Hi. So I'm Alexandra Jenna Pulu. As I told you yesterday, I come from the Blockchain and Society Policy Lab at the University of Amsterdam, and today I'm going to talk to you about how we are applying data protection rules on distributed architectures and on the blockchain.

So before I start, some preliminary remarks about decentralized technologies. Developing decentralized technologies at scale has always been the holy grail of the ideals of decentralization for organizing social structures, and blockchain technology is the latest example of that effort. This has been shown, for example, lately at the Decentralized Web Summit that happened here a couple of weeks ago. So everyone is looking at how blockchain technology will help eliminate unnecessary intermediaries, solve the problem of trust, etc.

So the problem that arises with data protection is that, by trying to have the specific goal of solving trust and doing away with unnecessary intermediaries and enhancing individual user agency, there is a conceptual incompatibility with the GDPR, in general data protection rules. So on the one hand we look to the same goal, which is enhancing control of users, user agency, and giving them back control over their data, but the way that the technology and the law try to approach this problem is completely different. So on the one hand we have decentralization giving more autonomy to the users, creating a distributed user base. But on the other hand, what the law ended up doing is that it ended up identifying a few central actors who would be liable for how they process data, how they control users' data, and also giving more power to users through express consent, through the power to withdraw consent, and by reinforcing their agency. So are these two
applications of enhancing individual autonomy completely incompatible, or is there any way to make blockchain applications compliant with the GDPR?

Another thing that we need to remember is how we identify different actors on the blockchain. We identify them by the way that they control and process data, and that is either by their role in the architecture, in the technological infrastructure, or also their role in the decision-making processes of when and how and if we are going to process this data. By combining these two features, both the technological and the governance role, we can then reach a legal qualification and, of course, the obligations that come with that legal qualification.

To start off with examining whether the GDPR is also compliant on blockchain technologies, we have to first of all go with definitions. So which data are we talking about? Blockchain technology is basically a distributed database that runs worldwide, so necessarily it needs to be compliant to some extent with data protection laws. First of all, we have data that are stored on the blockchain: plaintext data, but those are kind of unnecessary and they are not very often used; and then data that refer to the transactions. How are the data stored on the blockchain? They're either, well, the metadata, the hashes, and encrypted personal data, so for example public keys.

So what does the law say about this data? The GDPR makes a distinction between anonymous data and pseudonymous data. Anonymous data do not fall under the scope of the GDPR, but pseudonymous data do. What does that mean? How are the definitions
put in the GDPR? So anonymous data are only the data that are impossible to identify or to lead to an identifiable natural person, while pseudonymous data are personal data that can no longer be directly attributed to a natural person, but by combining different information that can be held by, for example, third parties, they can lead to the identification of a natural person, of the subject of the personal data.

What does that mean for blockchain data? The Article 29 Working Party, which is what right now you would call the European data protection officer, has given opinions about anonymization: what does that mean, how can we reach anonymization. It's an instrument that helps interpret the law, so they're not per se legally binding, but they help guide the decisions of especially European courts. So the Article 29 Working Party on anonymization has said that processing of personal data should irreversibly prevent identification, and that statement means that hashing and asymmetric cryptography, so public keys, cannot fall under that category of anonymization. For example, an analogy would be: think about dynamic IPs. The Court of Justice of the European Union has said that even if the necessary information is held by the internet service provider, that is enough to qualify the dynamic IP as pseudonymous data and not as anonymous data. So similarly, hashing and asymmetric cryptography fall under the category of pseudonymous data, and that obviously, as you can understand, poses a very big problem for all blockchains. Why? Because there are some data that we simply cannot put off-chain, that we cannot do without. Some of the personal data that are on the blockchain are absolutely necessary for the functioning of the blockchain. For example, there can be no blockchain if we do not have a hashing of blocks.
That's the idea behind the whole technology. This is one aspect that is very problematic for the blockchain, and the second aspect is the fact that it's an append-only distributed database, which makes it impossible to eliminate data. That means that a lot of data that have been qualified as anonymous now will stay on the blockchain forever; maybe with the advancements of technology they will be re-identified in the future with other technological processes. So that also poses a second problem with the data that we store on the blockchain.

