
Ep 55: Applying GDPR to the Blockchain ft. Clifford Chance

S1 E55 · The Owl Explains Hootenanny

Can blockchains ever truly be privacy-compliant? Clifford Chance lawyers walk through the gray areas, from wallet addresses to pseudonymous data, and explain what regulators are starting to expect.

Transcript

Introduction to Owl Explains Hootenanny

00:00:06
Speaker
Hello and welcome to this Owl Explains Hootenanny, our podcast series where you can wise up on blockchain and Web3 as we talk to the people seeking to build a better internet.
00:00:17
Speaker
Owl Explains is powered by Avalabs, a blockchain software company and participant in the Avalanche ecosystem. My name is Silvia Sanchez, project manager of Owl Explains, and with that, I'll hand it over to today's amazing speakers.

Blockchain & Data Privacy Overview

00:00:33
Speaker
Hi everyone. I'm Helen Kim, part of the legal team at AvaLabs and your host for today's podcast. We're talking today with three legal experts about the critical tension between blockchain technology and data privacy.
00:00:48
Speaker
Owl Explains listeners know that immutability, pseudonymity, and transparency are key features of distributed ledger technology. But what does that mean for privacy rights enshrined in laws like the GDPR in Europe, the CCPA in California, and similar laws in other jurisdictions?
00:01:05
Speaker
Can we honor the right to privacy on the blockchain when the very nature of blockchain makes it impossible to delete or alter data already verified in past blocks? What constitutes personal data on the blockchain anyway?
00:01:18
Speaker
In Europe, where regulators and courts are actively working on these issues, these are not theoretical questions.

Meet the Experts: Legal and Tech Perspectives

00:01:25
Speaker
And here to talk about this topic today are my guests. Diego Ballon is one of the partners spearheading the Clifford Chance fintech offering out of London.
00:01:33
Speaker
He is a recognized expert in regulatory policy development, particularly in the context of crypto assets and the uses of digital ledger technology in traditional financial markets.
00:01:44
Speaker
He gained significant experience in financial regulation working at the UK Financial Conduct Authority and its predecessor organization from 2010 to 2015. Stephanie O'Hara is a senior associate in Clifford Chance's London office.
00:02:00
Speaker
She advises clients across the world from different industries on a range of tech and data matters, including compliance with data protection laws. She has a previous career in financial services IT and has also worked for a cryptocurrency exchange for a short period of time before becoming a lawyer.
00:02:18
Speaker
Rita Flakehold is the Global Head of Tech Group Knowledge. She supports the Clifford Chance Cross-Practice Global Tech Group through monitoring and analyzing legal developments, facilitating knowledge sharing, and directing thought leadership.
00:02:32
Speaker
Her work spans tech-related law, including data and cyber governance, tech-intensive transactions, digital ethics, and emerging technologies. Welcome to Owl Explains, Diego, Stephanie, and Rita.
00:02:46
Speaker
This is such a fascinating topic, and we have a lot to talk about, so let's get right

GDPR and Personal Data Protection in Europe

00:02:51
Speaker
to it. So we're going to set the stage a little bit and talk generally about blockchain and privacy for a few minutes. And my first question to our guests is,
00:02:59
Speaker
How is personal data protection regulated in Europe on a high level? Thank you, Helen. Yes, in the EU, it's the GDPR, the General Data Protection Regulation, which I think most people are familiar with or at least have heard of.
00:03:16
Speaker
That is the central piece of legislation regulating personal data protection in the EU. And I think one of the reasons it's quite well known is because it applies not just within the EU but outside of it, so long as it's dealing with the processing of personal data of individuals in the EU.
00:03:39
Speaker
So, for example, it could be a business outside of the EU but providing services to customers in the EU; because you're providing services to them, the processing relating to that could basically come within the scope of the GDPR.
00:03:59
Speaker
And the GDPR is essentially based on a number of key principles. And I think I'll mention a few that are particularly relevant for today's topic.
00:04:10
Speaker
And the first one is the principle of accountability. So the GDPR breaks down, categorizes the parties processing personal data into two categories.
00:04:22
Speaker
So the data controller and the data processor. And it's the controller that is the person that determines why they are processing personal data and how they're processing it.
00:04:37
Speaker
The processor is the person who is just merely acting on the instructions. And they have different responsibilities. Under the GDPR, they can both be liable for compliance, but really it's the controllers who bear the primary responsibility.
00:04:54
Speaker
They have the majority of the obligations. And so there's also, you need to have a contract in place between controllers and processors. Oh, great. So thank you, Stephanie. So I gather that the GDPR has quite a broad scope.
00:05:08
Speaker
And what you're saying is that there's a controller and a processor, and the controller controls, directs how the data is going to be used, and the processor follows

