A multitude of new regulations are either in the ordinary legislative procedure or already in force. These include the Data Act, the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Cyber-Resilience Act, European Health Data Space Regulation, the Artificial Intelligence Act. Data regulations in the European Union (EU) are becoming more complex and challenging for businesses to comply with. The increasing number of administrative burdens and compliance requirements in these regulated areas are a valid concern for businesses. Supervisory enforcement, for enacted regulations will be a wake-up call for organizations that are not prepared. Tech players operating in the EU and authorities overseeing those activities face the similar challenge of adapting to legislative overlap. New fines, new supervisory authorities and new compliance requirements are expected. To better understand this burst of regulation, the EU’s strategic policies must be carefully examined.

What is the EU aiming for?

• The United States (US) and China (CN) have different advantages in the field of technological competitiveness. 
• The US has a strong private sector with abundant financial resources, while CN has a state-sponsored private sector. 
• The EU meanwhile wants to shape its own digital future, and create a competitive Digital Single Market while enforcing European democratic values. In a short span of time, the European Commission has implemented digital transformation policies to become more competitive in the global economy, reduce the carbon footprint that arises from the red-tape bureaucracy and go digital. 
• Better public services and comprehensive scientific research will be strengthened by the re-use of data envisaged in the European Strategy for Data. 

Understanding the distinct European view on data 

Greater productivity for IoT and data-enabled products are also on the list. But greater accessibility to data is needed to enable innovation in a data-driven economy. This explains why data intermediaries are expected to play a key economic role, as envisioned in the Data Governance Act. Making more data available to smaller players will be made possible by creating common European data spaces in strategic sectors. There are multiple underlying reasons for the data spaces, all of which align with the strategic data policies of the European Union.

• The new regulations are in line with the existing strategic objectives, allowing for organizations to get ahead of the game by embracing the EU’s strategic data policies. 
• The industrial data space and co-generated industrial data is part of the Data Act. 
• The common European health data space is also regulated with the upcoming European Health Data Space Regulation. 
• Green Deal data space, financial data space, energy data space, agricultural data spaces, are also mentioned in the “European Strategy for Data”.

EU strategic goals

• The digitalisation of public services and the digital transformation of businesses are of high priority in the 2030 Digital Compass: the European way for the Digital Decade. 
• The Digital Compass goals are consistent with the rising amount of data being created in the EU. 
• The EU is determined to maintain its regulatory norms and standards in its relations with international partners. 
• By 2030, the EU aims to build an interconnected data processing ecosystem conscious of fundamental rights and in full compliance with legal requirements. As stated in the 2030 Digital Compass policy, the EU will continue to promote the ethical use of AI, establish strict cybersecurity and resilience requirements, tackle disinformation and illegal content online, ensure the operational security of digital finance and facilitate transformation of e-government. Respectively, these strategic policies are being covered by the Artificial Intelligence Act, the NIS2 directive and Cyber-Resilience Act, the Digital Services Act, the Digital Operational Resilience Act for the financial sector and European Health Data Space Regulation.

Implications for the future

These new regulations pave the way for the EU to achieve its new industrial strategy of climate neutrality and digital leadership. They help to reduce the carbon footprint and prevent red tape bureaucracy. 

• The digital transformation is essential for a greener EU.
• The reuse of data is also critical. 
• As stated in the EU Strategy for Data, this includes greater productivity and competitive markets, as well as improvements in health and well-being. 

The emergence of data-driven ecosystems can prove itself in the long run but it may take years for the EU to figure out the interplay of new regulations within the existing legal frameworks, the preparation of new guidelines and the appropriate degree of coordination between supervisory authorities. 

The EU will need to ensure that data and data-enabled products and services are available throughout the single market. Considering the EU’s goal of building a legal digital framework and becoming an international market leader, similar regulations may spread over time to different continents through the Brussels Effect. The key intention is to create a European data ecosystem that is respectful of fundamental rights. Whether these strategic intentions will be translated into the regulatory scope as intended remains to be seen. 

The post Making sense of new EU-wide data regulations, the red thread behind the digital single market appeared first on TechGDPR.

EU Companies using US vendors for their data

For companies operating within the EU, this adequacy decision eliminates the need for additional data protection measures when transferring personal data to U.S. vendors participating in the EU-U.S. Data Privacy Framework. It streamlines data transfers, allowing businesses to focus on their core operations without being burdened by complex compliance requirements.

