EU-GDPR And Facebook's Libra – (No) Match In Heaven?
Did Facebook understand the challenges EU-GDPR imposes for blockchain technology?
Cryptocurrencies are becoming increasingly important. Now, the social media giant Facebook intends to bring its own cryptocurrency, Libra, to the market. It has now been one year since the General Data Protection Regulation of the European Union (hereafter GDPR) came into effect. This regulation aims to strengthen privacy and personal data protection in the EU countries by giving private persons more control over their data. At first glance, some GDPR provisions seem to be in direct conflict with the fundamentals of blockchain technology, which may even be intrinsically incompatible with what the new GDPR rules seek to uphold.
Special Features Of The Libra Project
In addition to the most well-known cryptocurrency, Bitcoin, there are currently more than 2000 cryptocurrencies with a total market capitalization of more than 300 billion US dollars. What special features will the new cryptocurrency Libra bring with it?
According to the prognosis of the Frankfurt Blockchain Center, there is the possibility that the new cryptocurrency Libra could become one of the top 3 cryptocurrencies overnight. It can be assumed that Libra would quickly reach a market capitalization of $250 billion in the first quarter of 2020, depending on the assumptions made. It would also make Libra a major short-term buyer of government bonds, as Libra would have to buy large-scale financial assets such as government bonds to ensure Libra token coverage.
This predicted strength of the stablecoin Libra is due to Libra running on its proprietary and scalable Libra blockchain, backed by a reserve of assets. The reserve gives the stablecoin its intrinsic value and also mitigates volatility. These assets consist of a basket of bank deposits and short-term government securities, which are held in the Libra Reserve for each Libra issued.
The new cryptocurrency will be led by a non-profit Swiss consortium called the Libra Association. The founding members of the consortium are Mastercard, PayPal, Visa, Stripe, eBay, Coinbase, Andreessen Horowitz, and Uber.
Like other cryptocurrencies, Libra is based on its own blockchain, the Libra Blockchain. To address a global audience, the Libra Blockchain is implemented as open-source software. Its real peculiarity is that it initially operates as a blockchain requiring approval (permissioned) and subsequently becomes a non-approval (permissionless) blockchain. It has been designed so that anyone can build on it and billions of people can rely on it for their financial affairs. Blockchains are either subject to approval or approval-free, depending on who can run a validator node. In a blockchain requiring authorization, a license must be granted to operate a validator node. In a license-free blockchain, anyone who meets the technical requirements can run a validator node. In the future, the Libra network will be a non-approval blockchain to ensure that Libra is genuinely open and always operated in the best interests of its users.
Move is a new programming language for implementing custom transaction logic and so-called smart contracts in the Libra Blockchain. As Libra is to be used by millions of people one day, safety is a top priority in the design of Move. The design of Move draws on lessons from past security incidents with smart contracts. The language is designed to make it easier to write code that meets the author's intentions, reducing the risk of unintentional bugs and security incidents. In particular, Move is designed so that no assets can be cloned. Move enables "resource types" that limit digital assets to the same properties as physical assets: a resource has only one owner, it can only be used once, and the creation of new resources is limited. Move also makes it easier to prove automatically that transactions have specific properties, for example that a payment only changes the account balances of the payer and the recipient. By prioritizing these properties, Move contributes to the security of the Libra Blockchain. Because the development of critical transaction code becomes easier, Move can safely implement the governance policies of the Libra ecosystem (for example, the management of the Libra currency and the network of validator nodes). Move accelerates the future development of the Libra Blockchain Protocol and all the financial innovations that are developed with it. Over time, developers are expected to be allowed to create contracts themselves, in order to support the development and validation of Move.
To store transactions safely, data in the Libra Blockchain is protected by hash trees, data structures that are also used by other blockchains and that detect any change to existing data.
Another technical peculiarity of this new blockchain is that, unlike earlier blockchains, which are built as a collection of transaction blocks, it is a single data structure that tracks the history of transactions and states over time.
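The change-detection property of hash trees described above, shown as an added example that is not Libra's own code: a small hash tree over a constructed transaction history, in which overwriting a single record (as an erasure would require) no longer matches the root that validators already hold. SHA-256, the record format, the addresses and all function names are assumptions made for illustration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _leaf_hashes(records):
    # 0x00/0x01 prefixes keep leaf hashes and inner-node hashes distinct.
    return [_h(b"\x00" + r) for r in records]

def _next_level(level):
    nxt = [_h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])  # an unpaired node is promoted unchanged
    return nxt

def merkle_root(records):
    level = _leaf_hashes(records)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(records, index):
    """Sibling hashes on the path from records[index] up to the root."""
    level, proof = _leaf_hashes(records), []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((sibling < index, level[sibling]))
        level, index = _next_level(level), index // 2
    return proof

def verify(record, proof, root):
    node = _h(b"\x00" + record)
    for sibling_is_left, sibling in proof:
        node = _h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node == root

# Constructed sample history; addresses are made-up pseudonyms.
HISTORY = [b"addr_a1->addr_b7:10", b"addr_b7->addr_c3:4", b"addr_c3->addr_a1:1"]

def erase_and_check(history, index):
    """Overwrite one record, then check it against the root validators already hold."""
    root = merkle_root(history)
    proof = inclusion_proof(history, index)
    altered = history[:index] + [b"[erased]"] + history[index + 1:]
    return {"original_verifies": verify(history[index], proof, root),
            "altered_verifies": verify(altered[index], proof, root),
            "root_changed": merkle_root(altered) != root}

print(erase_and_check(HISTORY, 1))
```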
Libra Project In Tension With Privacy
Since the middle of last year, the GDPR, which guarantees the right to erasure in Art. 17, has applied in the EU member states. For blockchain, the most controversial GDPR mandate is the “right to be forgotten” under Article 17, which gives individuals the right to request that their data be removed from a record. Because of the decentralized character of immutable blockchains, however, data cannot be deleted. Blockchains are designed to last forever. That puts blockchain in direct opposition to the GDPR. The new European data protection law raises several questions, in particular about the compatibility of the GDPR with the essential feature of blockchain, which practically forgets nothing. Under the current state of the law, the relationship between this provision and the actual nature of the blockchain, which stores operations without gaps, is classified as critical. At this time, there is no case law on this topic. In addition to the GDPR, Regulation (EU) 2018/1807 provides a framework for the free flow of non-personal data in the European Union. According to the legislature, it aims to have the free movement of data other than personal data better implemented at Union level, since this objective cannot be sufficiently achieved by the Member States because of its scope and effects.
Facebook is addressing the data protection challenges with Calibra, a new digital wallet that consumers can use to send, save or spend Libra. According to the developers, Calibra should not share account information or financial information with Facebook, Inc., or other third parties without the customer’s consent. Only a few exceptions are allowed. For example, Calibra customer account information and financial data are not used to improve the targeting of the Facebook, Inc. family of products. The exceptions mentioned above are designed to comply with laws and to provide users with basic functionality. Calibra uses the data of Facebook, Inc. to comply with regulations, protect customers' accounts, minimize risks and prevent criminal activities.
According to the developers, pseudonyms should be possible in the Libra Blockchain. Users can use one or more addresses that are not related to their offline identity. Many users, developers, and regulators are familiar with this approach. The Libra Association will oversee the future development of the Libra Blockchain Protocol and Network and continue to explore new techniques that improve data protection within the blockchain, taking into account concerns about feasibility and scalability, as well as regulatory implications.
The possibility of introducing pseudonyms corresponds to the approach taken in the legal literature on the possible compatibility of the essence of blockchain with the GDPR. This approach rests on modifying the right to erasure (Article 17 GDPR) into a right to pseudonymization (Scholtka/Kneuper: Lokale Energiemärkte auf Basis der Blockchain-Technologie, in: IR 2019, 17 (20)).
Despite the planned progress on the possibility of using pseudonyms in the Libra Blockchain, experts in the field of data protection and computer science are expressing legitimate data protection concerns. If Facebook operates a node in the Libra network that validates transactions, it must, technically speaking, have access to transactional data. This raises the question of whether the personal data that are still circulating are protected by European law. It is, of course, conceivable that Facebook does not use the data otherwise. However, from a technical point of view, Facebook has the option of looking at data volumes. Furthermore, there is a danger that data protection concerns may become dependent on the goodwill of Facebook. The data protection officers want to exclude even a limited possible dependency.
Much more complex in this context is the possibility that creating an in-house cryptocurrency opens up for Facebook. It concerns Facebook's monitoring capabilities: if the transaction data are systematically evaluated, Facebook's already enormous monitoring capabilities will become even greater. There is also the possibility that Facebook overcomes the last hurdle to complete knowledge about its users if it also receives information about their payment behavior through the node.
As already mentioned, basically every blockchain technology conflicts with the regulations of the GDPR. Again, there are questions about the person responsible in the system of the Libra Blockchain and their obligations under the GDPR. The Libra Blockchain will transform by operating first as an admission-restricted and then as a non-admission blockchain. In line with the view in the legal literature, in the case of the non-admission blockchain and measured by the GDPR's yardstick, each node that carries out a transaction (and thus distributes information to all other nodes) and/or enters a hash in its copy of the blockchain is a person responsible. It has a purpose of its own: participation in the network. It collects, records, arranges and stores personal data, discloses it if necessary, and can freely dispose of the data stored on its behalf. However, the achievement of the objectives of the GDPR is possible in the case of an admission-restricted blockchain. Relevant for this purpose are the legal analysis of the right to erasure as expressed in Article 17 and the possibility of restricting the right to erasure with regard to the protection objectives in Art. 23 GDPR. The GDPR already permits Member States de lege lata to repeal the right to erasure by resorting to the protection objectives set out in Article 23. Article 23 in conjunction with recital No. 73 of the GDPR confers on the Member States, in particular, the right to allow derogations from the rights of the interested parties for “keeping public registers for reasons of general public interest”. This opening clause can be used for many state blockchain applications. In comparison to classic server solutions, a blockchain basically opens up a significantly higher potential for preventing manipulation of the data structure.
Insofar as the benefits so obtainable outweigh the personal interests involved, this may justify a restriction of the right to erasure by the Member States (Martini/Weinzierl: Die Blockchain-Technologie und das Recht auf Vergessenwerden, in NVwZ 2017, 1251 (1256 f.)).
This raises a legitimate question. If the Libra Blockchain goes through its transformation into a free blockchain, would it then meet the requirements of the GDPR? Legal and technical questions meet here. The technical particularity of this blockchain, which already allows pseudonymization, means that the GDPR regulations may not be applicable if traceability is excluded from the beginning and thus no space for personal data is opened (compare: Bechtolf/Vogt: „Datenschutz in der Blockchain – Eine Frage der Technik“ in ZD 2018, 66 (69 f.)).
Conclusion And Outlook
In addition to the problems that blockchain technology creates for privacy law, it holds unimagined potential for implementing the data protection principle of privacy by design. This principle is now explicitly set out in Article 25 GDPR. It stipulates that the person responsible takes appropriate technical and organizational measures to implement data protection principles, such as data minimization, effectively, to comply with the requirements of the GDPR and to protect the rights of data subjects.
Today, consumers with internet access can use various useful services inexpensively or free of charge, from contact with families and friends to information sharing and start-ups. But when consumers want to send, save, or spend money, it gets complicated. Financial services are still inaccessible to many people worldwide. Nearly half of all adults worldwide do not have a bank account. This number is even higher when considering developing countries or women. The costs of this type of exclusion are high: nearly 70 percent of small enterprises in developing countries have no access to credit, and migrants lose $25 million in transfer fees each year.
The social media giant pursues the goal of establishing extensive transaction possibilities worldwide. The new technology and the wallet Calibra will be equipped with a robust mechanism to protect money and data. Calibra also uses the same verification and anti-fraud devices used by banks and credit cards. In addition, automated systems proactively monitor activities to detect and prevent fraudulent behavior. Users will also receive live chat support if, for example, they have lost their phone or forgotten their password. However, if a third party gains access to a user account and the user loses Libra, Calibra offers a refund.
It remains to be seen whether the predicted result will be achieved and whether blockchain technology can thus be used for further applications.