Challenges of GDPR in Blockchain

00:05:17
Speaker
its directions. Is that correct? All right.
00:05:19
Speaker
So my next question is then, what is the interplay between blockchain and personal data protection under the GDPR? Yes. So blockchain can be used for so many different purposes.
00:05:32
Speaker
And some of the data processed on it can include personal data. I mean, one example being online identifiers, like wallet addresses, for example. So if you're processing that, there's a need to think about GDPR. But actually applying GDPR concepts to blockchain is quite difficult.
00:05:57
Speaker
Essentially for the reasons you've already mentioned at the beginning of the podcast, because it's decentralized and because it's immutable in nature. So I mentioned the accountability point earlier, but identifying different participants, distinguishing who's the controller, who's the processor, that's actually difficult in a decentralized context, but particularly in public permissionless blockchains.
00:06:23
Speaker
And the immutable nature as well, because GDPR gives rights to individuals to request, for example, their data to be corrected if it's out of date or wrong, or erased if they request it. And that's obviously quite difficult in the blockchain context. So this challenge in reconciling GDPR with blockchain is well known, and it's been...
00:06:51
Speaker
a topic of discussion for some time, really pretty much ever since GDPR came into being. And various bodies have talked about it, published studies on it, but it does seem like it's come back into the spotlight somewhat in recent months.
00:07:08
Speaker
For example, the European Data Protection Board put out draft guidelines on this topic in spring. And more recently, the UK's data protection regulator, the ICO, released draft guidelines.
00:07:22
Speaker
Yes, and I know we're going to get into some of those topics later. So that's really interesting. When I started looking into this topic, getting ready for this podcast, I was thinking about the nature of the blockchain and wondering,
00:07:37
Speaker
Who would be the controller in a blockchain context? And who would be the processor? This is a permissionless network. There are smart contracts automatically carrying out the directions given by the user.
00:07:50
Speaker
The user indicates what they want. Is the user the controller? Is the smart contract the controller? Then who's responsible for any of these obligations that are coming down on either party?
00:08:02
Speaker
So, a really interesting topic. Last in the setting-the-stage kind of category, why should users and blockchain companies be concerned about this tension that we've identified?
00:08:15
Speaker
Yes, because if your business involves the blockchain or you're a participant, you want to really understand if you have an obligation under GDPR or similar laws and what they are.
00:08:30
Speaker
So that, you know, does impact the level of responsibility you might have, what you might have to do. This is difficult, and it has been widely acknowledged as difficult, but it seems like there's a bit more regulatory interest now. So I think it is a point to be monitored.
00:08:52
Speaker
And I've just heard in the news and followed this somewhat, just superficially, but the GDPR fines can be quite steep, correct? Yes.
00:09:04
Speaker
It's one of the, I think, other reasons that it's quite well known. It can be high. The maximum is 20 million euros or 4% of the annual global turnover of your organization, whichever is higher. So it is quite steep.
00:09:18
Speaker
Do you know off the bat whether any blockchain companies have had to pay any fines? Actually, I'm afraid I don't know off the top of my head. That would be, yeah, interesting to look at.
00:09:31
Speaker
We have actually tried to find out, Helen. And actually, it seems to me, because I did a bit of research on this, that because we're going to talk about some of the guidelines that are coming out in Europe, I'm sure as part of this podcast,
00:09:49
Speaker
I think because there was a bit of uncertainty as to how this whole thing applies and there were no guidelines, a lot of this has been pushed down the road. It's not to say that it didn't apply. It's just that people have not been focusing on enforcement.
00:10:02
Speaker
And, you know, the GDPR has been in place for a long time. And like many things in the crypto space, we're learning how traditional regulation applies to this new setting, right? We've seen that in other contexts.
00:10:17
Speaker
And the tricky bit about this, and Stephanie and Rita will give us more detail on it, is how some of these concepts have to be shoehorned into this. And so I think that's the reason why regulators weren't that focused. But once there is the guidance and they have a steer as to where they should be applying it and how it should be applied, I think the risk of enforcement really goes up. And the fact that these things are real and actually make you change your behavior as a business
00:10:54
Speaker
is really obvious if you look at some other requirements that GDPR imposes. I mean, not least the cookie policies that we've got on virtually every site that we access.
00:11:06
Speaker
That is partly driven by GDPR and the fear of potentially massive fines for website operators that may be sitting anywhere in the world but can be accessed by European persons, because the scope of GDPR is not just for people who are in the EU; it's actually much, much broader.
00:11:26
Speaker
And so that really illustrates, I think, now everybody goes online and has to face these damn cookies. And it's because the impact is really so vast. So it's just to exemplify how important this is.
00:11:41
Speaker
Thank you, Diego. So thinking about how, to date, there may not have been any clear guidance on this topic as it applies to

