Hello, my name is Michelle. I'm really excited to be here and to talk about personal data, blockchain and privacy. This is really a topic that I truly love. So this is not legal advice, that is, I am an attorney. Just a little bit of background about me: I was an attorney at PayPal, and before that I worked at a few different companies. I used to draft a lot of privacy policies, work a lot on data, and also on emerging technologies such as AI, blockchain and the Internet of Things, including sensors. I know that we're focusing on blockchain today, but I will chat a little bit about AI and IoT as well.

We're going to go over some of the basic principles of privacy that I think everyone knows now, and then we're going to talk about some laws in California and also in Europe, and then we're going to dive into blockchain and the intersection of data privacy and blockchain.

So there are seven principles of privacy. Since we're in Germany, I think every one of you knows this. I think it's really important to understand the concepts, because when you're building products and when you're working on data, it's kind of nice to architect your system around them. They are: notice, choice, onward transfer, security, data integrity, access, and recourse, enforcement and liability.

So with notice: do you want to tell your community and/or users, before you use their data, how their data will be used? Most of it is a privacy policy on your website. And if you're repurposing the data, it's also important to let your community know before you reuse their data, so that they know the new purposes, especially for health data. I was just having a conversation with someone about how the health community or the science community wants to contribute their data to help science research. However, how do we encrypt that data and allow the person to share only what they want to share? And of course choice is important, and with choice,
it's really opting out, you know, allowing your consumer to opt out, and also to opt in if it includes sensitive information. What is sensitive information? Right? So health data, trade unions, spiritual or religious beliefs are some examples of sensitive information, and because people or an insurance company can do things to you once they have that information, it's really important to allow people to opt in.

And then of course onward transfer. I think when you're building a startup or a company, you have different partners, you work with different companies, and you have different vendors; they might have that data, especially in the age of AI and edge computation and sensors. So how are they using the data? Remember, when another party is using the data, you really can't control that, and you don't know what they're doing with that data, right? So you want to make sure that in your agreement with them everything is clear, and you set good expectations and make sure that they comply with the law, because you could be liable, right?

Another principle is really security: how are you protecting your data? A lot of the breaches are insider, right? So someone in the company basically may compromise the data. So how are you protecting it? What kind of software are you using? What kind of hardware are you using? What kind of password system are you building into your security procedures and measures?

And then of course there's data integrity. So with fake news and a lot of fake videos, is the information you have authentic? Could someone modify that, right? Especially when we're talking about blockchain and how that preserves integrity: is it centralized? So with data integrity, do you allow your users and community to go in and correct that data? How long are you keeping it? What is the purpose? And if you are aggregating data, is all that information
identifiable? And that's very important, right, because with metadata and AI there are situations where you don't see the name or the address or the email; however, you can tell who it is, and so we should be careful about that. I'm always referring to the Netflix case, where there was a mom who was, I think she was homosexual, so even without her information people could kind of tell. So I think we need to be sensitive about metadata, and even if the information is aggregated, to make sure that it is clean and that the person is not identifiable.

And then of course there's access. Who has access to that information? Is it reasonable? So when consumers want a record of what you keep about them, do you let them know, and can they actually read it and understand it? And can they amend or delete that information? So really, when you think about some of these big companies today, I would not name them, but if you go and look at your data, can you really understand what they have about you? Probably not. It's kind of segmented, dispersed; you can't really tell. And even if you could tell, what else do they know about you, and how are they identifying you? You really don't know their judgment about you and how they profile you, even if you know what you have given to them or what they keep about you.

Recourse, enforcement and liability: if your partner is breaching the data, and you really need to have them as a partner, what are you going to do? How are you letting people know? How are you rectifying the situation if there's a data breach? And how are you working with government officials?
So those are really, really important. I'm going to go over a few health and data laws and focus on the US. So this is HIPAA. I remember when I was working at eBay in about the early 2000s, HIPAA and the Child Privacy Act had just kind of come out, and I think now data has become even more important. So it's 1996, which is about right, because the internet came out around that time, at least publicly. It protects personal and health data. It applies to covered entities: health plans, health care providers and clearinghouses, and also whoever you disclose it to. It basically allows you to have your data, your health records, if you request them.

So what is protected health information? It's basically your identifiable health information: your past, present or future physical or mental health, who provides that health care, and how much you paid for those services. So those are some of the health records you're allowed to have disclosed to yourself if you requested them, or to certain health care providers. The issue with that is that if it's aggregated data, you can still share it, so there's an exception there: public interest and benefit activities, and limited data sets. So if you have aggregated data and they use it for public interest and benefit, you can still disclose it without consent. And then also, what is the way that you protect that data?
You're recommended to have a privacy officer. I think sometimes as a startup you really don't have the funds to do that in the beginning, but if your company relies heavily on data, it's kind of important to have one. I certainly worked with a privacy data officer before, and I think it's super awesome. However, when you're small and you're a founder, I think it's really important to really think and at least make an attempt to understand the concepts and principles. So there's training, training your staff; there are safeguards; there's mitigation; and then there's a whole process. So it's important to have a privacy policy for the external side, your customers, your consumers and the users, but also to have a process for the internal side, which is really your team, your staff, and how your vendors will share that information. And there's a hefty penalty for breaching it, and it goes up every time it is violated, and I think that's good. I think it deters health care providers so that they won't breach our data, and I think it's even better if they give us the terms before they perform the procedures, or any kind of health procedures.

So I'm going to talk about the California Consumer Privacy Act. This is really restricted to California, and it's really important because it's very like the GDPR. It's effective on January 1, 2020, so in a few months. It's very important because, in a way, it defines all, it has a list of all the data that companies and businesses need to really think about, and it applies to any company that has customers in California. So GDPR applies to everyone, all the businesses that have consumers or users in Europe; this one applies to anyone that has customers in California.
It applies online as well as to physical businesses, and there is a minimum requirement: you have to make gross revenues over 25 million, you basically receive, sell or share personal information of 50,000 or more consumers, or you make 50% or more of your revenue from selling personal information. So there is a threshold for that. So if your business is not mainly to sell data, or you don't have that amount of consumer data, and you make less than 25 million, the law does not apply to you.

So what is personal information? For the first time I've seen personal information defined in a very detailed way. So it includes social security number, biometric identifiers, your location, so that is all the IP addresses, your browsing history; that includes your avatar, your sound, your video data, any tracking devices, special tracking devices. Behavioral and profiling data is very important, because there are companies out there that do behavioral analysis of you from the beginning of the internet, and they know what you will buy, what you will buy next, how much you would pay for it, and they send you targeted ads, and they have a digital copy of you, especially with AI. So I thought that was really cool that they have it there. Since your data will include VR, AR, and then all the tracking data, and the biometric identifiers are going to include all the IoT sensors. So for the first time all the data, everything about us, what we do, is in the definition of personal information.

So with CCPA, what is really cool about it is that, you know, in California,
we have a lot of, I mean the US has a lot of laws that protect children. With the California Consumer Protection Act, it basically says that if you're 13 to 16 years old, your parents' consent is required, and you basically have the right to opt in. So if you have users that are between that age, even if you're not intending to target them, but you know that they're using the site, one of the best practices is to have a different landing page for them, because they need to opt in. So that is very different from a little bit of the other laws and regulations. And of course you have to disclose to your consumer, and if this applies to you, you basically have to have a special paragraph, I mean this should be part of your privacy policy, and also you need to have a disclosure, a link on your website that is conspicuous, so basically very out there, so that they really know and they could opt out.

The CCPA also talks about third-party transfers as well, and so consumers can request their data just like GDPR, and there must be consent, and also people can opt out, and you also have to have an agreement with your vendors and partners about how they're using the information. So these are some of the compliance mechanisms, and they're described there: you have to provide a toll-free telephone number and website address on your website; it must be within 45 days of a request; you should update your privacy policy; and there should be a "Do not sell my personal information" link on your website. It is enforced by the California Attorney General, with penalties.

So as you can see, this looks very familiar to everyone here, and it basically steps it up a little bit regarding the definition of what personal information is, and has additional application to children, because normally it's 13 and under, so from 13 to 16 there's a special
requirement, and they want to make sure that disclosure is conspicuous, and the violations will be enforced. There is a concept there regarding incentives and discrimination: so if a consumer doesn't want to use the website because of their privacy concern, you basically cannot discriminate against them; you can provide incentives, like a different kind of services and goods, but you cannot discriminate against them by charging different prices or offering different quality and services. So for example, if I wanted to opt out of a website because I don't want to share my data, but there's nothing there except I can log in, or there might be minimal products, that might be okay; however, if they want to charge me, like, five bucks or something when it's free, then that's a little bit, there may be discrimination. So this is a concept that I think might be discussed in the future, about what is discrimination, what are considered incentives, how are different levels of services, and how do we, as creators of websites and consumers of technology, provide that and comply with that?

So I have some best practices for everyone here. One thing that we could do is have a separate homepage for California consumers. However, is that a slippery slope? Do we need a homepage for every state and every country? Consent from children 13 to 16 before cookies and pixel data: do we need to delegate different resources just to comply for children who are 13 to 16? How do we do that, even if we want to? And how do we get their consent? So if they opt out, disable cookies and pixel data, if there are children, if there's a way, and if they're not lying, right?
Sometimes children lie about their age to have access, especially to gaming or certain social media sites; they might be under 13, or 17. So it's really important that we identify age, or not provide the website before we know their age.

So I'm going to talk a little bit about GDPR. I think the community here knows it since we're in Europe. There's a privacy regulation that protects the private life of individuals, and then there's also the GDPR. I'll just kind of go really fast on this because I think everyone here knows GDPR. It's May 25, 2018. It's to protect our personal data, and it gives us control over data. It's consistent across the European Union, and we have 72 hours to notify of data breaches. So when you think about blockchain, we are supposed to have control over our data, right? And it's intended to also protect data so that it would not be tampered with. I just kind of want you to really think about the technology and the consensus layer, the blockchain layer, as well as the intention of data portability, and then also the right to be deleted and forgotten, right? Because if the blockchain is immutable, how can we be forgotten and deleted if we can't even issue chargebacks and we can't delete information? Since blockchain is public, can we provide consent and access rights? When we buy Bitcoin, some data about us is posted on the website; we can pretty much stalk someone if we know certain data about them. And so GDPR is about consent. I think these are pretty simple: you need to have consent, you need to provide the purpose of it, and parental consent if it's a minor. You can withdraw your consent. You can basically die and be deleted, and there's always debate about, are you really deleted from the servers and phone backups and archives? And can you be deleted if your information is on the blockchain?
Probably not, right? And even on servers, are you really dead? If you actually die, what happens to that information, right? Even if you physically die, what do Facebook and other companies do with your data? There are also exceptions, of course, for GDPR. That is important to know, and one of the exceptions is always, like, a public interest for safety; the government has authority, right? There's some legitimate interest with it. And here I just want to note that this is centralization, right? So we have a government that basically protects our data and gives us these laws; with blockchain the whole idea of decentralization is that we can control and protect our data, and there's an open governance. So how do we balance that? Is that the right thing to do, to protect our personal data, or should we govern ourselves? And what is really public interest and legitimate interest?

I have some best practices for GDPR: have a personal data and breach record; ensure privacy by design, which, as you know, is how you design your structure, your system, so that it keeps your personal data as little as possible, for a short amount of time, just as necessary to process that data. There's a concept called privacy by default as well. It's really regarding the structuring of what kind of consumer data we need: do we need everything to make the system work? How long should we keep it? What is really the absolute minimum? So again, a data protection officer, which is our policy officer, your controller. Impact assessment is really your data policy analysis. And have a breach register, so keeping track of your breaches and the information is going to be really, really important.

And then we talk about blockchain. Blockchain has certain characteristics as well.
So it has hashes of transactions or groups of transactions, so those are basically protected by cryptography. It's supposed to be very secure, but I really think about some of the systems around that, though. Are exchanges on the blockchain? Why are they always hacked? Because when we think about blockchain, we really think about a public ledger, but we forget that around the ecosystem there are other things like exchanges that basically keep all the money. Are they protected, are they secure? How are they protecting our data? Are they compliant with KYC and AML regulations and laws?

So it's also public yet private. It's not anonymous, right? There's certain information that's public, there's certain information that's private. So what should be public and what should be private? We don't really have a consensus about that, right? We have privacy laws that again tell us what information is defined as personal and sensitive, but do they tell us what is public and private? I think it's really something that the community has to think about, especially in science and health.

Immutable records: so the records we cannot change; we can't even have chargebacks; we can't correct and delete them. How do we do it, right? We have private keys and public keys. That's more of an asset, so that protects it somewhat, right? So you need your private keys to go in and get certain information, for assets, but is that enough? Is that like our password?
I wanted to talk a little bit about the current PCI standards, and that regards more financial data, because I think health and financial data are really important, and when we're talking about blockchain we're talking about currency, and currency is money, right, or funds. And I think it's kind of important to at least understand some concepts of what the financial industry thinks about when they think about personal data and how to handle personal data as we're building the blockchain ecosystem.

So we have a secured network, so we think about firewalls and passwords and how to protect them. We think about cardholder data, how it's stored and how we're transmitting it. So storage and transmission on the blockchain, I think it's pretty secure, right? However, not on exchanges. Software, antivirus and other security systems and applications: so we think about software, we think about access, we think about transmission, and then we also think about people, right? Most of the breaches are actually inside. So who has access to that information? Do we do diligence on everyone? I mean, in this space there's a lot of fraud, you know, who is real and who is not, how do we identify them, and what kind of processes? Who do we hire? Have you done a criminal background check on them? Right, and I think it's kind of important to really answer those questions, especially in a new industry. Access control, need to know: you need IDs, physical assets, right? Can you use special IDs, on smart contracts or on the sensor, to allow people to restrict access to certain physical locations? Information security: have training for your staff, including contractors as well as employees. How is your monitoring and testing of your network? And are there any emergency use cases
or things that you test out, so you know what to do when there is a breach? I think that's very important, but these apply to current systems of financial data, not blockchain per se. I just want to make sure that we bridge the gap, that we know what the current situation is like, and then think about the newer technology and how that could be applicable.

So when we talk about blockchain, how do we delete stuff when we can't change records? Can we really be forgotten? And what is the balance between data integrity and privacy? So on the blockchain you can't change records, so there is integrity, but yet when you make a mistake it's really hard to correct, and privacy is just half, right? It doesn't protect everything. And then when we think about security on the blockchain, it's secured by cryptography; however, really think about the partnering technology and vendors. How are they protecting their data? You have security smart contract audits, you have exchanges, right? And you have other data sets with AI. How is that information protected? So I think it's really important to understand that.

And there is public blockchain and permissioned blockchain; permissioned blockchain is basically private blockchain. And I usually recommend more of a hybrid model, because I think user data should be protected, and if it's stored on a permissioned blockchain or on a private storage database it might be better, and to really separate certain information. Consensus, right: it's supposed to be trustless; at the same time, it's not completely trustless. Who do we count on, and who could we trust, right? Is it centralized, or is it concentrated? I think those are really important questions. And then also data sharing: if you form an association with a hundred members, and they basically run a node, is all that information shared?
Do they have access to that information, and how is it shared? Right, and it's kind of important because if we have a company that has a history of misusing our data, beyond their privacy policy, beyond anything that we can imagine, and they have a membership of a hundred companies, and each company has different data, right? One has where you go to, one has what you purchased, and the other one might be a payment provider that basically knows exactly the time you buy things, what you buy, where you're going to, and they might include a nonprofit, right, that has your donation history and what kind of things you like. All the data that they have about you, what are they going to do with it, right? And what if they have your health data along with that? So now they have your riding history, your health data, your e-commerce data, and all your payment transactions, and what are their inter-agreement deals, right? So if that association is run by a big company with lots of users and a lot of money, is there any inter-company agreement that you don't know about, right? And how is it shared? And then also validators or nodes, as you know, have the authority to approve or disapprove your transaction. What can they see, and is there a balance between data sharing versus privacy? You think that your information is private, but with the amount of associations and nodes, doesn't it sound like it's worse than the current situation, right? Because now you basically deal with the merchant, or you work with a digital wallet that allows you to pay for something, and then you're done. But here it seems like it has a lot of players in the system that are outside of the chain.

Interesting and important topic and talk. Are there any questions? No questions? So then I have one myself. So there's this vision in the blockchain world, like yesterday
we had Ocean Protocol, where you can bring the compute to the data instead of the data to the compute. Like today, you have a few data, you give it to Facebook, and then they can do post-processing and stuff. So there's Ocean Protocol; they have the idea, so we just bring the algorithms there, they train on the data, and just get the training information from the data and start something. I think you're aware of these concepts.

So I've been talking to different people around data policy lately, right? So one company is basically making sure that the health data, they're working with a health provider, and this is a real use case. So they work with a health provider and they basically encrypt your data and make sure that nothing is identifiable and it is completely aggregated and secure, and they work with researchers, scientists, to make sure that they don't know anything about you. And this is with the blockchain. I think that's really cool, because it basically tracks everything. However, there's also that balance with privacy. I also spoke with someone who is one of the inventors of the internet, and we talked a little bit about targeted advertising and the right that basically everything that you share with Facebook belongs to you, and you can delete it. So it's traceable. I thought that was really cool. So if I say I like a green dress, right, and I don't want that to be out there anymore, I can basically delete that and it pulls that data from Facebook. I thought that was awesome. So I think that blockchain also allows for data portability, in a way, because I think once we have the technology for identity, right, and identity includes AML, KYC and other information about you, I think the future could be, you give me control, and I can share it out with you. It's not on different platforms, right?
So my ratings and social ratings could be: here's Facebook, here's Twitter, here's LinkedIn, here's my information, and this is me, right? And I could say, yes, no LinkedIn, okay, no Facebook, Twitter, this is okay. And I think we need to build technology that allows us, and cares and is conscious about us, and the control is from within; it's not from the different platforms.

Yeah, yeah, it's decentralized, maintaining our own key in a wallet, or like, as you said, like identity.

Yeah, yeah. It allows us to delete from the inside out, and that's on different platforms. Okay. Yeah, thank you. Are there any other questions? Any questions? Yep, okay.

Thank you for your talk. When comparing CCPA to GDPR, would you say that, to enforce compliance, CCPA would also require enforced anonymization techniques?

Yeah, I think CCPA for me is a little bit more detailed than the GDPR. I think I have a number of best practices with me on my phone, but one of them is really: make sure that you have certain provisions in your contract with your vendors that cover the different privacy laws, because I think we have confidentiality, but we might not have privacy, right? Because most people have a privacy agreement, and it's referred to, and people don't always think about breaches of privacy and how important it is. But I think now we need to basically go through every vendor contract and make sure that they also agree to compliance with privacy, having a provision about that, and having some kind of indemnification. Of course, this is general information and I'm not your lawyer and all that stuff. Yeah, but I have a whole list and we can kind of talk about different best practices. Yeah, it has strong responsibilities; it gives you a certain hour to respond, and certain information needs to be provided. So I think with GDPR you categorize the
information, so with CCPA as well, it's a little bit more detailed, and you have to comply within a certain time. It's effective on January 1, 2020, so I think a lot of companies are beginning to make sure that they comply with it.

Yeah, okay, then thank you. Thank you very much. Thank you.
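The speaker recommends a hybrid model (user data kept off-chain on a private store, with the chain holding only a reference) and asks how anyone can be forgotten when the ledger is immutable. The following is an added example of that pattern, not code from the talk or from any project mentioned in it. It uses only the Python standard library; the hash-linked ledger is a constructed toy stand-in for a real chain, and `HybridStore`, `keyed_commitment`, the subject identifier and the sample birthdate are all assumptions made here. It also shows the defender's check that motivates the keyed commitment: a plain hash of low-entropy personal data (a birthdate) can be tied back to the value by enumerating the small guess space, while an HMAC under a random per-record key cannot, so destroying the key and the off-chain record satisfies erasure even though the digest stays on chain.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    """One ledger entry: a link to the previous entry plus an opaque commitment."""
    prev_hash: str
    commitment: str

    def entry_hash(self) -> str:
        return hashlib.sha256(f"{self.prev_hash}|{self.commitment}".encode()).hexdigest()


class Ledger:
    """Constructed toy stand-in for an immutable public chain (append-only, hash-linked)."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, commitment: str) -> int:
        prev = self.entries[-1].entry_hash() if self.entries else self.GENESIS
        self.entries.append(Entry(prev, commitment))
        return len(self.entries) - 1

    def verify_chain(self) -> bool:
        """Integrity check: every entry must point at the hash of its predecessor."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev:
                return False
            prev = entry.entry_hash()
        return True


def naive_commitment(value: str) -> str:
    """Anti-pattern: a plain hash of personal data on chain. Low-entropy values are guessable."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_commitment(key: bytes, value: str) -> str:
    """HMAC under a random per-record key: unlinkable to the value once the key is destroyed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class HybridStore:
    """Hybrid model (assumed design): personal data and its key live off-chain; the chain holds only the HMAC."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records: Dict[str, Tuple[bytes, str, int]] = {}  # subject -> (key, data, position)

    def put(self, subject: str, value: str) -> int:
        key = secrets.token_bytes(32)
        position = self.ledger.append(keyed_commitment(key, value))
        self.records[subject] = (key, value, position)
        return position

    def verify(self, subject: str) -> bool:
        """Data integrity: does the off-chain record still match what was committed on chain?"""
        if subject not in self.records:
            return False
        key, value, position = self.records[subject]
        expected = self.ledger.entries[position].commitment
        return hmac.compare_digest(expected, keyed_commitment(key, value))

    def erase(self, subject: str) -> bool:
        """Right to erasure: drop the data and its key. The chain keeps an opaque digest only."""
        return self.records.pop(subject, None) is not None


def birthdate_candidates(first_year: int, last_year: int) -> List[str]:
    """Every ISO date in a year range: the whole guess space for a birthdate."""
    day = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    out = []
    while day <= end:
        out.append(day.isoformat())
        day += timedelta(days=1)
    return out


def recover_from_naive(commitment: str, candidates: List[str]) -> Optional[str]:
    """Defender's check: can an on-chain commitment be tied back to a value by guessing?"""
    for candidate in candidates:
        if naive_commitment(candidate) == commitment:
            return candidate
    return None


if __name__ == "__main__":
    ledger = Ledger()
    store = HybridStore(ledger)
    birthdate = "1984-03-17"  # constructed sample value
    position = store.put("subject-42", birthdate)  # constructed subject identifier
    guesses = birthdate_candidates(1950, 2010)
    print("naive hash recovered:", recover_from_naive(naive_commitment(birthdate), guesses))
    print("keyed commitment recovered:", recover_from_naive(ledger.entries[position].commitment, guesses))
    print("record verifies:", store.verify("subject-42"))
    store.erase("subject-42")
    print("after erasure, verifies:", store.verify("subject-42"), "chain intact:", ledger.verify_chain())
```

The design choice is that the chain never carries the personal data, only a keyed digest that is useless without the off-chain key; integrity can be checked for as long as the record exists, and erasure is the deletion of the key and record, which leaves the ledger's hash links untouched. A production system would encrypt the off-chain store and manage the per-record keys in a key management service, which this example leaves out.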