Legal Aspects of Blockchain Technology — Identities

Preamble

This article is the eighth publication of the series “legal aspects of blockchain technology” by the Frankfurt School Blockchain Center (FSBC), Datarella, and CMS Hasche Sigle. This research is part of the KOSMoS project, a research project funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 02P17D020. The Frankfurt School Blockchain Center gGmbH and Datarella GmbH are part of the “KOSMoS” consortium. Together with partners from the industry (Schwäbische Werkzeugmaschinen GmbH, Alfred H. Schütte GmbH & Co. KG, ASYS Automatisierungssysteme GmbH), academia (Universität Stuttgart, Hochschule Furtwangen), and software development (inovex GmbH, Ondics GmbH), they create a blockchain-based solution allowing manufacturing companies to establish a DLT-based framework for producing machines in order to (a) execute dynamic leasing contracts, (b) provide transparent maintenance documentation and (c) ensure high-quality documentation of manufactured products.

Introduction

The GDPR’s purpose is to ensure the right to informational self-determination and privacy of individuals. It aims at protecting personal data within the European Union (EU) as well as ensuring the free movement of data within the EU, and it makes no exceptions for blockchain-stored data. Blockchain-based use cases also have to comply with the GDPR. The GDPR is directly legally binding for the EU member states; however, they have the possibility to change some specific predetermined clauses if they deem it necessary.

Anonymization of identities

Natural persons are to be distinguished from machines in terms of data protection measures. The reason for data anonymization is to protect basic human rights (i.e., the right to informational self-determination) and to ensure data privacy of individuals in the digital age. But is there a need for anonymization of such an identity, or is the use of privacy-enhancing features, such as private channels on Hyperledger, already a sufficient decoupling of trusted (possibly personal) information? A distinction must be made between keys that refer to machines (machine data) and keys that refer to natural persons (personal data), as is shown in Figure 1:

Source: Own illustration.

Keys with a personal reference

Keys with a personal reference should be pseudonymized using a lookup table[1]: The actual IDs are then assigned to a key in the lookup table and only this key, but not the ID, is stored on the blockchain. In this way, a company can respond to any deletion requests by deleting the data in the lookup table. The data on the blockchain then loses its reference and is thus anonymous. If the actual IDs are not relevant and could also be deleted, they could be stored directly on the blockchain. This could be the case when a company only cares about the number of keys but not about who they belong to. Recordkeeping of the number of subscribers for the sake of internal marketing statistics is one such example. The eWpG bill for the law on the introduction of electronic securities and crypto securities in Germany seems to follow the same path — it talks about the “data used for pseudonymization”.[2] Under the GDPR, whether private channels are sufficient to achieve anonymity depends on whether re-identification is possible using proportionate means. Whether a means is considered proportionate differs from case to case. It can be determined by assessing the level of difficulty and effort needed for re-identification to be successful.
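The lookup-table approach described above, as an added sketch that is not part of the original article or the KOSMoS code base: an off-chain table holds the actual IDs, a hash-chained list stands in for the blockchain, and a deletion request removes only the table entry. The class names, the random 128-bit key format, and the sample subscriber ID are assumptions made for illustration.

```python
import hashlib
import json
import secrets

class PseudonymTable:  # off-chain lookup table: random key -> actual ID (hypothetical)
    def __init__(self):
        self._id_by_key, self._key_by_id = {}, {}

    def key_for(self, actual_id):
        # Random key, not derived from the ID, so the key alone reveals nothing.
        if actual_id not in self._key_by_id:
            key = secrets.token_hex(16)
            self._key_by_id[actual_id] = key
            self._id_by_key[key] = actual_id
        return self._key_by_id[actual_id]

    def resolve(self, key):
        return self._id_by_key.get(key)  # None once the entry is deleted

    def erase(self, actual_id):
        # Deletion request: drop the mapping only; the ledger is not touched.
        key = self._key_by_id.pop(actual_id, None)
        return self._id_by_key.pop(key, None) is not None

def _digest(key, payload, prev):
    body = json.dumps({"key": key, "payload": payload, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Ledger:  # append-only, hash-chained records standing in for the blockchain
    def __init__(self):
        self.blocks = []

    def append(self, key, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"key": key, "payload": payload, "prev": prev,
                            "hash": _digest(key, payload, prev)})

    def verify(self):
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _digest(b["key"], b["payload"], b["prev"]):
                return False
            prev = b["hash"]
        return True

if __name__ == "__main__":
    table, ledger = PseudonymTable(), Ledger()
    ledger.append(table.key_for("subscriber-001"), "subscribed")  # constructed sample ID
    print(table.erase("subscriber-001"), ledger.verify(), table.resolve(ledger.blocks[0]["key"]))
```

After the erasure the chain still verifies and the stored key no longer resolves to an ID, which is the loss of reference the paragraph relies on.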

Keys without a personal reference

Keys without a personal reference do not have to be anonymized for reasons laid out in the data protection law because they are not personal data. However, an obligation to make them anonymous may arise (indirectly) from the fact that the data constitute trade secrets. For example, the machine data could be used to read the times and intensities of use which might allow conclusions to be drawn about the order situation of a company.

Compliance of machine data

Data protection laws only cover personal data (e.g. for the GDPR: Art. 2 GDPR). However, machine-related data may also be personal data under certain circumstances (see the answer to question 3). Machine data may also be subject to database rights (see the answers to questions 3 and 5). They can also constitute trade secrets (see the answers to question 3).

Endnotes

[1] This is recommended e.g., by the French data protection authority: CNIL, Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data, 06.11.2018: “these solutions enable stakeholders to come closer to the GDPR’s compliance requirements”.

About KOSMoS

KOSMoS is a research project funded by the German Federal Ministry of Education and Research (BMBF) under the funding code 02P17D020. More information about the project can be found on the website.

Jonas Gross

Jonas Gross is Chairman of the Digital Euro Association (DEA) and Head of Digital Assets and Currencies at etonec. Further, Jonas holds a PhD in Economics.