EDPB Guidelines on Blockchain & GDPR

00:11:50
Speaker
blockchain. But as you mentioned, Stephanie, the European Data Protection Board has issued some guidelines which do address GDPR and the blockchain.
00:12:02
Speaker
So for our non-legal and non-EU listeners, could you briefly describe what the EDPB is and what significance its guidelines have?
00:12:13
Speaker
Yes, of course. The EDPB, European Data Protection Board, is an EU body that's essentially responsible for making sure that the GDPR is consistently applied throughout Europe.
00:12:27
Speaker
A large part of it is formed by heads of the data protection authorities in each EU member state. It brings them together, really, to ensure a harmonised approach. One of their responsibilities is to provide guidance, recommendations and so on, on the interpretation of the GDPR.
00:12:48
Speaker
And the guidelines, which I mentioned earlier, they do basically reflect its interpretation of the GDPR.
00:13:00
Speaker
So they're not legally binding, but they do have significant influence. They do serve as an authoritative interpretation of how the law applies. And it is generally followed by the data protection authorities and the courts. It's quite important.
00:13:18
Speaker
Interesting. And when were these guidelines issued? The drafts came out in April, opened up for public consultation for a couple of months, I believe, and closed in June.
00:13:35
Speaker
So will these guidelines be changing, per the comments or in response? It could be. I think the EDPB is currently going through all of the responses. And they'll be publishing a final report.
00:13:54
Speaker
Yeah, hi, this is Rita. I would agree with Stephanie that they could be. In the past, we have not seen a tendency towards meaningfully changing the substantive guidelines between the initial draft and what you see at the end of the consultation.
00:14:14
Speaker
But it is a technical subject and the EDPB was receiving views from experts in this area, people who are dealing with these technologies today. So there could be edits.
00:14:25
Speaker
I just don't want to get anyone's hopes up that they are going to be drastically different from the drafts that we have seen. So let's get into sort of the blockchain community's reaction to these guidelines in a minute. But could you describe for us before we do that what the guidelines say?
00:14:42
Speaker
Great, yeah, I can take that one. And I'll probably bring together a few themes from the EDPB guidelines, but also some of the things that the ICO, so the UK's Data Protection Authority, is also touching on in its draft guidelines, which it recently opened for consultation. So they're more recent. They came out at the end of August and they're open for consultation at the moment until early November.
00:15:07
Speaker
So the draft guidelines outline key GDPR compliance considerations for organisations that are thinking of using blockchain. And to some degree, that is actually the framing, at least for the EDPB ones especially. So almost as though we're at the start of our blockchain adoption journey, and we're wondering which ones to use.
00:15:30
Speaker
I want to pull out maybe five key things, because the guidelines are quite long, about 25 pages, and in some places a little dense. But I think for me the things that stood out were: there's this very broad view of personal data, which people should understand might not be familiar to people who may be in other jurisdictions. But under the GDPR and in these EDPB guidelines it's a very, very broad view of personal data. As Stephanie said, it pulls out online identifiers as the example, so things
00:16:06
Speaker
like public key data, unique transaction identifiers, wallet addresses, those sorts of things where the user is a natural person. So someone like you and me, an individual, and those keys can be used to identify individuals through means that would be reasonably likely to be used to make that link.
00:16:28
Speaker
And it says even where those sorts of identifiers are then hidden using cryptographic tools, the EDPB flags that the data that replaces those identifiers might still be personal data.
00:16:41
Speaker
And it all comes back to an ability to link it back to an individual or use it to single out an individual. And I do want to come back to this because it's really fundamental. And there's some really interesting case law around that sort of data, so pseudonymized data where it's not directly linked to an individual, and the question about the perspectives from which you look at that. But just putting a pin in that for a moment, the other things that I would flag at the high level around the guidance are,
00:17:09
Speaker
that the EDPB and the ICO both acknowledge data protection challenges arising from the characteristics of blockchain. So the things that Stephanie touched on around the quasi-immutable nature and kind of distributed nature and structure.
00:17:29
Speaker
But they do take a very hard line. So the tone is rather strict. They take the position that technical limitations are not valid reasons for noncompliance with the GDPR.
00:17:44
Speaker
So this is a similar stance that we're seeing them wanting to adopt with AI, I think. And the quote is, the EDPB emphasizes that technical impossibility cannot be invoked to justify non-compliance with GDPR requirements. So that's where they are coming at this from.
00:18:02
Speaker
And so you can imagine there has been a lot of feedback around that. So they go through reminders of the different obligations under GDPR, the things that Stephanie outlined around transparency requirements, the fact that you need to have contracts in place between certain types of people handling data.
00:18:27
Speaker
You have to think about things like data transfers, and people, data subjects we call them, people who the data relates to, have certain rights. Stephanie flagged some of the key tricky ones in this space around things like erasure and correction of data.
00:18:44
Speaker
And it makes the point that it's really important to understand whether you're a controller or a processor. So what you were saying earlier, Helen, how do you think about this in a blockchain ecosystem?
00:18:57
Speaker
They start off with that point. So the obligations that you have under GDPR and the UK's equivalent, UK GDPR, hang off these controller and processor definitions, and that sort of shapes what your obligations are. The EDPB keeps it all quite theoretical, but actually the ICO guidance has got some helpful examples in it around this. So it says, for example, the participants that create transactions containing personal information and then send them for validation, they say those are likely to be controllers.
00:19:38
Speaker
And they say that's because they're making decisions around why data is being processed. And if there is a group of those participants that do that role, they are what I guess are termed joint controllers, who do this together.
00:19:53
Speaker
And then it gives an example of validator nodes. So if they operate as a validator node, the ICO says they're quite likely to be processors as long as they're only validating transactions that other participants write and they don't set the purposes or means of processing.
00:20:14
Speaker
So those are some examples that the ICO is considering in its draft guidance. The EDPB doesn't get that concrete, I would say, but it has the same principles underneath those two concepts.
00:20:28
Speaker
Well, a lot to unpack there, Rita. Thank you so much for going through that. So what I'm hearing about the EDPB guidelines is first that their view of personal data is very broad. And even if it's cryptographically hidden, it still might be considered personal data and therefore fall under the GDPR and be subject to all the requirements under the GDPR.
00:20:55
Speaker
But when you say that technical challenges are not an excuse not to comply with GDPR,
00:21:11
Speaker
Where does that leave blockchain? As far as I know, and I'm not a tech person, but if I have an immutable blockchain, I can't go back and erase something.
00:21:23
Speaker
It's going to wreck the blockchain. But what has been the reaction from the blockchain community about