This is not a new problem; this has been discussed for quite a while now. There are some technical solutions that have been applied, because one positive aspect of the technical people that are working on blockchain applications is that they are very privacy-aware, so they are looking to build privacy-enhancing technologies into their blockchain to begin with. So the most simple solution that people offer is to store most of the data not on the blockchain but off-chain. But as I've said before, this is not possible for a lot of types of personal data. So we need to find ways to create privacy-enhancing technologies, and this also exists in a lot of ways: zero-knowledge proofs have been mentioned a lot of times, or maybe creating ring signatures, or other technologies that have been proposed, especially by some cryptocurrencies. However, when we talk about privacy-enhancing technologies that could lead to anonymization, is there going to be a standard? Are we going to standardize
specific technologies that we all agree lead to anonymization, or are we just going to keep a list that needs to be continuously updated as a suggestion? Because even if it's simply a list, that means that it would not be legally binding in any way. And secondly, when we're going to standardize technologies, who is going to standardize them? That poses problems on the governance side of blockchain technologies and communities.

So do you have any legal solutions for that? Officially, no. Officially there is no legal solution to adopt for this problem, but what has been proposed is that we need to accept that some of the data that are circulating on the blockchain are essential to the functioning of the blockchain. And what we need to remember is that the application of a lot of rights that are given to data subjects is relative to the applicable technology. So depending on the limits of the technology where the data subject
goes to claim the application of the rights, these rights are going to be enforced according to the limits of the technology. So taking into consideration the fact that this specific data is essential to the functioning of the blockchain could lead to a possible solution. Adapting the law to blockchain standards is something that has also been proposed, but this is highly unlikely, specifically because it took us a lot of years and a lot of negotiations to reach the enforcement of the European regulation, so this is something that I don't think is going to happen.

So some of the consequences of these proposed solutions. First of all, the data minimization that I mentioned here is the obligation to take the necessary technical measures to control and process as little personal data as possible. But that could mean that, if we accept that there are some privacy-enhancing technologies that could be applied, and if we standardize those technologies, does that mean that users would have the right to turn to the blockchain technology developers because they didn't use the specific new technology that creates a better application of data minimization obligations? And also, that would mean: when anonymous data that are stored forever on the blockchain become pseudonymous because of the advancement of technology, what does that mean for user rights? Do the users need to consent about the data that were processed a while ago, and what are the obligations of the actors that are related to that specific blockchain?

And that leads us to the second part of this presentation, which is blockchain actors and GDPR compliance. You've probably heard of those terms. The two main actors that the GDPR creates for data processing: we have Article 4 of the GDPR:
data controllers are the people, the institutions, the actors that determine the purposes and the means of the processing of personal data. So they are the people that are in charge of the decision-making processes about processing and collecting personal data. And the data processors are simply processing the personal data on behalf of the controller.

So here I'm going to take a very, very simple example of a blockchain technology. It is not at all representative of what actually happens, but this is just for the sake of the discussion, to give you some examples of the problems that would arise. So we're going to examine those actors that more or less exist on blockchains. We have nodes: full nodes, simple nodes. We have the miners. We have the developers that create the blockchain, and of course different third parties: we have exchanges, we have wallets, we have decentralized applications, etc. So can we find any liability for any of those actors?

Let's start with the miners. What do the miners do? The miners are going to verify transactions and add blocks on the blockchain. Are they controllers? Well, they do validate submitted data, so they do participate in the processing of the personal data. However, they do not determine the means and purposes of the processing of the personal data. So they are not alone; they do not take autonomous decisions about how the blocks are validated and how the processing is being done. But are they processors? The French data protection authority, the CNIL, recently published a report about GDPR compliance and the blockchain and said that the miners could be data processors processing personal data, but that poses a problem of who is the controller, for whom are they processing those personal data, and what is the relationship between those two actors?
Developers. So the developers, let's say (I always take the example of the Bitcoin blockchain), define how the data is processed by maintaining the protocol. Are they controllers? They could be considered to determine the means and purposes of the processing, but they are not alone in that process. They are always bound by the consensus and by technological requirements, and so they do not remain autonomous in how they determine the means and the purposes of the processing of the personal data. And also, if we actually believe that the developers are data controllers, that could lead to implications about all open source developers. Are they all data controllers? Can they all be liable under the GDPR?

