating the so called legacy data. Hashing or encryption is a great measure but you should note that hashing or encrypting personal data does not convert personal data to non-personal data.
Kohei: Yeah, I totally agree then. It’s crushing the decentralized data has the technically issues at this moment. That is not easy to overcome then just choosing any other solutions. It’s essentially decentralized the mindset has been conflicting between centralized rules. So there is a lot of the challenge for the blockchain people but as well as the regulatory signs to solve the issues, or the new technical developments
In terms of the clears of this issues in this moment, so what is the solution? What is the technical choice to to mitigate the data protection risk in this technical thing?
- What is the technical solution to mitigate the data protection risk on blockchain?
Matthias: Good question. I think there are a couple of things you should consider. First, you may leverage smart contracts: its algorithm may determine what volume of data is being stored in order to ensure data minimization; smart contracts may help execute data subject right requests of individuals who envisage to access their data or get them deleted.
For example: access requests must be considered as an event outside the blockchain. Oracles transmit those access requests to the blockchain and, subsequently, smart contract algorithms execute the request by decrypting data and providing the relevant information to the data subject concerned.
Second, hashing out is the most powerful technique if you do it in that order: Take legacy data from the blockchain and store it off-chain, anywhere outside the blockchain, for example in an excel sheet.
Then put an hash value as a placeholder onto the chain; then delete the legacy or reference data which you have transmitted off-chain onto the excel sheet. As a consequence, the hash value becomes a random string without any meaning.
It is worth to note that it is NOT possible to reverse engineer the legacy or reference data from the hash. Deleting the off-chain data from the external data base has a huge impact on the hash value itself which then converts into non-personal data.
That is the only way to comply with data deletion request. It is definitely complicated. But it is technically feasible. And it showcases that the statement that the blockchain technology is not in sync with data privacy principles is not entirely true.
However, to be compliant, necessitates that you have to crack on workaround by implementing hashing out techniques or leverage a smart contract algorithm.
This may help companies leverage blockchain solutions when processing personal data. This also falls into the realm of another key data protection principle, privacy by design.
Kohei: Awesome Yeah. That’s a very challenging a lot of things we have to be considered and in advance to take the choice of the blockchain technology. It was very easier in technical evolves in the market, but right now it’s an in conflict in between the real worlds, the based on the data protection regulations, as well as the some of the new regulation, such as ePrivacy such as the DSA, DMA.
A lot of regulations are coming into the European space that could be the conflicts in between new technical seen, but we have to consider to make a flourish over the new technical returns through of that. So there was a very great insight from your experience the Matthias there was a very being inspired for me.
So lastly, I’d like to ask you about the message to the listeners who want to know about the European perspective, what is the requirements in the data protection scene in this year or for the next decades and we are trying to change the mindset, not just to using a personal data but we have to take in balances, the protections and usages. So how we can do that?
- Message to listeners
Matthias: Yeah, I think it is very important to take data protection very seriously. Not only with regards to the very heavy sanctions regime. It can create a market advantage if you treat personal data in a legal and transparent manner, particularly by implementing privacy by design in order to reduce the impact on the rights of individuals as much as possible.
You can accomplish this goal by using pseudonymization or encryption measures from the outset. I think there will be no company which can afford to be incompliant and to be too sloppy when operating with personal data.
The GDPR is certainly a game changer. Alongside the GDPR the Schrems II requirements set out in the landmark ruling of the European Court of Justice are of utmost importance for companies which NOW have to take care of the data being transferred to third country service providers.
Putting the right clauses in place is not gonna be a paper exercise any more. Companies have to do much more than incorporating the Standard Contractual Clauses.
They have to assess and weight the risk exposure of the particular data transfer and, most importantly, document their risk analysis accordingly. Companies know that transmitting personal data to third country importers is most likely slippery ground and requires them to carry out a risk assessment. If you fail to do so and to safeguard the data flow they will be on the hook and face heavy sanctions similar to anti-trust penalties.
Since last year the data privacy world looks differently and they have to do more opposed to what they have done in the past. My advice is to take these risks associated with cross-border data transfers very seriously.
Kohei: Brilliant, it was very important as you mentioned that the company has to think in considerations before it is started data business the privacy first that’s gonna be the game changing right now then they have to invest in this scene.
And also we have to collaborate to cooperate together to make them more protective. The environments to put the customers will be uses can be in safe can be protected. That is our mission to commitment to prove that futures of the data society. So thank you for Matthias then coming today then having a great talks this times.I’m very appreciated it.
Matthias: It was a pleasure for me talking with you and sharing some insights.
Kohei: Awesome.
Matthias: Thank you.
Kohei: Thanks a lot.
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
