
Impact of Emerging Technologies on EU Data Protection Law
Explore the impact of emergent technologies, specifically Distributed Ledger Technology (DLT) like blockchain, on the formulation of EU data protection laws. This case study delves into the challenges and opportunities presented by technologies such as Big Data, Cloud Computing, and DLT on data protection regulations, with a focus on the legal and technological perspectives of blockchain.
Presentation Transcript
The Impact of Emergent Technologies on the Formulation of EU Data Protection Law: A Case Study of Distributed Ledger Technology
Zihao Li, PhD Candidate in CREATe, School of Law
Table of Contents
1. Introduction: The impact of emerging technologies on data protection (DP) law; Why choose blockchain as a special case study?
2. What is blockchain and what is its impact on DP law? Definition in technology and law; The positive and negative sides of blockchain from a data protection perspective; A bottom-up data protection regime; A personal data free flow regime.
3. How to take advantage of DLT and mitigate its disadvantages in the context of GDPR? Legal guidance in data protection law; Code of conduct and certificate; Privacy by design and by default.
Introduction
Although data protection law is a new type of law that has developed in recent decades and is intended to regulate the information society, the development of emerging technologies has brought great challenges, and also opportunities, to data protection (DP) law. For example, Big Data, Cloud Computing and Distributed Ledger Technology (blockchain) challenge, to different extents, the legal concepts, scope and enforcement of DP law (e.g. the dichotomy of data controller/processor, the right to be forgotten, portability, etc.).
Why choose blockchain as a special case study?
Blockchain is a new kind of data-storage mechanism; there is both hype and innovation. In order to better regulate and adapt to such an emerging technology, it is important to investigate what blockchain really means from a legal and a technical perspective. As regards the formulation of data protection law, blockchain not only breaks the current rules but also brings new opportunities as a Privacy-Enhancing Technology (PET). So it is also worthwhile to explore the relationship between DLT and DP law.
What is the definition of blockchain in Law?
It is important to clarify the definition of blockchain for lawyers. Otherwise, it may lead to misunderstanding. However, there is no general definition, but there are some examples. State of Arizona, USA bill HB2417 defines blockchain technology as follows: "Blockchain technology" means distributed ledger technology that uses a distributed, decentralized, shared, and replicated ledger, which may be public or private, permissioned or permissionless, or driven by tokenized crypto economics or tokenless. The data on the ledger is protected with cryptography, is immutable and auditable, and provides an uncensored truth. (highlight added)
What is blockchain and why does it work?
Technically, blockchain and similar distributed ledger technology (DLT) is not a new technology. It is a combination of several existing technologies. Technically, DLT is a digital database that is shared and synchronized, maintained through a consensus algorithm and stored on multiple nodes. It incorporates asymmetric encryption, hash functions and a P2P network. Essentially, DLT intends to accomplish through replication. There are frequently numerous points gathering data to support these types of databases. Inside the chain, every node, in theory, stores an integral copy of the database and can update the database.
What can blockchain bring for data protection?
Positive: DLT can be designed as a data governance tool to achieve the objectives of data protection law, so-called "code as law". Blockchain could establish a symmetrical information platform without third-party endorsement to establish new trust. Blockchains can be designed to enable data-sharing without the need for a central trusted intermediary, and they offer transparency as to who has accessed data, for which reason and on which legal basis. Data integrity and security will be guaranteed. It could give individuals control over their data and let them know what happens to it, and it is traceable.
Negative: Blockchain may be hard to make compliant with GDPR. In a DLT-based database there are a variety of nodes and actors involved, so how should the data controller or processor be specifically defined? Who should enforce the rights claimed by the data subject? Given the technological nature of DLT, how can the rights stipulated in GDPR be implemented, e.g. the right to be forgotten and the right to rectification?
Users' rights and GDPR's mechanism in DLT
Right to be Forgotten: the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(i) personal data are no longer necessary […]
(ii) the data subject withdraws consent […]
(iii) data subject objects to the processing […]
(iv) the personal data have been unlawfully processed;
(v) personal data have to be erased for compliance with a legal obligation in other law
(vi) personal data have been collected in relation to the offer of information society services
Right to Rectification: "The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement." (Art. 16 GDPR)
Why is it tough to implement under DLT?
DLTs are append-only, tamper-resistant ledgers, which means that data integrity can be ensured but existing data is harder to modify and delete, for the following reasons:
In the context of a DLT-based database, data subjects cannot easily identify any or all of the data related to themselves on a DLT's full nodes. Thus, ascertaining a mistake could become harder than before.
Pursuant to Article 19 of GDPR, the data controller must notify each recipient of the data. However, due to the number of nodes, this responsibility seems impossible to fulfil under DLT.
How can modification and rectification be achieved? Because DLT is an append-only database, any deletion or rectification could be tough. Even if some of the nodes accept a change, the rectification cannot be recognised if the majority of nodes did not change the data.
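The append-only property described above, as an added illustration that is not part of the original presentation: a toy hash-chained ledger showing that an in-place rectification fails verification, and that a re-hashed rectification held by a minority of nodes is not the chain the network recognises. The record format, function names and the simple node-majority rule are assumptions made for this example; real DLTs use more elaborate consensus.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64
# Constructed sample records; block 0 contains a misspelling to be rectified.
RECORDS = ["alice: city=Glasow", "bob: city=Paris", "carol: city=Rome"]

def block_hash(index, prev_hash, data):
    payload = json.dumps([index, prev_hash, data]).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Index of the first block that fails verification, or None if valid."""
    prev = GENESIS
    for b in chain:
        recomputed = block_hash(b["index"], b["prev"], b["data"])
        if b["prev"] != prev or b["hash"] != recomputed:
            return b["index"]
        prev = b["hash"]
    return None

def rectify_in_place(chain, index, new_data):
    """Naive rectification: overwrite the record, leave the hashes alone."""
    copy = [dict(b) for b in chain]
    copy[index]["data"] = new_data
    return copy

def rectify_and_rehash(chain, index, new_data):
    """Rewrite the record and recompute every hash from that block on."""
    records = [b["data"] for b in chain]
    records[index] = new_data
    return build_chain(records)

def network_head(nodes):
    """Tip hash held by a strict majority of nodes (assumed rule), or None."""
    tip, votes = Counter(n[-1]["hash"] for n in nodes).most_common(1)[0]
    return tip if votes > len(nodes) / 2 else None

def demo():
    original = build_chain(RECORDS)
    naive = rectify_in_place(original, 0, "alice: city=Glasgow")
    rehashed = rectify_and_rehash(original, 0, "alice: city=Glasgow")
    nodes = [original] * 3 + [rehashed] * 2   # only 2 of 5 nodes accept the fix
    return {"naive_breaks_at": first_invalid_block(naive),
            "rehashed_valid": first_invalid_block(rehashed) is None,
            "tips_differ": rehashed[-1]["hash"] != original[-1]["hash"],
            "network_keeps_original": network_head(nodes) == original[-1]["hash"]}

if __name__ == "__main__":
    print(demo())
```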
Uncertainty of Legal Concepts and Principles
Who is the Data Controller: Due to the storage mechanism in DLTs, every node could store the data of the ledger partially or wholly. The number of nodes is very large, and they may even be spread all over the world. Thus, how should the notions of controller (joint controllers) and processor in GDPR be decided? It may also cause jurisdiction issues.
Data Minimization: as one of the principles of GDPR (Article 5 (1)(b) GDPR), this is supposed to limit data storage and usage in order to secure personal data. In the context of DLT, data are replicated to achieve transparency and integrity. If a new element is added to a DLT database, it will remain on the chain permanently. It is a growing database, which increases with each additional block and accumulates more data.
A Bottom-up Data Protection Regime
MyHealthMyData, EU Horizon 2020: the project uses blockchain technology to create a medical application where data subjects/patients can allow, refuse and withdraw access to their data according to different cases of potential use.
BeepTrace, University of Glasgow: an effective contact tracing solution to cope with the outbreak of the COVID-19 pandemic. This research presents a blockchain-enabled privacy-preserving contact tracing scheme, in which the authors propose to adopt blockchain to bridge the user/patient and the authorized solvers in order to desensitize the user ID and location information. Compared with traditional contact tracing solutions, this approach offers higher security and is more privacy-friendly.
Therefore, such a design could provide data subjects with more control over their personal data. Once the rights to access and to object are guaranteed, users can determine for themselves how, where, by whom and when their personal data is used through this bottom-up data protection regime.
Boost personal data free flow
Based on the twofold objectives of data protection law, DLT can be designed to enable data-sharing without the need for a central trusted intermediary and also offer transparency to each stakeholder when personal data is flowing in the Digital Single Market. Similar mechanisms could be designed to allow data-sharing solutions in other sectors, e.g. the Internet of Things (IoT). Such mechanisms can increase the data flow for different industries and foster the establishment of data marketplaces.
How to take pros and mitigate cons?
More specific legal guidance (especially on GDPR) is urgently needed in the context of DLTs: establish certainty in many pivotal concepts, such as (joint-)controller, erasure, rectification, and case law.
Codes of conduct and certification mechanisms may play a more crucial role under DLTs: both can typify the spirit of EU data protection regulation and also cater to the development of new technology.
Privacy and data protection by design and by default: as a malleable technology, DLT is still developing fast and is easy to influence.
References
Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018)
Bill HB2417 State of Arizona https://www.azleg.gov/legtext/53leg/1r/bills/hb2417p.pdf
Bacon J et al (2018), Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers, 25 Richmond Journal of Law and Technology 1, 62
European Parliament (July 2019), Report on Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law? (QA-02-19-516-EN-N)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Case C-434/16 Nowak [2017] EU:C:2017:994
Primavera De Filippi, The Interplay Between Decentralization and Privacy: The Case of Blockchain Technologies (2016) 9 Journal of Peer Production
David Siegel, Understanding The DAO Attack (2016) Coindesk, available: https://www.coindesk.com/understanding-dao-hack-journalists
Lukas Marx, Storing Data on the Blockchain: The Developers Guide, Malcoded (2018) https://malcoded.com/posts/storing-data-blockchain/
Article 29 Working Party, Opinion 05/2014 on Anonymisation Techniques (WP 216) 0829/14/EN, 20
Acar G (9 April 2018), Four cents to deanonymize: Companies reverse hashed email addresses https://freedom-to-tinker.com/2018/04/09/four-cents-to-deanonymize-companies-reverse-hashed-email-addresses/
Vitalik Buterin, Privacy on the Blockchain (Ethereum Blog, 15 January 2016) <https://blog.ethereum.org/2016/01/15/privacy-on-the-blockchain/> (hereafter Buterin, Privacy on the Blockchain) accessed 13 March 2020
Case C-210/16 Wirtschaftsakademie Schleswig-Holstein [2018] EU:C:2017:796
Case C-25/17 Jehovan todistajat [2018] EU:C:2018:551
Commission Nationale Informatique et Libertés (September 2018), Premiers éléments d'analyse de la CNIL : Blockchain, 8-9 https://www.cnil.fr/sites/default/files/atoms/files/la_blockchain.pdf
Martinez J (10 September 2018), Dispelling Myths: How a Pruned Ethereum Node Can Fully Verify the Blockchain https://medium.com/coinmonks/how-a-pruned-ethereum-node-can-fully-verify-the-blockchain-bbe9f29663ed
Thank you for listening! Any Questions?