Community Reactions to GDPR Compliance

00:21:33
Speaker
this? Well, they don't quite leave it there, I should say. I feel like I have maybe done them a disservice. But there are some practical suggestions, one of the main things being: don't put data that's directly linked to an individual on the blockchain. So put something on the blockchain that...
00:21:52
Speaker
is indirect, so you can't from that data get to, say, me and say that's my transaction, for example. You could still maybe get to that through data that's stored off-chain, and what the guidance is saying is: try to make sure that the connection between the two, the way you store that off-chain data, is such that you can break that chain and therefore render anonymous what's left on the chain, because there's no longer that breadcrumb back to an individual person like me. So that's one of the ways that they are suggesting that you can try to...
00:22:31
Speaker
be able to, because you could maybe then change the off-chain data, or you could erase it in theory, if you can, because there might be other things that stop you being able to do that. That's one of their suggestions for how you might think about this, given that, as you say, you can't change the previous blocks and what was already on there. I mean, I think in practice, of course, that's really difficult, right? Because you are already, Helen, you're aware of this,
00:22:59
Speaker
in the context of various blockchains, there are known wallet addresses, right? There are big wallet addresses that you know who they belong to; people monitor them. And in fact, under the travel rule, there is a requirement to submit information alongside the transactions which identifies the person for whom you're transacting. So if you're a crypto exchange, you're subject to the travel rule, you need to submit certain information about your client and the recipient, and the only way in which you can achieve compliance with the travel rule is actually by linking the pseudonymous data on the blockchain with your client information and verifying that that is actually a one-to-one match, right?
00:23:48
Speaker
So in a way, it's just really difficult to align this. We've been fighting so hard to try and get a level of transparency from an AML perspective, from a travel rule perspective, into the whole framework.
00:24:11
Speaker
And now these guidelines and the data protection agencies are coming along with a slightly different approach to the world and obviously from a very different lens, which seems to undermine some of the hard work that, you know, all the agencies around AML and money laundering and terrorist financing and all of that stuff have put in place to try to protect.
00:24:39
Speaker
And so I think that, you know, the dynamic that we're seeing is one where it feels like both hands are not talking to each other; they just do their own thing.
00:24:51
Speaker
And it obviously undermines some of the basic principles that you've got also under, for example, the MiCA regulation in Europe, right? So where you do need to make sure that you're protecting your customers and you know where they are, etc. And so I think that that type of requirement and that type of solution that is being proposed is just not really viable. It may help from time to time for certain people, but it's not a blanket solution at all.
00:25:24
Speaker
And, you know, depending on where you are in the chain, what your role is, your challenges might be either very big or, you know, big, but they're always there. There is no sort of small challenge. I think all of the providers in the chain are going to be subject to really stringent requirements. That's a really interesting point that there are even more tensions and ripple effects going out, touching on the law enforcement concerns, because I know the transparency of the blockchain has really assisted law enforcement in chasing down bad actors.
00:26:01
Speaker
And if you take that away, then we're at a negative, I think, in some respects.
00:26:12
Speaker
And I had not thought about actually the interchange with MiCA regulations and requirements as well. This is why you're the expert.

