The General Data Protection Regulation (GDPR), the European Union’s latest regulation on data privacy, aims to address this. In this article, we unpack the key aspects of the regulation, looking for nuances that might otherwise be missed and giving you our take on what it all means.
Freedom to determine who can do what to my data is key to digital freedom.
In GDPR speak, the parties on the right side of the table are referred to as controllers and processors, whereas those on the left side are data subjects, because they are the subject of the data.
When online, we are all that our data says about us.
As we drill down into these consent forms, it is surprising to realize how many services our personal data has been sent to. If we do not control the data that identifies us when we are online, we do not control who we are and how we would like to be treated. Our data is all that a service provider has about us, and using it, providers can profile us in the name of targeted advertising and improved user experience.
With the advance of machine learning and quantum computing, what is not identifiable today might become so in the near future.
GDPR currently lists the following attributes as personal data:
Telephone numbers, IP addresses, public keys
Racial or ethnic origin
Political opinions, browsing habits and personal preferences
Religious and philosophical beliefs
Trade union membership
Health, sex life or sexual orientation
Genetic and biometric data
We are looking at a never-ending race to find the holy grail of data that is in no way traceable to a natural person. Take, for example, dynamic IP addresses: because they do not change that often, our ISPs can tell who we are. Consider also the study “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata”, in which data scientists analyzed credit card transactions from 1.1 million people in 10,000 stores over a three-month period. Although the information had been “anonymized” by removing personal details like names and account numbers, the uniqueness of people’s behavior made it easy to single them out. What is and is not identifiable to a natural person is a highly contentious issue.
GDPR addresses data subjects, not data owners.
Alice took a digital picture of Bob. Bob is the data subject, Alice the controller. As the photographer, Alice may own the picture, but she will never be its subject. Subjecthood is about being the data, whereas ownership is about who can do what to the data, and is thus a lesser priority in terms of the digital freedom “to be”.
Freedom to be > Freedom to do.
Subjecthood and ownership belong to different paradigms:
Ownership falls under the category of data governance, which deals with who can “do what” to my data. Someone who:
– owns my data – is an owner;
– holds my data as a data custodian – is a steward;
– uses my data – is a consumer;
– makes or produces data about me – is a producer.
Subjecthood is about who the data is about; it is about being the data.
Being focused on subjecthood, GDPR goes beyond the data governance issues of access control and data provenance, by focusing on active and dynamic consent as well.
In the world of blockchains, subjecthood, like soulfulness, cannot be tokenized.
Once Alice takes the picture of Bob, no one else can claim to be its data subject, nor could Bob make someone else the subject in his place. There is only one Bob in that picture, and that will never change.
You are your personal data, you don’t just own it, and no one can take that beingness from you.
With respect to blockchains, where tokens represent unique data whose ownership can be transferred, the photo could be tokenized and its ownership changed from Alice to someone else, but the fact that it is a photo of Bob will never change. In fact, even when the photo is tokenized, subjecthood is not tokenized: it remains outside the paradigm of transference.
Giving up control of your personal data is not the tax you pay for using a service even if you do not pay for it with money.
Since personal data is about being the data, subjects must be able to decide what happens to their data.
Controllers must ask for consent even before touching the data, unless of course the controller needs the data to fulfil contractual obligations that the subject has agreed to and that are clearly specified in the contract. Any use of data outside of the contract, such as for advertising, may only take place if consent has been asked for and received.
For any extra-contractual data use, the controller cannot assume “implicit” consent, even if the controller:
Consent cannot be bundled into the terms and conditions, nor can the controller automate consent by default alongside opt-out fields.
In public blockchains, all subjects are controllers being peers of each other.
Strictly speaking, public blockchains are outside the scope of GDPR because there is no difference between controllers and subjects: every node hosts every other node’s data.
Additionally, the rights to erasure and rectification run counter to the fundamentals of trustless technology, where data, once written, can always be trusted to remain in the blockchain.
A key difference between blockchains and GDPR is that the latter was architected to address the power dynamics between controllers and subjects.
Blockchains address this equally, but in a very different way: by making everyone peers instead of a hierarchy of controllers over subjects.
In fact, the power dynamics in blockchains are not about who holds data and who does not, but about who has more economic power in terms of coins. So, blockchains are outside the realm of GDPR.
Stratumn + Blockchain = Share Proofs, Never Data
In our enterprise blockchains at Stratumn, stakeholders timestamp the hash of their data on a public blockchain, putting only proofs of the data, never the data itself, on the blockchain as transactions. This allows the enterprise network to verify every transaction without exposing data.
In this respect, we are experimenting with cryptographic protocols such as zero-knowledge proofs and attribute-based encryption, which allow confidential disclosure of personal data between the intended participants only. The actual data is thus stored outside the network in encrypted form, where it can be deleted as needed by the owner of the data.
However, some personal data still needs to be shared in the network, such as the public keys and IP addresses of stakeholders. That is why obtaining explicit consent is part of bootstrapping the network and setting up the stakeholders.
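The “share proofs, never data” pattern above, written out as an added example in Python. This is illustrative code, not Stratumn’s own implementation: the `Ledger` class stands in for the public blockchain, `OffChainStore` for the encrypted store the data owner controls, and the function names (`anchor_record`, `prove`, `erase`, `linkable`) are hypothetical. The example goes one step beyond the text by showing the weak form of the commitment beside the corrected one: a bare hash of a guessable value such as an IP address can still be matched against the ledger by anyone who knows the value, whereas a salted commitment, with the salt kept off-chain next to the data, cannot. It also shows that erasing the off-chain record satisfies a deletion request while the immutable ledger entry stays in place and proves nothing on its own.

```python
"""Added example: anchoring salted hash commitments on-chain, data off-chain.

Hypothetical names; the sample IP address is a constructed value from the
documentation range 203.0.113.0/24.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def commit(data: bytes, salt: bytes = b"") -> str:
    """SHA-256 over salt || data.

    With an empty salt this is the weak form: the hash of a low-entropy value
    (an IP address, a phone number) can be matched by anyone who guesses it.
    """
    return hashlib.sha256(salt + data).hexdigest()


@dataclass
class Ledger:
    """Stand-in for the public blockchain: an append-only list of commitments."""
    entries: List[str] = field(default_factory=list)

    def anchor(self, commitment: str) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1  # the index plays the role of a tx id


@dataclass
class OffChainStore:
    """Stand-in for the encrypted off-chain store under the owner's control."""
    records: Dict[int, Tuple[bytes, bytes]] = field(default_factory=dict)


def anchor_record(ledger: Ledger, store: OffChainStore, data: bytes,
                  salted: bool = True) -> int:
    """Keep (data, salt) off-chain; put only the commitment on the ledger."""
    salt = secrets.token_bytes(32) if salted else b""
    idx = ledger.anchor(commit(data, salt))
    store.records[idx] = (data, salt)
    return idx


def prove(ledger: Ledger, store: OffChainStore, idx: int) -> bool:
    """A party still holding the data and salt can prove they match the ledger."""
    if idx not in store.records:
        return False  # erased or never held: nothing left to prove
    data, salt = store.records[idx]
    return commit(data, salt) == ledger.entries[idx]


def erase(store: OffChainStore, idx: int) -> None:
    """Right to erasure: drop the off-chain data and salt; the ledger is untouched."""
    store.records.pop(idx, None)


def linkable(ledger: Ledger, idx: int, candidate: bytes) -> bool:
    """Can a party holding only the ledger and a guessed value tie them together?

    Without the salt, the only thing they can compute is the unsalted hash.
    """
    return commit(candidate) == ledger.entries[idx]


def demo() -> dict:
    """Run the weak and corrected commitments side by side."""
    ledger, store = Ledger(), OffChainStore()
    ip = b"203.0.113.7"  # constructed sample value
    weak = anchor_record(ledger, store, ip, salted=False)
    strong = anchor_record(ledger, store, ip, salted=True)
    result = {
        "weak_linkable": linkable(ledger, weak, ip),       # True: hash is guessable
        "strong_linkable": linkable(ledger, strong, ip),   # False: salt is off-chain
        "proof_before_erase": prove(ledger, store, strong),
    }
    erase(store, strong)  # deletion request honoured off-chain
    result["proof_after_erase"] = prove(ledger, store, strong)
    result["ledger_entries"] = len(ledger.entries)  # both entries remain on-chain
    return result


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is where the salt lives: it is stored with the data, not on the ledger, so the on-chain commitment reveals nothing about the value by itself and the entries for the same IP address under different salts are unlinkable to each other. Values that must be shared in the clear across the network, such as the stakeholders’ public keys and IP addresses, fall outside this pattern, which is why the text treats them under explicit consent at bootstrap.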