If your company relies on U.S. vendors for services or data processing, this decision brings positive implications. The EU-US Data Privacy Framework introduces comprehensive binding safeguards to address concerns raised by the European Court of Justice. These safeguards ensure that access to EU data by U.S. intelligence services is limited to what is necessary and proportionate for national security purposes.

Moreover, the framework establishes a redress mechanism for EU individuals whose data is mishandled by U.S. companies. This includes independent dispute resolution mechanisms and an arbitration panel, providing added assurance to EU consumers and reinforcing trust in transatlantic data flows.

Serving EU Customers from the US

For U.S. vendors seeking to serve EU customers, participation in the EU-US Data Privacy Framework is crucial. By committing to comply with a detailed set of privacy obligations, U.S. companies can demonstrate their adherence to the high data protection standards required by the EU. This includes obligations such as purpose limitation, data minimization, data retention, data security, and responsible data sharing with third parties.

The framework will be administered by the U.S. Department of Commerce, ensuring proper oversight and monitoring of participating companies’ compliance. The U.S. Federal Trade Commission will enforce these obligations, safeguarding the interests of EU individuals and promoting accountability among U.S. vendors.

It is important to note that the safeguards implemented by the U.S. government to protect data privacy will also benefit companies using other data transfer mechanisms, such as standard contractual clauses and binding corporate rules. This provides flexibility and reassurance for companies engaged in transatlantic data transfers, regardless of the specific mechanism they choose.

We encourage companies to familiarize themselves with the details of the adequacy decision and the obligations set forth in the EU-US Data Privacy Framework as this will affect many data setups.

Criticism of the EU-US Data Privacy Framework

Critics argue that the new Trans-Atlantic Data Privacy Framework closely resembles its predecessors, particularly the failed “Privacy Shield” agreement. The fundamental concerns regarding U.S. surveillance laws and the unequal treatment of non-U.S. persons in terms of constitutional rights remain largely unaddressed. The framework’s reliance on the U.S. Executive Order 14086, which includes the term “proportionate” but interprets it differently than the European Court of Justice (CJEU), has raised concerns about the adequacy of protections.

Furthermore, the redress mechanism established under the new framework has been questioned. While some improvements have been made compared to the previous “Ombudsperson” mechanism, the individual’s direct interaction with the newly formed Civil Liberties Protection Officer (CLPO) and the “Court” is limited. Critics argue that this mechanism does not provide true judicial redress, as the response is already known before a case is brought, potentially undermining the effectiveness of individuals’ rights to seek redress.

It is expected that the privacy advocacy group noyb (None of Your Business) will challenge the adequacy decision in court. They contend that the new framework lacks substantial changes and does not address the necessary reforms to U.S. surveillance laws. Previous attempts, such as the “Safe Harbor” and “Privacy Shield,” have been declared invalid by the CJEU.

The potential legal challenge could result in further scrutiny of the Trans-Atlantic Data Privacy Framework. If the case reaches the CJEU, the court may suspend the framework during the review process, leading to a final decision in 2024 or 2025. This uncertainty raises concerns about the legal validity of data transfers conducted under the new framework.

The post EU-US Data Privacy Framework Adopted appeared first on TechGDPR.

On 7th October, 2022, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO) in order to oversee that the obligations of the US under the EU-US Data Privacy Framework are carried out. The EO is divided into 5 sections consisting of general provisions, definitions, purpose, redress mechanisms and activities of Signals Intelligence.

For the purpose of this document, significant provisions of the EO will be highlighted. To clearly understand the provisions, it is important to first understand what signals intelligence means. Signals intelligence describes a form of intelligence gathering by intercepting electronic signals. In the context of the US, signals intelligence involves collecting foreign intelligence from communications and information systems and providing it to customers across the U.S. government, such as senior civilian and military officials. They then use the information to help protect our troops, support our allies, fight terrorism, combat international crime and narcotics, support diplomatic negotiations, and advance many other important national objectives. 

