The General Data Protection Regulation (GDPR) and Blockchain: Threat or Opportunity?


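The General Data Protection Regulation (GDPR), a stringent and sweeping EU legal framework for personal data privacy, quietly came into effect on May 25. First adopted in 2016, the regulation is now formally in force after a two-year transition period. Ready or not, this legal framework is going to thoroughly transform the entire digital economy. But what does it mean for the blockchain industry?

The GDPR's goals are to create a uniform data management framework across Europe and to strengthen citizens' rights over the storage and use of their personal data.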

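New rights and responsibilities

The GDPR introduces new procedural and organizational obligations for the companies and public bodies that act as "data processors", and gives more rights to the individuals who are "data subjects".

Public and private organizations alike, when left unregulated, tend to accumulate user data on a large scale before they even know what to do with it, a kind of "gold rush" for personal data. The GDPR breaks this habit by specifying that data processors must not collect data that is not necessary for their direct interaction with consumers. In practice, data collection should be "adequate, relevant to the purpose and limited to the minimum" (Article 39 of the GDPR).

First, the GDPR sets out what is and is not allowed, and specifies the organizational code of conduct that data processors must adopt from now on. For example, a company's technical architecture must, by default, delete consumer data after using it.

Second, any entity deemed a "data nexus" must have a Data Protection Officer (DPO) responsible for GDPR compliance. The DPO will alert the supervisory authority whenever a risk to data subjects' privacy arises, and bears the related legal responsibility (Article 33).

Data subjects, in turn, will be better informed about how their personal data is stored and used (Article 15). For example, individuals have the right to ask a company for the private information it holds about them. In addition, data processors must inform data subjects in detail about how the data is acquired and shared.

Beyond transparency, the GDPR also gives citizens greater control over their personal data. Article 17 establishes that citizens have the right to ask a company to delete their personal data from its databases, the so-called "right to erasure".

As Sarah Gordon and Aliya Ram put it in the Financial Times: "ultimately, the impact of GDPR will depend on whether individuals decide to exercise the greater powers the rules give them". When did you last refuse Facebook's privacy terms?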

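A reach beyond the EU, with global impact

The GDPR imposes huge fines on companies that break the rules, and its reach extends far beyond the EU.

For companies, being targeted by a data protection officer may be scarier than being targeted by a tax inspector. Companies that intentionally or repeatedly violate the GDPR will be fined €20 million or 4 percent of their global turnover. Companies face not only alerts from the data protection officer but also regular data protection audits.

Although on the surface the GDPR only protects the data rights of EU citizens, in practice its impact is global. First, companies located outside the EU must also comply with the GDPR if they process the personal information of EU residents. In addition, the EU innovates in that it now ties data flows to trade flows: any country that wants to sign a trade agreement with the EU must agree to comply with the GDPR.

Over the past decade, the United States has become the police of the world economy, imposing huge fines on banks that fail to comply with its anti-money-laundering rules. With the GDPR, will the EU become the world's leader in data protection?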

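Can blockchain escape the GDPR?

The GDPR was first proposed by the European Commission in 2012, with an initial focus on cloud services and social networks, at a time when blockchain was not yet a widely known term. At least in the pre-blockchain world, cloud services and social networks were mostly organized centrally: many data subjects share a single server entity, the data processor/controller. Centralized organizations are easy to regulate, but how will the GDPR affect decentralized protocols such as public blockchains?

It is easy to see that, given the fine line between pseudonyms and real identities, the blockchain stores a lot of potentially personal data, such as an individual's transaction history, which brings it within the scope of the GDPR. At first glance, one might think there is a direct contradiction between the GDPR and public blockchains. For example, among the many principles set out in the GDPR, the "right to erasure" appears to conflict with immutability, which is at the core of blockchain technology. Assuming for the moment that this contradiction holds, it raises another question: who is the data processor in a purely decentralized blockchain system?

All in all, articulating the logic of the GDPR and the blockchain in terms of the "data processor" and "data subject" divide seems difficult. No doubt a fierce legal debate lies ahead.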

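A GDPR-compliant blockchain?

Nevertheless, the blockchain and the GDPR share many goals. Both decentralize control over data and temper the power imbalance between centralized service providers and end users. Although the original Bitcoin protocol did not guarantee anonymity, many technological innovations, from basic tumblers to zk-SNARK technology, have brought us closer and closer to this ideal. This kind of anonymity, however, may not be what regulators want: are there blockchain solutions that regulators would accept more readily?

One particularly promising research direction is the combination of trusted hardware and blockchains. On a public blockchain, all data is replicated and shared across every machine in the network, which makes deleting transaction data a nightmare for users. Recent research has begun to explore how "trusted computing enclaves", such as Intel SGX, can provide secure and confidential data storage.

Combining trusted computing with public blockchains means that the privacy of data can be protected from outside threats. The data is stored off-chain, while the public blockchain acts as the final arbiter of who can access it. Because smart contracts mean there is no longer any need to trust centralized service providers, data permissions can be managed exclusively by users through the blockchain and trusted hardware, ultimately returning control and privacy of the data to users.

One such attempt is Teechain, a joint project of Imperial College London and Cornell University, which uses trusted hardware to enable secure and efficient off-chain transactions for public blockchains. Another project is the collaboration initiated by iExec and Intel within the Enterprise Ethereum Alliance (EEA).

Has your favorite blockchain project taken the necessary steps to respond to this privacy law earthquake? If not, perhaps it is time to build products with "privacy by design" at their core.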

The General Data Protection Regulation (GDPR), a sweeping and stringent European Union (EU) wide legal framework for personal data privacy, became effective on May 25. Ready or not, this framework is going to drastically transform the business of any digital venture. The International Association of Privacy Professionals (IAPP) forecast that at least 75,000 privacy jobs will be created as a result, and that Fortune's Global 500 companies will spend close to $8 bln in order to ensure they are compliant with the GDPR. But what does this mean for the blockchain?

The GDPR’s goals are: to create a uniform data regulation framework within Europe, and to strengthen individuals’ control over the storage and use of their personal data. It was adopted in 2016, and after a two-year transition period, is now in force.

Obligations and rights

The GDPR introduces new procedural and organizational obligations for "data processors" - including corporate as well as public entities, and gives more rights to “data subjects” - the term it uses for individuals.

Public and private organizations, when left to themselves, tend to accumulate data even before knowing what they will do with it, a sort of "gold rush" in personal data acquisition. The GDPR goes against this habit by specifying that data processors should not collect data beyond what is directly useful to their immediate interaction with consumers. In effect, the data harvest should be “adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed” (Article 39 of the GDPR).

Besides setting out what is or isn’t allowed, the GDPR also specifies organizational guidelines that data processors will need to adopt from now on. For instance, their technological architecture will, by default, have to erase consumer data after using it - "privacy by design".

Secondly, any entity considered to be a “data nexus” will be required to have a Data Protection Officer (DPO) responsible for managing compliance with the GDPR. This DPO will be under the legal obligation to alert the supervisory authority whenever a risk to a data subject's privacy arises (Article 33).

Data subjects, on the other hand, will be better informed about how their private data is stored and processed (Article 15). They will, for instance, have the right to ask for a copy of the information companies hold about them. Furthermore, data processors have to inform the data subjects in detail about the processing of the data, and how it is shared or acquired.

Besides transparency, the GDPR gives citizens more control over how their data is used. Article 17 lists conditions under which they will be able to request the deletion of their data from business databases, the so-called "right of erasure".

As Sarah Gordon and Aliya Ram remarked in the Financial Times, however, "ultimately, the impact of GDPR will depend on whether individuals decide to exercise the greater powers the rules give them". When was the last time you refused your consent to Facebook’s privacy policy?

A loaded gun with global reach

The GDPR imposes extremely hefty fines on companies not abiding by it. Furthermore, its reach goes far beyond the EU.

For companies, a visit from the data protection auditor might become even scarier than a visit from the tax inspector. An intentional, or repeated, non-compliance with the principles laid out by the GDPR will lead to a fine of up to €20 mln or up to 4 percent of the annual worldwide turnover of the offender - whichever is greater. Rather than just relying on companies' DPOs to ring the alarm bell, regular data protection audits are also going to be carried out.

Even though, strictly speaking, it only protects data subjects within the EU, the GDPR's reach is, in practice, global. For a start, data processors located outside the EU that handle the personal information of EU residents will have to abide by it.

Also, the EU innovates in that it now ties data flows to trade flows: any country wanting to sign a trade deal with the EU will have to sign up to respecting the GDPR. In the past decade, the USA has become the world economic police, fining banks huge amounts for not complying with its anti-money-laundering regulations. With the GDPR, will the EU become the world's data protection champion?

Is blockchain escaping the GDPR?

The GDPR was first proposed by the European Commission in 2012, with an initial focus on cloud services and social networks, at a time when blockchain was not a known word. Cloud services and social networks, at least in the pre-blockchain world, are organized mostly centrally: many data subjects interact with a unique server entity - the data processor/controller. Central management creates an easy single attack point for regulators. But how will the GDPR affect decentralized protocols such as public blockchains?

It is clear that, given the thin line between pseudonymity and identification, the blockchain stores some potentially personal data – starting with one’s transaction history. It could as such fall into the scope of the GDPR.

At first glance, one might think there is a direct contradiction between the GDPR and public blockchains. For instance, among the many principles set out in the GDPR, the "right to erasure" appears to be particularly at odds with the immutable nature that, in common parlance, is at the core of blockchain technology. Assuming for a moment this contradiction holds, this raises the question: who are the accountable data processors in a purely decentralized blockchain system?

All in all, articulating the logic of the GDPR and the blockchain, using the “data processor”/ “data subject” divide, seems difficult. No doubt a strenuous legal debate lies ahead.

Blockchain with GDPR?

Nevertheless, the blockchain shares many goals with the GDPR. Both aim at decentralizing data control, and tempering the power inequality between centralized service providers - in part by suppressing these, in the blockchain mythos - and end users. While the original Bitcoin specification didn’t guarantee anonymity, many technological innovations, ranging from elementary tumblers to zk-SNARK applications, brought us closer to this ideal. This type of anonymity is probably not what the regulator is after however - are there solutions suggested by the blockchain which would be more easily accepted by the regulator?

One particularly promising research avenue is the combination of trusted hardware and blockchains. On public blockchains, all data is replicated and shared across all machines in the network. This makes transaction data deletion, and privacy, a nightmare for users. Recent research has begun looking into how "trusted computing enclaves", such as Intel SGX, could provide secure and confidential data storage and privacy.

Combining trusted computing with public blockchains means that the privacy of data can be protected from outside threats, and stored off-chain, with the blockchain acting as the final judge for who can access that data or not. Because smart contracts mean no longer having to trust centralized service providers, data rights can be managed exclusively via the blockchain and trusted hardware, by users, returning control and privacy of their data back to them. Several projects currently pursue this idea, in the hope it could transform the blockchain from a GDPR nightmare to a fairytale.

One such attempt is a joint effort of Imperial College London and Cornell University. Teechain is a project which uses trusted hardware to enable secure and efficient off-chain transactions for a public blockchain. It takes an interesting step towards asking whether or not transaction privacy can be found on all public blockchains, not just those that provide anonymity by default. An alternative project, which also led to live demonstrations, is the collaboration between iExec and Intel initiated within the Enterprise Ethereum Alliance (EEA).
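
A minimal model of the off-chain storage arrangement this article describes (personal data held off-chain, the ledger deciding who may read it), as an added example that is not code from the article, Teechain or iExec. The `Ledger` and `OffChainStore` classes, the event fields and the owner-only rule are assumptions made for illustration, and the store only stands in for an enclave such as Intel SGX.

```python
import hashlib, json, secrets

def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class Ledger:  # append-only hash chain standing in for the public blockchain (assumption)
    def __init__(self):
        self.blocks = []  # each block: {"prev": ..., "event": ..., "hash": ...}

    def owner(self, record):  # the first event written for a record fixes its owner
        return next((b["event"]["by"] for b in self.blocks if b["event"]["record"] == record), None)

    def append(self, op, record, reader, by):
        if self.owner(record) not in (None, by):  # contract rule: only the owner changes access
            raise PermissionError("only the record owner may change access")
        event = {"op": op, "record": record, "reader": reader, "by": by}
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "event": event, "hash": _digest(prev, event)})

    def verify(self):  # editing any earlier block breaks the chain
        prevs = ["0" * 64] + [b["hash"] for b in self.blocks]
        return all((b["prev"], b["hash"]) == (p, _digest(p, b["event"]))
                   for p, b in zip(prevs, self.blocks))

    def allowed(self, record, reader):  # the latest grant/revoke for this pair wins
        ops = [b["event"]["op"] for b in self.blocks
               if (b["event"]["record"], b["event"]["reader"]) == (record, reader)]
        return bool(ops) and ops[-1] == "grant"

class OffChainStore:  # stand-in for an enclave-protected store (no real SGX involved)
    def __init__(self, ledger):
        self.ledger, self.data = ledger, {}

    def put(self, owner, payload):
        record = secrets.token_hex(8)  # random id: nothing derived from the payload goes on-chain
        self.data[record] = payload
        self.ledger.append("grant", record, owner, by=owner)
        return record

    def read(self, record, reader):
        if not self.ledger.allowed(record, reader):
            raise PermissionError("ledger does not grant access")
        return self.data.get(record)  # None once the record has been erased

    def erase(self, record, by):  # deletes only the off-chain copy; the ledger is never rewritten
        if self.ledger.owner(record) != by:
            raise PermissionError("only the record owner may erase")
        return self.data.pop(record, None) is not None
```

After `erase`, the payload is gone while `verify()` still passes, because the chain only ever held a random record id and access events. The reader names stay on the ledger, so in a real deployment they would be pseudonymous keys rather than identities.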

Are your favorite blockchain projects taking the necessary steps to adapt to this privacy law earthquake? If not, maybe it is time to implement products with “privacy by design” at their core. As always, constraints will breed creativity.