Next we have the third parties. So we have, as I told you, exchanges, wallets, decentralized applications, etc. They analyze blockchain data for commercial purposes, let's say an ICO, for example. They could qualify as data controllers for the data that they request from the users. Again, think of the ICO example: all the public keys that they are going to publish, the transactions they are going to publish once they collect the funds. And they are going to be responsible for all the data that they store off-chain. However, regarding the on-chain data, we still need to find whether they could also be the processors, but that does not appear to be the case. Think, for example, of a decentralized application that runs on the Ethereum blockchain. Does that mean that we will qualify the third party as a data controller and then the Ethereum Foundation as a data processor? But there is no contractual relationship between the two, so that also seems quite problematic, very unlikely to happen.

Finally, well, almost finally, we have the full nodes. We take the example of the full nodes because they are the ones
that download the whole blockchain, download the blocks and the transactions, and verify them against consensus rules. Again, similarly, there has been a proposal that they could be considered as joint controllers. So all the full nodes could be considered as the people that take the decisions about how the processing of the personal data is going to happen. However, there is no contractual relationship between the nodes, and they all act individually. And also, they cannot be considered as individual controllers because, similarly to the developers, they are subject to the design rules that are created by the developers. So this is like a very simple relationship.

Finally, we have the users. So a user that simply goes to make a transaction on the blockchain: they could be data controllers and data subjects at the same time. Data subjects that have control of their data because they can use their private key. They are bound by the consensus of the blockchain, and so, even though they can be considered as data controllers for their own data, they cannot be considered data controllers for the data when they participate in the full network. So that again means that they cannot be qualified as data controllers in general for all blockchain data.

So, conclusions. First of all, as all lawyers are going to say in this case, it depends. Everything depends on the blockchain. Everything depends on the governance of the blockchain. Are we examining from the third-party perspective? Whose personal data are we examining?
So we need to look at the specific governance structure of a given blockchain, at the specific use case, and also at the specific personal data that are at stake. And finally, the GDPR principle of controllership, so how we identify those actors, could be rethought, given the fact that, one, a lot of personal data are essential for the functioning of the blockchain, and two, we're talking about an architecture that was not thought of when the GDPR was being discussed and was being enforced at the end of May. So yes, that's all. Thank you.

Thank you very much. Those are really important, kind of essential questions that were addressed here. I still have the feeling it is not clear, right? I mean, this is, as often, unfortunately not clear so far. Other questions? Over there. Maybe you can wait for the microphone.

Thank you for your talk. One of the aspects of the GDPR that I think you didn't cover in your presentation is the article in Chapter 5 about transfer of personal data to third countries, which is something that, for example, in a public blockchain, if you are processing something, data might be processed by someone that is outside the EU. Do you have any comment on that?

Well, the specific problem about enforcing the GDPR is exactly what you said: once you have either a node, a user, a miner, a company that processes data that refer to a European citizen, then the GDPR applies to the whole blockchain.
So this goes both ways: it goes to either taking the data outside to third countries, or also even when one individual from the blockchain is part of an EU country or is processing data that refer to any EU citizen. So that's the big problem, actually.

Does this mean that if I'm a company that is going to process this data for European citizens, I am automatically obliged to use a private blockchain where I know all my miners are inside the EU?

So, yeah, the difference between permissioned and permissionless blockchains is that in a permissioned blockchain you can actually control that. That means that it's much easier to identify the actors: you have specific miners, you have specific parties, identified people that take part in the decision-making processes. So in that case, being compliant with the GDPR is easier. But in the public blockchain, as you would say, the permissionless one, this is where a lot of problems occur, because there is no way of knowing how to enforce.

Hi. You started off with a definition, and that definition contained two words: natural person. I was wondering, have you done any thinking on unnatural persons, thinking of AI agents literature? Like DeepMind recites itself, I think. So just wondering if the law had thought of unnatural persons and consequences.

Well, yeah, we're talking about natural persons because personal data refer to the data subjects, and that means individual people. So those are the data that we protect, and we do not protect data that refer to an AI. So that's the meaning behind natural persons.

Can you wait for the mic, please?
Thank you. I have a rather uncomfortable comment to make, and that is that such a thing as a permissioned blockchain does not exist, because a blockchain is by definition decentralized and immutable, which means a permissioned blockchain is not a blockchain but an encrypted ledger. It's just a comment.

To my knowledge, there is no official definition of the blockchain, so that is to be determined.

Yes, there are some definitions about a blockchain. There's a lot, and there is no single one, though. Properties like being decentralized and immutable are five of the central definition points of a blockchain.

I mean, yeah, we could say permissioned distributed ledger, yes, if that makes you more comfortable. Yeah.

All right, further questions? Otherwise, I think we have deserved, first you have deserved, a big applause.