Legitimate objectives for signal intelligence

Signal intelligence will not be carried out randomly. According to section 2.b.i.A, this type of intelligence is to be carried out only for the following reasons –

1. To assess the capabilities or activities of a foreign government/military/political organization or any entity acting on its behalf in order to protect the national security of the USA and its allies/partners.
2. To assess the activities of international terrorist organisations that pose a current or potential threat to the national security of the US or allies and partners.
3. To assess transnational threats impacting global security such as climate change, public health risks, humanitarian threats, political instability and geographic rivalry
4. To protect against foreign military capabilities and activities
5. To protect against terrorism, taking of hostages conducted by or on behalf of a foreign government
6. To protect against espionage
7. To protect against threats from the development and proliferation of weapons of mass destruction conducted by or with the assistance of a foreign government, organization or person.
8. To protect against malicious cybersecurity threats.
9. To protect against threats to the personnel of the US or its allies or partners
10. To protect against transnational criminal threats including illicit finance and sanctions evasion related to any of the objectives stated in this list.
11. To protect the integrity of government property, US physical and electronic infrastructure and political processes such as elections from activities conducted by a foreign government, organization or person.
12. To advance operational capabilities in order to further any of the reasons stated in this list.

Prohibitions to the conduct of signal intelligence activities. 

The exceptions to signal intelligence objectives are found in section 2.b.i.B of the EO:

1. Suppression of criticism or the free expression of ideas or political opinions
2. Suppression or restriction of legitimate privacy interests
3. Suppression or restriction of the right to legal counsel
4. Discrimination of persons based on ethnicity, race, gender, gender identity, sexual orientation or religion.

It is further stated in the EO that collection of foreign private commercial information or trade secrets to afford a competitive advantage to US companies or the US business sector is not a legitimate objective and therefore, can only be conducted with authorisation and in order to protect the national security of the US or its allies or partners.

The EO provides thus “Signals intelligence collection activities shall be as tailored as feasible to advance a validated intelligence priority and, taking due account of relevant factors, not disproportionately impact privacy and civil liberties.  Such factors may include, depending on the circumstances, the nature of the pursued objective; the feasible steps taken to limit the scope of the collection to the authorized purpose; the intrusiveness of the collection activity, including its duration; the probable contribution of the collection to the objective pursued; the reasonably foreseeable consequences to individuals, including unintended third parties; the nature and sensitivity of the data to be collected; and the safeguards afforded to the information collected.”

With respect to bulk collection of signals intelligence, the EO states that when it is determined that bulk collection is necessary to advance a validated intelligence priority, reasonable methods and technical measures shall be applied to limit the data collected to only what is necessary in order to achieve legitimate objectives.

Handling of personal information collected through signals intelligence

The EO also provides for handling of personal information collected through signals intelligence. Elements of the intelligence community handling personal information shall ensure that policies and procedures are put in place to minimize the dissemination and  retention of personal information. The provisions on retention of personal information provides equal level of protection to ‘non-United States persons’ as with United States persons. For instance, under ‘Retention’ in section 2.c, the Intelligence community “shall delete non-United States persons’ personal information collected through signals intelligence that may no longer be retained in the same manner that comparable information concerning United States persons would be deleted.”

With respect to data security and access, appropriate protection and the prevention of unauthorized access consistent with applicable safeguards for sensitive information in relevant EOs and Directives are to be ensured.

Worthy of note is the savings clause in section 2.e which states that nothing in the EO shall be construed to limit any signals intelligence collection technique under the Foreign Intelligence Surveillance Act of 1978 as amended (FISA). It should be remembered that one of the considerations for the invalidation of the privacy shield framework was section 702 of FISA. This allowed for surveillance of electronic communication service providers which term is commonly broadly interpreted by the American courts.

Redress Mechanism

Section 3 of the EO provides for the establishment of a process for the submission of qualifying complaints from qualifying states for any covered violation of US law, appropriate remediation where and if necessary, investigation, the establishment of a Data Protection Review Court (DPRC). The designation of qualifying state is dependent on a number of factors under section 3.f.i of the EO, one of which is that the country, regional economic integration organization or its member countries permit or intend to permit the transfer of personal information for commercial purposes between the territory of the country or member countries and the territory of the US. This means the application of the principle of reciprocity. The designation of qualifying state can also be revoked if the countries or member countries do not permit the transfer of personal information for commercial purposes between the countries and the US.

What does this mean for EU-US data transfers?

You are probably wondering how this impacts your business operations and EU-US data transfers. The EO brings a ray of hope as it promises an ease in data flows between the EU and the US. What is important to keep in mind, however, is that an Executive Order in the USA is just that and has no direct effect on EU territory. It is for this reason that the European Commission has published a Q&A on the EU-US data Privacy Framework. 

