最有看点的互联网金融门户

最有看点的互联网金融门户
全新的互联网金融模式国际资讯监管与政策

当区块链遇见欧盟的通用数据保护条例(GDPR)

全新的互联网金融模式国际资讯监管与政策

当区块链遇见欧盟的通用数据保护条例(GDPR)

通用数据保护条例(GDPR)是由欧盟制定的全面、严格的个人数据隐私法律框架,于2016年通过,经过两年的过渡期后,现已于5月25日正式生效。该条例是自1995年以来对欧盟数据保护法的首次重大改革。

GDPR的目标是在欧洲范围内建立统一的数据监管框架,并加强个人对其数据存储和使用的控制。据隐私权专家国际协会(IAPP)预测,全球财富500强企业或将花费近80亿美元,以确保其符合GDPR的标准。但这对区块链来说意味着什么?

GDPR最初由欧盟委员会于2012年提出,最初侧重于云服务和社交网络,当时还没有区块链的存在。乍一看,人们可能会认为GDPR和区块链之间存在直接矛盾。例如,在GDPR中提出的许多原则中存在的“可删除权”与不变的性质是相反的,而不变的性质恰好是区块链技术的核心。假设这个矛盾存在,就引出了一个问题:在纯粹的分散式区块链系统中,谁是负有责任的数据处理者?

尽管如此,区块链与GDPR其实也有很多共同的目标。两者都旨在分散对数据的控制,并调和中央服务提供商和终端用户之间的权利不平等问题。一个很有前景的研究途径是将可信硬件和区块链结合。在公共区块链上,数据在网络中的所有机器上都可以复制和共享。这使得交易数据和隐私的删除成为用户的噩梦。近期包括因特尔SGX在内的一些研究已经开始探索如何可以提供安全和保密的数据存储和隐私。

将可信计算与公共区块链结合在一起意味着可以保护数据隐私免受外部威胁的影响,并将其存储在链外,而区块链则充当最终裁决的角色来决定谁有访问数据的权限。由于智能合约意味着不再需要信任集中服务提供商,因此用户可以通过区块链和可信硬件的结合拥有完全管理数据权限,即可将数据的控制权和隐私权归还给用户。

The General Data Protection Regulation (GDPR), a sweeping and stringent European Union (EU) wide legal framework for personal data privacy, became effective on May 25. Ready or not, this framework is going to drastically transform the business of any digital venture. The International Association of Privacy Professionals (IAPP) forecast that at least 75,000 privacy jobs will be created as a result, and that Fortune's Global 500 companies will spend close to $8 bln in order to ensure they are compliant with the GDPR. But what does this mean for the blockchain?

The GDPR’s goals are: to create a uniform data regulation framework within Europe, and to strengthen individuals’ control over the storage and use of their personal data. It was adopted in 2016, and after a two-year transition period, is now in force.

Obligations and rights

The GDPR introduces new procedural and organizational obligations for "data processors" - including corporate as well as public entities, and gives more rights to “data subjects” - the term it uses for individuals.

Public and private organizations, when left to themselves, tend to accumulate data even before knowing what they will do with it, sort of "gold rush" in personal data acquisition. The GDPR goes against this habit by specifying that data processors should not collect data beyond what is directly useful to their immediate interaction with consumers. In effect, the data harvest should be “adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed” (Article 39 of the GDPR).

Besides setting out what is or isn’t allowed, the GDPR also specifies organizational guidelines that data processors will need to adopt from now on. For instance, their technological architecture will have to erase by default consumer data after using it - "privacy by design".

Secondly, any entity considered to be a “data nexus” will be required to have a Data Protection Officer (DPO) responsible for managing compliance with the GDPR. This DPO will be under the legal obligation to alert the supervisory authority whenever a risk to data subject's privacy arises (Article 33).

Data subjects, on the other hand, will be better informed on how their private data is stored and processed (Article 15). They will, for instance, have the right to ask for a copy of the information companies held about them. Furthermore, data processors have to inform the data subjects in details about the processing of the data, and how it is shared or acquired.

Besides transparency, the GDPR provides citizens more control on how their data is used. Article 17 lists conditions under which they will be able to request the deletion of their data from business databases, or the so called "right of erasure".

As Sarah Gordon and Aliya Ram remarked in the Financial Times however, "ultimately, the impact of GDPR will depend on whether individuals decide to exercise the greater powers the rules give them". When is the last time you refused your consent to Facebook’s privacy policy?

A loaded gun with global reach

The GDPR imposes extremely hefty fees for companies not abiding by it. Furthermore, its reach goes far beyond the EU.

For companies, a visit from the data protection auditor might become even more scary than a visit from the tax inspector. An intentional, or repeated, non-compliance with the principles laid out by the GDPR will lead to a fine up to €20 mln or up to 4 percent of the annual worldwide turnover of the offender - whichever is greater. Rather than just relying on companies' DPOs to ring the alarm bell, regular data protection audits are also going to be carried out.

