Later On

A blog written for those whose interests more or less match mine.

Block chain: Is the GDPR out of date already?

leave a comment »

This is a bit Euro-centric, but it illustrates how decentralization is proceeding apace (as a comment, too, on my preceding post on the rise of the city-state). In general, decentralized systems (e.g., the internet) are more robust than centralized systems.

Kingsley Napley writes at

The General Data Protection Regulation (“GDPR”) amounts to a significant overhaul of existing data protection regulation and is designed to be ‘technology neutral’. However, how the GDPR will cope with emerging block chain technology and a move towards the decentralisation of data storage remains to be seen.

What is a block chain?

Block chain is the underlying technology behind platforms such as Bitcoin and Ethereum. Whilst block chains are best known for their use in the field of ‘crypto currencies’, they have a broad range of potential applications such as storing medical data, supply chain management or social networking.

The term ‘block chain’ has no single definition but it is generally used to refer to a way of recording transactions across a network of computers. Transactions sent to the network are grouped into ‘blocks’ which are time stamped and linked to the previous block. Linking each block to the previous block confirms the integrity of the chain all the way back to the first block. Information on the block is encrypted and protected through cryptography.

The block chain is stored on a network and no centralised ‘official copy’ exists. The process of adding transactions to the chain is performed by mining ‘nodes’. Mining is essentially a record keeping service whereby miners compete to collect in and verify transactions.

Who are the data controllers?

The GDPR continues to use the existing concepts of data controllers (who determine the purposes for which and the manner in which any personal data are to be processed) and data processors. In addition to introducing penalties for data processors, it imposes even more stringent obligations on the controller of personal data and drastically increases the potential penalties for non-compliance.

In a decentralised system where there is no individual entity in control of the data, it is difficult to identify who the obligations are placed upon and, even once the controller has been identified, enforcement does not seem feasible. For example, in the case of Bitcoin, the miners who verify transactions and build the block chain may be deemed to be the data controllers. Identifying each of these individuals (a recent study found that there are likely to be over 100,000) and then taking action against them is clearly not possible.

What laws apply to a data controller or data processor?

The GDPR seeks to extend the territorial reach of EU data protection law. The Regulation will apply to EU-based controllers and processors or entities processing an EU resident’s personal data in connection with goods or services offered to them or tracking the behaviour of individuals in the EU.

Applications of this technology are broad and in many cases it is simply not possible to ascertain the identity or the location of the data controller, data processor or even the data subject. In such a situation, determining the appropriate choice of law may not be straightforward and regulators may struggle to argue that they have the jurisdiction to take enforcement action.

How does this fit in with the right to be forgotten? . . .

Continue reading.

Written by Leisureguy

10 September 2017 at 11:32 am

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.