In this publication, it is stated that the European Commission will take steps to propose a draft adequacy decision and launch the procedure for its adoption. The final adequacy decision will only be adopted after scrutiny by the European Parliament and after which there should be a free and easy EU-US data transfers between the EU and US companies that have been certified by the Department of Commerce under the new framework. 

Until these formalities have happened, nothing is required from businesses in the EU. If you hope to commence data transfers to the US, note that an adequacy decision is not the only way to achieve this. One mechanism adopted by the European Commission for international data transfers is the use of modernized standard contractual clauses which businesses can include in their commercial contracts. In the future, the European Commission has stated that all the safeguards that the Commission has agreed with the US Government in the area of national security (including the redress mechanism) will be available for all transfers to the US under the GDPR, regardless of the transfer tool used.

Summary

Undoubtedly, the EO appears to be a laudable effort in creating an environment of trust for EU-US data transfers. For instance, the establishment of a Data Protection Review Court is a progressive step because it provides a redress mechanism for so-called qualifying complaints from qualifying states. According to the White House, the provisions of the EO are intended to provide a basis for the European Commission to adopt a new adequacy decision aimed at restoring an accessible and affordable data transfer mechanism under EU Law. 

Despite being a commendable effort, the EO gives with a hand and takes with the other. The savings clause states that the EO does not limit any signals intelligence collection technique authorized under the Foreign Intelligence Surveillance Act (FISA) amongst other laws. 

Furthermore, the process for lodging a qualifying complaint appears cumbersome, especially for non-US persons. This is because the CLPO  will have to first review the complaints and inform the complainant through the appropriate public authority in the qualifying state on whether  a covered violation was identified or not. This means that complainants cannot lodge complaints directly or bring an action before the DPRC. 

After the CLPO has reviewed a complaint, the DPRC (to be constituted by judges selected by the Attorney General in consultation with the Secretary of commerce amongst others) shall further review the decision of the CLPO where necessary. If the complainant applies for a review by the DPRC, an advocate will be selected by the DPRC to advocate regarding the complainant’s interest in the matter (section 3.c.i.E). This brings to mind a latin maxim, nemo judex in causa sua, which means no one should be a judge in their own case. Would an advocate employed by the DPRC really serve the interest of a complainant or that of its master? Time will tell.

The EO is loudly silent on the rights of the complainant. At best, it creates only an ‘[…] entitlement to submit qualifying complaints to the CLPO and to obtain review of the CLOP’s decisions by the Data Protection Review Court[…]’ according to section 5.h. This section clearly states that the Order ‘… is not intended to, and does not, create any other entitlement, right, or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.’

On 13th December, 2022, the European Commission published a draft adequacy decision for EU-US data transfers, thus, signaling the start of the adoption procedure for the EU-U.S. Data Privacy Framework following the US Executive Order. According to the European Commission through its official website, the Commission submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.

Summarily, while the Executive Order is a step in the right direction, it still begs the questions about government surveillance and enforceability of data subject rights in the USA. The coming months will present with interesting events as more processes are put in place to comply with this Executive Order and adopt a final adequacy decision for EU-US data transfers. Until then, it is advisable that businesses in the EU maintain the status quo and continue to limit as much as possible data transfers to the US or rely on lawful mechanisms for such transfers.

The post EU-US data transfers: US Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities and the impact on organizational GDPR compliance. appeared first on TechGDPR.

In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.

The Schrems-II ruling of the European Court of Justice on Transfers of Personal Data outside of the EU

The European Union is infamous for its diligent approach to the protection of the rights of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and individual rights are not abused as soon as they cross the EU border. 

The European Commission produced a list of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners. The requirement for those companies in this group is to self-declare and join the so-called EU-US Privacy Shield. Until recently, more than 5000 organisations used the scheme, among which Amazon, Facebook, and Google. 

With its judgement, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US, illegal. Additionally, the ruling impacted another mechanism, that of Standard Contractual Clauses (SCCs), which was used in 88% of international transfers, warning that these SCCs cannot always be used in transfers to third countries. It implied a similar fate for Binding Corporate Rules, another transfer mechanism for transfers within a corporate group.