Even though stricto sensu, it only protects data subject within the EU, the GDPR's reach is, in practice, global. For a start, data processors located outside the EU that handle the personal information of EU residents will have to abide by it.

Also, the EU innovates in that it now ties data flows to trade flows: any country wanting to sign a trade deal with the EU will have to sign up to respecting GDPR. In the past decade, the USA has become the world economic police, fining banks huge amounts for not complying with its anti money laundering regulations. With the GDPR, will the EU become the world's data protection champion?

Is blockchain escaping the GDPR?

The GDPR was first proposed by the European Commission in 2012, with an initial focus on cloud services and social networks, at a time when blockchain was not a known word. Cloud services and social networks, at least in the pre-blockchain world, are organized mostly centrally: many data subjects interact with a unique server entity - the data processor/controller. Central management creates an easy single attack point for regulators. But how will the GDPR affect decentralized protocols such as public blockchains?

It is clear that given the thin line between pseudonymity and identification – the blockchain stores some potentially personal data - starting with one’s transaction history. It could as such fall into the scope of the GDPR.

At first glance, one might think there is a direct contradiction between GDPR and public blockchains.  For instance, among the many principles set out in the GDPR, the "right to erasure" appears to be particularly at odds with the immutable nature that, in common parlance, is at the core of the blockchain technology. Assuming for a moment this contradiction holds, this begs the question: who are the accountable data processors in a purely decentralized blockchain system?

All in all, articulating the logic of the GDPR and the blockchain, using the “data processor”/ “data subject” divide, seems difficult. No doubt a strenuous legal debate lies ahead.

Blockchain with GDPR?

Nevertheless, the the blockchain shares many goals with the GDPR. Both aim at decentralizing data control, and tempering the power inequality between centralized service providers - in part by suppressing these, in the blockchain mythos - and end users. While the original Bitcoin specification didn’t guarantee anonymity, many technological innovations, ranging from elementary tumblers to zk-SNARK applications, brought us closer to this ideal. This type of anonymity is probably not what the regulator is after however - are there solutions suggested by the blockchain which would be more easily accepted by the regulator?

One particularly promising research avenue is the combination of trusted hardware and blockchains. On public blockchains, all data is replicated and shared across all machines in the network. This makes transaction data deletion, and privacy, a nightmare for users. Recent research has begun looking into how “trusted computing enclaves", such as Intel SGX, could provide secure and confidential data storage and privacy.

Combining trusted computing with public blockchains means that the privacy of data can be protected from outside threats, and stored off-chain, with the blockchain acting as the final judge for who can access that data or not. Because smart contracts mean no longer having to trust centralized service providers, data rights can be managed exclusively via the blockchain and trusted hardware, by users; returning control and privacy of their data back to them. Several projects currently pursue this idea, in the hope it could transform the blockchain from a GDPR nightmare to a fairytale.

One such attempt is a joint effort of Imperial College London and Cornell University. Teechain, is a project which uses trusted hardware to enable secure and efficient off-chain transactions for a public blockchain. It takes an interesting step towards asking whether or not transaction privacy can be found on all public blockchains, not just those that provide anonymity by default. An alternative project, which also led to live demonstrations, is the collaboration between iExec and Intel initiated within the Enterprise Ethereum Alliance (EEA).

Are your favorite blockchain projects taking the necessary steps to adapt to this privacy law earthquake? If not, maybe it is time to implement products with “privacy by design” at their core. As always, constraints will breed creativity.


用微信扫描可以分享至好友和朋友圈

扫描二维码或搜索微信号“iweiyangx”
关注未央网官方微信公众号,获取互联网金融领域前沿资讯。

发表评论

发表评论

您的评论提交后会进行审核,审核通过的留言会展示在下方留言区域,请耐心等待。

评论

您的个人信息不会被公开,请放心填写! 标记为的是必填项

取消

区块科技研究与监管未央青年

27
总文章数

清华大学金融科技研究院旗下公众号(ID:BlockchainDirect)

瑞士和以色列将在区块链监管方面展开合作

Conor Malo... | 巴比特资讯 1天前

纽约大学在美国开设第一个加密货币专业

Ana Alexan... | 鸵鸟创投媒... 1天前

SparkLabs宣布将在美国成立首个区块链加速器,选址华盛顿

Jon Russel... 1天前

SEC:别以为用区块链就不必遵守会计准则

区块科技研究与监管 2天前

全球多家大型机构联合成立区块链大宗商品交易融资平台

Marie Huil... | 巴比特资讯 2天前

版权所有 © 清华大学五道口金融学院互联网金融实验室 | 京ICP备17044750号-1