Pseudonymity, Anonymity, and Data Protection

00:26:20
Speaker
So let's talk a little bit about some specific aspects of the guidelines, both from the EDPB and the UK maybe, around the idea of pseudonymous data.
00:26:37
Speaker
And maybe we can just start out with the difference between pseudonymity and anonymity, and what data on the blockchain is pseudonymous and why that matters.
00:26:51
Speaker
Yes, I can comment on that. So anonymized data, pseudonymized data, they are, as you mentioned, quite key concepts, particularly in the blockchain context.
00:27:05
Speaker
Anonymization is basically a process of irreversibly altering the personal data, so you can never link it back to an individual using that anonymized data. So it's no longer personal data; GDPR doesn't apply.
00:27:26
Speaker
Well, that's the theory, but actually the GDPR's standard of anonymisation is quite high. So it's only anonymised so long as it's not possible,
00:27:39
Speaker
it's not possible for someone to identify the individual either directly or indirectly by, quote unquote, "any means reasonably likely to be used". So that's quite a high bar. So in reality, when people say it's anonymised or they attempt to do anonymisation,
00:27:58
Speaker
it's not quite anonymised data from a GDPR point of view, but pseudonymised data, which is essentially personal data altered in a way that makes it difficult to link it back. Not impossible, but very difficult.
00:28:19
Speaker
And yes, I think it usually works by replacing identifying data like names or ID numbers with something else, like a generated code, and to reconnect the data back to a person you need a linker, a pointer, a secret key, for example. So that's very much the reason, as you mentioned, that blockchain transactions are also described as being pseudonymous.
00:28:50
Speaker
And a lot of the fundamental questions that have to be tackled when you're talking about blockchain and GDPR is how you are treating that data. Ask yourself, what's a wallet for? Bank cards, train tickets, spare change, maybe even a picture of your cat Fluffy.
00:29:09
Speaker
But what about a wallet that does more? Meet Core, the native crypto wallet for Avalanche. Mobile, desktop, however you work, it works around you.
00:29:20
Speaker
There's no messing around with exchanges. Upload funds directly from your bank account or Venmo just as easily as sending a PayPal transaction. You've probably got enough passwords to remember already, right?
00:29:32
Speaker
Log in with your Google or Apple account. No seed phrase memorization required. It's that easy. With multi-chain compatibility, Core lets you view and manage assets across Avalanche and other supported networks, all in one place.
00:29:47
Speaker
Pretty awesome. Then, there's a whole world of crypto apps and tools to explore, direct from your wallet. Get the wallet that does more. Download Core today. So how do the guidelines treat pseudonymized data?
00:30:02
Speaker
So they don't really go into a lot of detail around exactly how to think about the linkability.
00:30:13
Speaker
They take the line that they remind everybody that pseudonymized data is still personal data, and they don't go into this interesting question which is coming up in some of the case law around considering that from different perspectives.
00:30:34
Speaker
So for one entity might it be linkable and for another entity might it not? That isn't something that the guidelines really dig into. But we are seeing it being discussed outside of that.
00:30:48
Speaker
Right. And Rita, you were hinting at our next kind of section of our recording here, which is there's been a judgment delivered in an interesting case between the Single Resolution Board and the European Data Protection Supervisor,
00:31:03
Speaker
which, you know, we're two Americans, we don't know what those are. But it seems to be a very interesting judgment. And in fact, we were all waiting for this judgment to come down before we recorded this podcast.
00:31:18
Speaker
So we'd love to get into the facts of the case here. Can anyone kind of generally describe what happened? Yeah, absolutely. So as you say, on the 4th of September, the Court of Justice of the European Union, the CJEU, handed down this judgment in this interesting case.
00:31:35
Speaker
And now, that case directly relates to this question of whether personal data is a somewhat relative concept. So, in other words, do you need to consider the perspective of a particular organisation that's processing data when you determine whether it's personal data, and whether you take into account whether they can link that data to an identifiable individual.
00:31:59
Speaker
So the context, just quickly: the case has been going on for very, very many years. So it's gone through various stages. But it arose because a Spanish bank was being resolved and the Single Resolution Board, the SRB, was involved in that process.
00:32:12
Speaker
And in the course of that, they shared with a third party, with Deloitte, for their analysis, certain comments that had been made by shareholders and creditors as part of a legal process that had to take place called a right to be heard process.
00:32:30
Speaker
So the SRB took steps to pseudonymise that data, including through alphanumeric codes, so that the SRB could link the comments to an identifiable individual.