As if this were not enough, the court left no grace period for organisations to understand their situation and come up with alternative transfer mechanisms applicable to their business model. It leaves thousands of transfers of personal data to the US and, presumably, to many other countries, unlawful. This is why a swift reaction is vital for companies in the EU.

Step-by-step guide to international data transfers after the CJEU ruling

Step 1 – Audit existing transfers 

To start with, prepare a list of all connections with companies that imply transfers of personal data outside of the European Union. Acknowledge  that storing personal data on the cloud servers in another country, using third-party applications such as CRM, HR, payment systems, collaboration tools, video-conferencing or task managers definitely implies the international transfer of data. Remember that involving contractors or software development agencies from third countries also imply international data transfers.

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most information can be parsed from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The current mechanisms used by the companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46.3.a) GDPR), Binding Corporate Rules (Art. 47 GDPR), or Derogations (Art. 49 GDPR).

Step 2 – Choose appropriate safeguards

Pay specific attention to the transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data in the States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by the providers of cloud computing and telecommunication services.

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers whether they are subject to national laws that:

• require indiscriminate surveillance / data collection from them by government bodies;
• prohibit deletion of the transferred data at the end of your relationship with them;
• limit the rights of concerned individuals (data subjects), such as the right to be informed, right to access, rectify and erasure, upon the request.

The restrictions above will be difficult to overcome by the available EU privacy safeguards, which was confirmed by the CJEU judgement. This is exactly the case with the transfers to the United States: under 702 FISA (50 USC § 1881a), all “electronic communication service providers”, which are providers of remote computing services, electronic communication services, or telecommunications carriers must share the data that they store about foreigners with the U.S. national enforcement agencies. As a result, it is considered that the SCC cannot be used for transfers of data to these types of providers at all. 

For other types of partners and services providers, the SCC and BCR remain a possible option, though additional examination will be necessary.

To make matters worse is that foreign companies can be prohibited from informing you about such requirements due to their statutory provisions. The option, in this case, is to look into media-coverage of such scenarios, as well as to check their national enforcement and judicial practice on data protection.
Best practice, however, is to regard those companies who claim they cannot disclose that information to be under that statutory obligation and interpret that answer as those likely to be subject to such national requirements.

Step 3 – Consider derogations or restructure the transfers

Art. 49 of the GDPR provides derogations from the rule described above. For case-by-case transfers, you can ask for explicit consent from the data subject. However, such an option seems unrealistic for transferring the whole database as it may prove impractical to ensure collecting consent from all concerned users. 

You can also transfer personal data to third countries if it is necessary to perform the contract with your users or other data subjects. Unfortunately, it is only available to the transfers that are strictly necessary, i.e. where the execution of the contract takes place on U.S. territory (or another third country). That said, the mere convenience to transfer the data to the U.S. cannot be regarded as the “necessity”, neither can the cost of the offered solution be a determining factor alone.

Finally, as a temporary measure, the company can argue that it has legitimate interests in international transfers. This option can serve as a temporary relief for those companies that need time for re-architecting their processing activities following the CJEU judgement. The transfer based on the legitimate interests should not be repetitive. It must concern only a limited number of data subjects, and must not be overridden by the interests or rights and freedoms of the data subject. Two conditions come when relying on  this derogation: the need to inform your supervisory authority and data subjects about the transfers. Thus, legitimate interests might be used as a temporary measure while searching for a more reliable transfer mechanism.

There are many situations where none of the above options can be used by the EU company. For example, it is fairly difficult to come up with a solution for transferring personal data to cloud hosting providers in the U.S. or EU subsidiaries of those companies. In such cases, a strong decision is needed: that of restructuring your data processing and stop transfers of personal data outside of the EU. In such a case, only local EU service providers will be used, particularly those not under legal or contractual obligation to transfer data back to the US -or merely allow access to other entities.

Conclusion: what to do after the Schrems-II ruling

Until new guidance from the EU regulators is issued, in particular the EDPB and the EU Commission, the situation with international transfers remains rather vague, to say the least. In accordance with its announcement in the assessment of the last 2 years of the GDPR, the European Commission is also working on new transfer mechanisms. The new safeguards should allow transferring personal data outside of the EAA more easily. This is a much awaited work considering the fact that current SCCs date back prior to the GDPR, thus not being fully in line with the GDPR provisions

In the meantime, the companies are left with few options:

1. To amend their processing infrastructure and limit transfers of personal data outside of the EU; or
2. To take a risk and try to come up with protective measures to complement these unstable mechanisms, in an attempt to consolidate the current mechanisms. However, until the European Data Protection Board drafts guidance on such measures, choosing them ought to be carefully examined by data protection professionals.

