STUDY
Panel for the Future of Science and Technology
EPRS | European Parliamentary Research Service
Scientific Foresight Unit (STOA)
PE 634.445, July 2019, EN

Blockchain and the General Data Protection Regulation
Can distributed ledgers be squared with European data protection law?

Blockchain is a much-discussed instrument that, according to some, promises to inaugurate a new era of data storage and code-execution, which could, in turn, stimulate new business models and markets. The precise impact of the technology is, of course, hard to anticipate with certainty, in particular as many remain sceptical of blockchain's potential impact. In recent times, there has been much discussion in policy circles, academia and the private sector regarding the tension between blockchain and the European Union's General Data Protection Regulation (GDPR). Indeed, many of the points of tension between blockchain and the GDPR are due to two overarching factors. First, the GDPR is based on an underlying assumption that in relation to each personal data point there is at least one natural or legal person, the data controller, whom data subjects can address to enforce their rights under EU data protection law. These data controllers must comply with the GDPR's obligations. Blockchains, however, are distributed databases that often seek to achieve decentralisation by replacing a unitary actor with many different players. The lack of consensus as to how (joint-) controllership ought to be defined hampers the allocation of responsibility and accountability. Second, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements, such as Articles 16 and 17 GDPR. Blockchains, however, render the unilateral modification of data purposefully onerous in order to ensure data integrity and to increase trust in the network. Furthermore, blockchains underline the challenges of adhering to the requirements of data minimisation and purpose limitation in the current form of the data economy. This study examines the European data protection framework and applies it to blockchain technologies so as to document these tensions. It also highlights the fact that blockchain may help further some of the GDPR's objectives. Concrete policy options are developed on the basis of this analysis.

AUTHOR
This study was written by Dr Michèle Finck at the request of the Panel for the Future of Science and Technology (STOA) and managed by the Scientific Foresight Unit, within the Directorate-General for Parliamentary Research Services (EPRS) of the Secretariat of the European Parliament.

ADMINISTRATOR RESPONSIBLE
Mihalis Kritikos, Scientific Foresight Unit (STOA)
To contact the publisher, please e-mail stoa@ep.europa.eu

LINGUISTIC VERSION
Original: EN
Manuscript completed in July 2019.

DISCLAIMER AND COPYRIGHT
This document is prepared for, and addressed to, the Members and staff of the European Parliament as background material to assist them in their parliamentary work. The content of the document is the sole responsibility of its author(s) and any opinions expressed herein should not be taken to represent an official position of the Parliament. Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the European Parliament is given prior notice and sent a copy.
Brussels © European Union, 2019.

PE 634.445
ISBN: 978-92-846-5044-6
doi: 10.2861/535
QA-02-19-516-EN-N
http://www.europarl.europa.eu/stoa (STOA website)
http://www.eprs.ep.parl.union.eu (intranet)
http://www.europarl.europa.eu/thinktank (internet)
http://epthinktank.eu (blog)

Executive summary

In recent years, there has been ample discussion of blockchain technologies (or distributed ledger technology, DLT[1]) and their potential for the European Union's digital single market. A recurring argument has been that this class of technologies may, by its very nature, be unable to comply with European data protection law, which in turn risks stifling its own development to the detriment of the European digital single market project. The present study analyses the relationship between blockchain and the GDPR, so as to highlight existing tensions and advance possible solutions. It looks into developments up until March 2019.

1. Blockchain technology

In essence, a blockchain is a shared and synchronised digital database that is maintained by a consensus algorithm and stored on multiple nodes (computers that store a local version of the database). Blockchains are designed to achieve resilience through replication, meaning that there are often many parties involved in the maintenance of these databases. Each node stores an integral copy of the database and can independently update the database. In such systems, data is collected, stored and processed in a decentralised manner. Furthermore, blockchains are append-only ledgers to which data can be added but removed only in extraordinary circumstances.

It is important to note that blockchains are a class of technology. Indeed, there is not one version of this technology. Rather, the term refers to many different forms of distributed database that present much variation in their technical and governance arrangements and complexity. This also implies, as will be amply stressed in the analysis below, that the compatibility between distributed ledgers and the GDPR can only be assessed on the basis of a detailed case-by-case analysis that accounts for the specific technical design and governance set-up of the relevant blockchain use case. As a result, this study finds that it cannot be concluded in a generalised fashion that blockchains are either all compatible or incompatible with European data protection law. Rather, each use of the technology must be examined on its own merits to reach such a conclusion.

That said, it is easier to design private and permissioned blockchains in a manner that is compatible with EU data protection law than public and permissionless networks. This is because participants in permissioned networks are known to one another, allowing for the definition, for example, of contractual relationships that enable an appropriate allocation of responsibility. Furthermore, these networks are, in contrast to public and permissionless networks, designed in a way that enables control over the network, such as to treat data in a compliant manner. Moreover, there is control over which actors have access to the relevant personal data, which is not the case with public and unpermissioned blockchains.

2. The European Union's General Data Protection Regulation

The European Union's General Data Protection Regulation (GDPR) became binding in May 2018. It is based on the 1995 Data Protection Directive. The GDPR's objective is essentially two-fold. On the one hand, it seeks to facilitate the free movement of personal data between the EU's various Member States. On the other hand, it establishes a framework of fundamental rights protection, based on the right to data protection in Article 8 of the Charter of Fundamental Rights. The legal framework creates a number of obligations resting on data controllers, which are the entities determining the means and purposes of data processing. It also allocates a number of rights to data subjects, the natural persons to whom personal data relates, that can be enforced vis-à-vis data controllers.

[1] Various definitions of blockchain and distributed ledger technology exist, and some of these stress different technical features of these respective forms of data management. Given the nature of this study and the lack of definitional consensus, the terms are used synonymously.

3. The tension between blockchain and the GDPR

In recent years, multiple points of tension between blockchain technologies and the GDPR have been identified. These are examined in detail below. Broadly, it can be argued that these tensions are due to two overarching factors. First, the GDPR is based on the underlying assumption that in relation to each personal data point there is at least one natural or legal person, the data controller, whom data subjects can address to enforce their rights under EU data protection law. Blockchains, however, often seek to achieve decentralisation in replacing a unitary actor with many different players. This makes the allocation of responsibility and accountability burdensome, particularly in light of the uncertain contours of the notion of (joint-) controllership under the regulation. A further complicating factor in this respect is that in the light of recent case law developments, defining which entities qualify as (joint-) controllers can be fraught with a lack of legal certainty. Second, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements such as Articles 16 and 17 GDPR. Blockchains, however, render such modifications of data purposefully onerous in order to ensure data integrity and to increase trust in the network. Again, the uncertainties pertaining to this area of data protection law are increased by the existing uncertainty in EU data protection law. For instance, it is presently unclear how the notion of erasure in Article 17 GDPR ought to be interpreted.

It will be seen that these tensions play out in many domains. For example, there is an ongoing debate surrounding whether data typically stored on a distributed ledger, such as public keys and transactional data, qualify as personal data for the purposes of the GDPR. Specifically, the question is whether personal data that has been encrypted or hashed still qualifies as personal data. Whereas it is often assumed that this is not the case, such data likely does qualify as personal data for GDPR purposes, meaning that European data protection law applies where such data is processed. More broadly, this analysis also highlights the difficulty in determining whether data that was once personal data can be sufficiently anonymised to meet the GDPR threshold of anonymisation.

Another example of the tension between blockchain and the GDPR relates to the overarching principles of data minimisation and purpose limitation. Whereas the GDPR requires that personal data that is processed be kept to a minimum and only processed for purposes that have been specified in advance, these principles can be hard to apply to blockchain technologies. Distributed ledgers are append-only databases that continuously grow as new data is added.
In addition, such data is replicated on many different computers. Both aspects are problematic from the perspective of the data minimisation principle. It is moreover unclear how the purpose of personal data processing ought to be applied in the blockchain context, specifically whether this only includes the initial transaction or whether it also encompasses the continued processing of personal data (such as its storage and its usage for consensus) once it has been put on-chain.

It is the tension between the right to erasure (the right to be forgotten) and blockchains that has probably been discussed most in recent years. Indeed, blockchains are usually deliberately designed to render the (unilateral) modification of data difficult or impossible. This, of course, is hard to reconcile with the GDPR's requirements that personal data must be amended (under Article 16 GDPR) and erased (under Article 17 GDPR) in specific circumstances.

These and additional points of tension between the GDPR and blockchain are examined in detail below. This analysis leads to two overarching conclusions. First, that the very technical specificities and governance design of blockchain use cases can be hard to reconcile with the GDPR. Therefore, blockchain architects need to be aware of this from the outset and make sure that they design their respective use cases in a manner that allows compliance with European data protection law. Second, it will however also be stressed that the current lack of legal certainty as to how blockchains can be designed in a manner that is compliant with the regulation is not just due to the specific features of this technology. Rather, examining this technology through the lens of the GDPR also highlights significant conceptual uncertainties in relation to the regulation that are of a relevance that significantly exceeds the specific blockchain context. Indeed, the analysis below will show that the lack of legal certainty pertaining to numerous concepts of the GDPR makes it hard to determine how the latter should apply both to this technology and to others.

In order to reach this conclusion, this report evaluates those aspects of European data protection law that have to date proven to be the most relevant in relation to blockchain. This includes the regulation's territorial and material scope, the definition of responsibility through a determination of which actors may qualify as data controllers, the application of the core principles of personal data processing to blockchains, the implementation of data subject rights in such networks, international data transfers and the possible need for data protection impact assessments. Whereas much of the debate has focused on the tensions between blockchains and European data protection law, the former may also provide means to comply with the objectives of the latter.

4. Blockchain as a means to achieve GDPR objectives

It has been argued that blockchain technologies might be a suitable tool to achieve some of the GDPR's underlying objectives. Indeed, blockchain technologies are a data governance tool that could support alternative forms of data management and distribution and provide benefits compared with other contemporary solutions.
Blockchains can be designed to enable data-sharing without the need for a central trusted intermediary, they offer transparency as to who has accessed data, and blockchain-based smart contracts can moreover automate the sharing of data, hence also reducing transaction costs. Furthermore, blockchains' crypto-economic incentive structures might have the potential to influence the current economics behind data-sharing. These features may benefit the contemporary data economy more widely, such as where they serve to support data marketplaces by facilitating the inter-institutional sharing of data, which may in turn support the development of artificial intelligence in the European Union. These same features may, however, also be relied upon to support some of
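The following Python block is an added example, not code from the study or from the European Parliament. It models, in a few lines, the two technical facts that sections 1 and 3 of the summary rest on: a toy hash-chained, append-only ledger whose records carry an unkeyed SHA-256 hash of an e-mail address instead of the address itself. It shows, first, that such a hashed identifier remains linkable to the person (anyone holding a candidate identifier can recompute the hash and retrieve every record about that data subject, which is why the study treats hashed data as still personal), and second, that a unilateral "erasure" carried out in one node's local copy invalidates the chain's integrity check from the next block onward, which is the mechanical reason erasure under Article 17 is onerous. The e-mail addresses and events are constructed sample data, and all function and class names are this example's own.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Previous-hash value carried by the first (genesis) block of the toy ledger.
GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_identifier(identifier: str) -> str:
    """Unkeyed hash of a personal identifier, the common 'pseudonymised' on-chain form."""
    return sha256_hex(identifier.encode("utf-8"))


@dataclass
class Block:
    index: int
    payload: Dict[str, str]   # e.g. {"subject": <hashed identifier>, "event": ...}
    prev_hash: str            # digest of the preceding block, as recorded at append time

    def digest(self) -> str:
        # Canonical JSON serialisation so that every node computes the same digest.
        body = json.dumps(
            {"index": self.index, "payload": self.payload, "prev_hash": self.prev_hash},
            sort_keys=True,
        )
        return sha256_hex(body.encode("utf-8"))


def append_block(chain: List[Block], payload: Dict[str, str]) -> Block:
    """Append-only write: the new block commits to the digest of the current tip."""
    prev = chain[-1].digest() if chain else GENESIS_PREV
    block = Block(len(chain), payload, prev)
    chain.append(block)
    return block


def verify_chain(chain: List[Block]) -> Optional[int]:
    """Integrity check a node runs over its copy.

    Returns the index of the first block whose recorded prev_hash no longer matches
    the digest of its predecessor, or None if the chain is internally consistent.
    """
    expected = GENESIS_PREV
    for block in chain:
        if block.prev_hash != expected:
            return block.index
        expected = block.digest()
    return None


def build_sample_chain() -> List[Block]:
    """Constructed sample ledger: consent and sharing events keyed by hashed e-mail."""
    chain: List[Block] = []
    append_block(chain, {"subject": hash_identifier("alice@example.org"), "event": "consent granted"})
    append_block(chain, {"subject": hash_identifier("bob@example.org"), "event": "consent granted"})
    append_block(chain, {"subject": hash_identifier("alice@example.org"), "event": "data shared"})
    return chain


def find_subject_blocks(chain: List[Block], candidate_identifier: str) -> List[int]:
    """Linkability: recompute the hash of a known/guessed identifier and match it on-chain.

    Because the hash is deterministic and unkeyed, the 'pseudonym' singles out the
    same natural person in every record, so the data stays personal data.
    """
    target = hash_identifier(candidate_identifier)
    return [b.index for b in chain if b.payload.get("subject") == target]


def erase_subject(chain: List[Block], candidate_identifier: str) -> List[Block]:
    """Simulate one node unilaterally 'erasing' a subject's records in its local copy.

    Payloads are overwritten while the recorded prev_hash links are left untouched,
    which is exactly what a lone node could do. The modified copy is returned; the
    caller's original chain is not changed.
    """
    target = hash_identifier(candidate_identifier)
    edited: List[Block] = []
    for b in chain:
        if b.payload.get("subject") == target:
            edited.append(Block(b.index, {"subject": "[erased]", "event": "[erased]"}, b.prev_hash))
        else:
            edited.append(b)
    return edited


if __name__ == "__main__":
    ledger = build_sample_chain()
    print("chain consistent:", verify_chain(ledger) is None)
    print("records linked to alice:", find_subject_blocks(ledger, "alice@example.org"))
    tampered = erase_subject(ledger, "alice@example.org")
    print("first inconsistent block after local erasure:", verify_chain(tampered))
```

Running the block shows the ledger verifying cleanly, the two blocks about the constructed "alice" address being found from the address alone, and the locally erased copy failing verification at block 1: every other node's copy still commits to the original digest of block 0, so the erasing node's copy is simply rejected rather than propagated. That is the integrity property the study describes as deliberately making unilateral modification onerous.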