00:32:41
Speaker
But Deloitte, who received that data, wasn't able to link the data to an individual. And then people who provided the comments complained to the EDPS, the European Data Protection Supervisor,
00:32:56
Speaker
that they had not been provided with some information that they should have been around that disclosure, under the equivalent of the GDPR that applies to EU institutions such as the SRB.
00:33:08
Speaker
And so that's how this case came about. The EDPS, who was acting as the kind of the authority that was governing whether EU institutions were complying with their data protection obligations,
00:33:21
Speaker
found that no, they hadn't had the right disclosures made to them or transparency information provided to them about this data transfer that happened.
00:33:33
Speaker
But the SRB did not agree. So they took the case to court. And so that's when it went to the General Court, which initially had held in favour of the SRB.
00:33:45
Speaker
And then that got appealed again. So what we're looking at now is the ultimate judgment that came down from the CJEU. This case got everybody's attention. The EDPB intervened on behalf of the EDPS.
00:33:59
Speaker
The European Commission got involved supporting the SRB. So it was quite a big one. And what did they find, I guess, is the main question that we're coming to. Well, I think for the purposes of this discussion,
00:34:12
Speaker
the key finding was that, in line with previous case law, pseudonymised data is not necessarily personal data in all cases for every person.
00:34:23
Speaker
So where the pseudonymisation measures mean that a data recipient is not in a position to re-identify data subjects through means that are reasonably likely to be used, then the data subject is not identifiable for that data recipient.
00:34:41
Speaker
And in relation to this, the court agreed with something that the Advocate General had said in the opinion he provided to the court for these cases, which is that data protection obligations that require data subjects to be identified really can't be imposed on an entity that's not in a position to identify those data subjects.
00:35:01
Speaker
So, so far, so good, and quite helpful. But what we don't have from the case, in my view, is any additional colour on how you apply this test of means reasonably likely to be used.
00:35:16
Speaker
So nothing beyond what's been said in previous cases, which is that you don't meet this reasonably likely test if the risk of identification appears in reality to be insignificant, because either it's prohibited by law or impossible in practice because of the effort, time and cost of labour.
00:35:38
Speaker
Okay, so once again, so much to unpack here. So this case, just to be clear, has nothing to do with blockchain. The SRB gave some pseudonymized information to Deloitte, which, you think, Deloitte, that's a trusted advisor for most people.
00:35:57
Speaker
And the progenitors of that data complained. And really the outcome is just confirming what case law had already said, which is that pseudonymized data is relative when it comes to the GDPR.
00:36:18
Speaker
It could be personal data and fall under GDPR, or it could not be personal data. And it depends on whether you can link the pseudonymized data to the subject, to the individual, or not.
00:36:33
Speaker
Is that about right? That is right. And so in this case, it all revolved around these transparency notices. So what they dug into because of that was, well, from the perspective of the controller, the original controller, SRB,
00:36:52
Speaker
it was still personal data, and therefore that disclosure needed to be included in the notice to the individuals. And so they went into that side of it. So they agreed the relative concept, but they looked at it then from the controller perspective because that's what they needed to look at, they felt.
00:37:10
Speaker
Okay, so in this case, and I'm not a data privacy lawyer, but this outcome makes sense to me, just broadly speaking, because the SRB
00:37:22
Speaker
had the means to link the pseudonymized comments, I believe, to the people who made those comments. But when they passed that over to Deloitte, Deloitte did not have the key to link those comments, that data, to the individuals that made them.
00:37:39
Speaker
So it would make sense from a sort of common sense perspective: if I can't link the pseudonymized data to a person, then for all intents and purposes,
00:37:52
Speaker
that's anonymous data to me. Isn't that right? Right. So it wasn't quite right the way you laid this out. I think it wasn't intuitive and obvious in many cases how this was going to come out, because the requirements around the obligation of transparency said that you needed to disclose certain information
00:38:13
Speaker
in relation to where you transfer personal data. And so the question was, well, if it's not personal data for Deloitte, are you transferring personal data? And so that was where it got a bit unclear.
00:38:27
Speaker
And then we're looking at whether that same principle would have applied in other cases, because this case was quite specific around consent-based processing, which really, really needs a lot of transparency around it.
00:38:43
Speaker