This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

If your business relies on international transfers of personal data, the TechGDPR team provides practical and actionable assessments for organisations to find a solution for each case. Feel free to reach out if you need further help.

The post International Transfers of Personal Data after the Schrems II ruling appeared first on TechGDPR.

1. Is the Opinion 05/2014 by Working Party 29 still valid?

Article 29 Working Party issued comprehensive guidance on Anonymisation Techniques in April 2014 (WP216), setting a high standard for the requirements of true anonymisation, and specifies what is to be interpreted as pseudonymisation – which is merely a method to reduce linkability of a dataset with the original identity of a data subject.

Many applications of DLT requires some verification data to be stored on-chain, which, depending on interpretation and the specific requirements can be seen as anonymous or pseudonymous.

During its first plenary meeting on May 25th, 2018 the European Data Protection Board (EDPB) endorsed a number of GDPR related WP29 Guidelines, but not “Opinion 05/2014 on Anonymization Techniques” by “Art. 29 Working Party”.

The EDPB should clarify whether this opinion by WP29 may be used as a guideline, or ideally issue new guidelines that allow for sufficiently protected pseudonymous data and verification hashes to be recognised as anonymous.

2. Clarification of distribution of responsibilities in a decentralised environment (DLT) according to given roles under GDPR.

The architecture (or topology) of systems using DLT is vastly different from more traditional systems comprising of a client-server, or client-cloud architecture. The GDPR is clearly designed for a client-server architecture, with clear distinguishable rights and duties between a data controller, who is primarily responsible, a data processor, who processes data on behalf of a controller, and a data subject, of whom the personal data is being processed.

This is not translatable into blockchain or distributed ledger technology, where every node could play every role, not overseen by a central entity or system. Participants may have different roles under different circumstances, and may have multiple roles at the same time. In addition, the requirement of concluding a Data Processing Agreement in a public permissionless network is very difficult to fulfil, and other overarching measures may be required.

Clarification of the GDPR roles of the different actors within the blockchain ecosystem, under different circumstances is highly desirable to give innovators enough legal certainty to continue their efforts.

3. Clarification regarding deletion and rectification obligations under DLT.

Under Article 16 and 17 of the GDPR, data subjects have the right to have incorrect personal data corrected, and have their personal data that is no longer required erased.

This poses a problem when using DLT, that primarily derives its trust from its immutability. Because data, including personal data on DLT can not be rectified or erased, and many blockchains are public, the best practice so far is to not directly store personal data on a blockchain but only a verification value, also known as a hash, of some kind. However, as highlighted before, there is no current valid guidance on exact limits of anonymisation, so how this is to be applied remains unclear.

Technical approaches to resolve this problem exist, for example through the ability of nodes to restrict access to certain information, to only allow ‘keyed hashes’, which all have a unique key stored off-chain that can be deleted, or by using a mutable implementation of DLT, which unfortunately hardly ever helps us trust the technology as it relies on a trusted third party and should not be seen as a true solution. Which defeats the appeal of blockchain and DLT.

Within current practices using data backups in more traditional settings, it can also not be assumed that all personal data is effectively deleted, in particular from offline tape backups. It can also be questioned what the technically implementation of ‘deleting data’ in a traditional sense is: under most circumstances this is just ‘unlinking’ data, which can still be recovered.

Further guidance, and more flexibility on the interpretation of deletion and rectification obligations, in particular in a blockchain environment, is requested.

4. Request to ensure future guidance takes the different blockchain and DLT architectures into account.

When the EDPB or other regulators are providing guidance on blockchain under the GDPR, it is essential to understand and consider the different blockchain architectures currently available, and possibly those of the future. A public permissionless blockchain, free to join, participate in and download for everyone, is vastly different from a private permissioned one, related technologies that are technically not blockchain but still fall within the scope of distributed ledger technologies, such as Tangle and Hashgraph, have yet another very different architecture requiring a different approach.

We’d like to urge the regulators and in particular the EDPB to take these fundamental differences into account when issuing further guidance.

The post Blockchain & DLT under the GDPR explained to the European Commission appeared first on TechGDPR.