And it all sounds very sensible until I tell you another thing that also got mentioned in this case, which is quite interesting to try and sit together with this relative concept, which is that the judgment also said, referring back to a previous case, that if an organisation, so organisation A,
00:39:05
Speaker
handling data that's not personal data for them, so not personal data for organisation A, then puts that data at the disposal of another organisation, organisation B, that can link the data to an individual, then that's personal data, not just for organisation B, but indirectly also for organisation A. And it says that in one paragraph and doesn't go into it in detail because it didn't need to in this case.
00:39:32
Speaker
But that is, for me, quite hard to stick together with the rest of the case. And the only sort of takeaway that I can summarise that handles both of those points is that it's important to take into account what you can do with data in terms of linking it to a person, but also in some circumstances what other people can do.
00:39:54
Speaker
That's a lot to put on organization A, I think. If I am A and I don't have the means to link data to an individual and I give that to organization B, if I give it to you and you have that means, it seems like a stretch to make those obligations pertain to me as well.
00:40:15
Speaker
But let's bring this back to blockchain. So we have a lot of pseudonymized data on the blockchain. What does this judgment say, or what can we take away from this judgment to apply to the blockchain context?
00:40:34
Speaker
Can we? Is it applicable in any sense? I think it, well, it is, in that what we've been talking about is that a lot of the data that's on the blockchain is pseudonymized data. So for the organisation that can link it to an individual, assuming that there is an individual that links to that data and an organisation can, then that organisation is going to need to think about it as personal data. So there's going to be obligations that apply to it, if GDPR applies to it, relating to how they handle that.
00:41:14
Speaker
That's what this case is saying. So even if the information is not personal data for others that then receive it in the blockchain ecosystem, the case is saying that for the organisation for which it is still linkable to an identifiable individual, there will be obligations. So in this case, it was the transparency obligations that they looked at.
00:41:39
Speaker
I think maybe also it's because, essentially, I think it still doesn't really quite help, in the sense that this threshold of what is still personal data is quite wide, because basically the case still probably means that pseudonymized data, which is still considered personal data in GDPR, that's still, I think, quite broad.
00:42:13
Speaker
And I think the case at least still doesn't narrow that very much, because this whole "reasonable means likely to be linked back" is still quite a wide scope.
00:42:38
Speaker
So I think it basically means that if you apply that through a blockchain, it's quite hard, because the majority has got like two of my states being processed, no one really, it's really hard to say anyone participating in the blockchain escapes the GDPR. It's quite difficult to really understand where the line starts and ends. And I think that's the thing, I think a lot of that is so not but also,
00:43:16
Speaker
in the consultation that we mentioned earlier, there's feedback around, quote, where does it start, when does it end? Still a tricky question. Right, because the fulcrum there is whether the controller, or another person, or whoever has the data, can take reasonable means, or means reasonably likely, to link the data to the individual, right?
00:43:46
Speaker
Can we go a little bit into what that means? What are reasonable means? If I'm a blockchain company, or if I'm just a person and a company, then what am I supposed to take from that?
00:44:02
Speaker
What are reasonable means? How far does the reasonableness go? Do I need to... if it's available, for example, if I can use a blockchain explorer
00:44:15
Speaker
to chase down a wallet address and link it, going back and back, and, oh, wow, I've discovered it's the North Koreans. Is that reasonable? It's out there. You can do it.
00:44:27
Speaker
If I can read code and go into the smart contract level and trace identity somehow through other data, like, I don't know, ISPs or anything else that's public,
00:44:42
Speaker
is that reasonable? I mean, I can't do that as a normal person. Maybe a coder could do that. An engineer could do that. So how far does that go back, and what are we supposed to take away from that?
00:44:53
Speaker
And so this is the remaining big question where I said we didn't get the colour on that from this case. And actually, in other cases, it's been left at quite a principles level, I think. So it said that you can take into account objective factors like costs, time for identification, take into account available technology that could be used, but there aren't worked examples and specific thresholds that we can work through here. So there's a lot still to assess on a context-specific basis.
00:45:32
Speaker
Okay, so then my next question is, who is the recipient of the data that's put on a public permissionless blockchain?

GDPR's Impact on Blockchain Industry

00:45:42
Speaker
Who are we calibrating that test for if it's available on Avalanche, for example, where you can use SnowTrace to look at addresses and go down into all the data that's available for every transaction that that wallet address has taken?
00:46:04
Speaker
It's out there, but who's the recipient and who is going to be subject to those obligations? And here, probably the bad news is that that probably makes the test quite high, because you have to assume quite a lot of different data points might be available to some of the people that might receive that data, which can make it, I mean, I think it was already intended to be quite a high bar, and where something is then publicly available,
00:46:36
Speaker
my view is that they're going to take a very high bar to that. So because you can't assess from a specific recipient's point of view, you might have to imagine what a lot of different types of people and organisations might be able to do at that time.
00:46:53
Speaker
Yeah, I think this is one of the most difficult things, because the definition of processing is quite wide. It's pretty much anything you do with the data: storing, collecting, using, transferring.
00:47:04
Speaker
And so, plus the fact that, you know, pseudonymized data is the starting point, and it's still personal data. So that puts a lot of people into the potential scope of mystic aid processor.
00:47:20
Speaker
And that's precisely one of the quite common bits of feedback, I think, that was given on the consultation, the fact that there really should, you know, can we have...
00:47:33
Speaker
I think some of the feedback was saying there's more guidance on what is reasonable and is likely to be, to the extent you consider the likelihood of a specific person being able to think about.
00:47:51
Speaker
Yes, I think that's the key, and then the quite difficult question. Last question then is, as we kind of wrap up this ultimately unsatisfying discussion of pseudonymized data and what the GDPR is going to apply to in the context of blockchain,
00:48:11
Speaker
how is this case going to affect, or will it affect, the considerations of the UK regulator and the EDPB? So I'd say this case, although it was much anticipated, is building on existing case law.
00:48:31
Speaker
I think maybe, in terms of what's going to impact considerations of the ICO and EDPB potentially, in my view, it's just the wider environment that we're in, where
00:48:43
Speaker
authorities or regulators are generally being asked to consider things like competitiveness, promoting innovation, and how their approach to enforcing regulation sits within that wider picture.
00:48:59
Speaker
That's not necessarily going to change some of these approaches and guidance, but I think it could potentially be something to watch, and see if that is making any changes in approach.
00:49:11
Speaker
Well, thank you so much. If you have any takeaways or last comments on this topic, I would love to hear from you about anything that you'd like to mention to wrap up as we finish this podcast.
00:49:27
Speaker
Shall I go? I mean, I think what Rita just said is actually spot on in terms of how the case might actually help, in the sense that this case seems to give a fig leaf.
00:49:39
Speaker
But for that fig leaf to be operational, I think you need some steer at these agencies that that's the way we're going to approach it, to give way to the industry, if that makes sense. So I think that the combination of the case with some political steer at the level of the agencies to help the interpretation would actually be the hopeful tone that we need to finish this, if that makes sense, because that may actually be a door opener for a level of compliance that's achievable. I think the problem is, if we don't have that, there is no way of achieving any sense of compliance, and it would be, you know, entirely on risk. And I think that would be problematic, and that would kill the industry. So I think that there must be a sensible,
00:50:39
Speaker
at a political level at least, a sensible approach to this.
00:50:44
Speaker
I hope that is the case, and I hope that you will all return to discuss it when that happens. Thank you very much, Diego, Rita, and Stephanie, for joining me today on this very interesting and as yet to be resolved topic.
00:51:02
Speaker
We hope you enjoyed our Hootenanny. Thank you for listening.

Additional Resources and Conclusion

00:51:05
Speaker
For more hootful and hype-free resources, visit owlexplains.com. There, you will find articles, quizzes, practical explainers, suggested reading materials, and lots more.
00:51:17
Speaker
Also, follow us on Twitter and LinkedIn to continue wising up on blockchain and Web3. That's all for now on Owl Explains. Until next time.