New kid on the block(chain): Controllers, processors and decentralised processing
Sam Wrigley
IPR University Centre
sam@thewrigleys.com

Overview
0. Introduction
1. The case scenario
2. What is a blockchain?
3. Who are the actors?
4. Controller and processor duties
5. Recommendations
6. A few extra thoughts

The case scenario
• IMSVETO, a company which sells designs for 3D-printed spare parts, decides to use a permissioned blockchain to help validate parts as safe
• A record of every new part is saved on the blockchain, and is signed by the designer and the engineer who tested it
• All designers, testers and printers must maintain a copy of the blockchain
• Peers can check a design against the blockchain to validate it

What is a blockchain?
• Most famous implementation is the cryptocurrency bitcoin
• Information recorded into “blocks”
• No centralised, authoritative version of the database
• Allows for “lite” and “node” clients
• Can utilise public key cryptography
• Can be designed with varying levels of control

What is a blockchain?
• Less famous implementation is the cryptocurrency dogecoin
• Information recorded into “blocks”
• No centralised, authoritative version of the database
• Allows for “lite” and “node” clients
• Can utilise public key cryptography
• Can be designed with varying levels of control

Who are the actors?
• We need to find:
  • The controller(s)
  • The processor(s) (if there are any)
  • The data subjects
• The people we have:
  • The blockchain implementer (IMSVETO)
  • The blockchain peers (the designers, engineers and printers)
  • Anybody whose personal information is recorded in the blockchain

The law (1): What is processing?
“any operation or set of operations which is performed on personal data... whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” – GDPR, art. 4(2)
• Suffice to say: Extremely wide.

The law (2): What is a controller?
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” – the GDPR, art. 4(7)
• A deliberately wide term
• Should be given a “broad definition” to ensure “effective and complete protection” – C-131/12 Google Spain SL.
• Article 29 Working Party says that:
  • Purpose of controller is to determine who is responsible for compliance with data protection rules
  • A party “determines purpose and means” if it determines the “why” and the “how” of processing
  • The controller is the party who chooses to process data “for its own purpose”
  • Whether or not a party is a controller is a “pragmatic question”

The law (3): What is a processor?
“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” – GDPR, art. 4(8)
• A more subservient role that “recalls the legal concept of delegation” (ICO) by “serving someone else’s interest” (Article 29 Working Party)
• Question of how wide this term is
  • Debate whether mere provision of equipment sufficient to make a party a controller
  • GDPR seems to favour a wide interpretation
  • Likely that a narrow interpretation rejected to ensure strong protection of right to privacy/data protection
• Ultimately a factual question.

A return to the scenario: Who is who?
• Key questions:
  • Are any of the actors processing?
    • Yes, both the peers and the establisher process information
  • Who controls the means and purposes?
    • Depends on the facts. In our situation, probably IMSVETO
  • Do the peers act independently, or do they simply process according to the establisher’s instructions?
    • Again, depends on the facts. In our situation, they probably process according to the establisher’s instructions.
• In our example, IMSVETO is probably the controller and the peers are probably processors

Is this always the case?
• No! Very fact specific
• Factors that could (but might not) change the answer include:
  • How open the blockchain client is
  • What level of instruction the establisher gives to the peers
  • Whether the peers branch off the blockchain independently
  • Whether peers use lite or node clients
  • Whether we accept a wider or a narrower definition of “processor”
• However, “controller = establisher, peers = processor” likely to be default, or at least most common, scenario

Controller and processor duties
• Controllers must (inter alia):
  • Ensure that they only use processors who give “sufficient guarantees” that they will comply with the GDPR (art. 28(1))
  • Ensure that the controller/processor relationship is governed by a contract which sets out certain details (art. 28(3))
• Processors must (inter alia):
  • Comply with the GDPR (including art. 5, principles of processing, and art. 32, security of processing)
  • Comply with the processor agreement (including only processing information as instructed)
  • Keep and transfer necessary records to the controller (arts. 28(3) and 30)
  • Be open to legal liability under the GDPR, ch. VIII.

How to deal with these duties?
• Difficult, since processors are not guaranteed to be acting in a professional capacity
• Some can be dealt with by click-wrap licences (e.g. the contract between controller and processor)
• Some can be dealt with by technological means (e.g. a blockchain client which automatically uploads records to the controller, or which stops the client from running if no anti-virus is detected)
• Some hard to deal with at all (e.g. meeting the high standard of the processor’s “sufficient guarantee”)
• Some make you wonder why a peer would want to sign up at all (e.g. liability to pay fines in full)

Recommendations
• Nothing to indicate that controller/processor requirements incompatible with blockchain per se
• We need guidance from the Article 29 Working Party/European Data Protection Board about which factors are most relevant for determining if a party is a controller or a processor
• Vitally important that we get a code of conduct for blockchain establishers and peers
• Establishers should do everything possible to make sure that peers actually agree to the contract and see the relevant instructions
• Anybody who wishes to use a blockchain should perform a DPIA and consult a DPO/other data protection expert

A few extra thoughts
• Blockchain technology still faced with other problems (particularly the Right to Erasure)
• Pseudonymising data stored in the blockchain may help, but not a silver bullet
• Be aware of overseas blockchain peers – international data transfers are always tricky
• The key to a successful blockchain is planning. Embrace privacy by design!

Image attributions:
• Slide 2: Image used under the Creative Commons Attribution-Share Alike 4.0 International licence. Author: Davidstankiewicz. Source: https://commons.wikimedia.org/wiki/File:Blockchain_Illustration_2.jpg
• Slide 3: Image of SAAB variable compression engine (slide 4) used under the CC 4.0 Attribution-Share Alike International licence. Original picture by Reedhawk <https://commons.wikimedia.org/wiki/Category:Saab_engines#/media/File:Saab.Variable.Compression 02.JPG>, modified by Ellis Wilson.
• Slide 5: Dogecoin logo created by Christine Ricks. Used with permission.
• Slide 6 & 10: Guess Who? Game released by Milton Bradley. Image credit to Amazon.com. Used under educational exemption.
• Slide 8: Image used under the Creative Commons Attribution 2.0 Generic licence. Credit: Jackie. Source: https://commons.wikimedia.org/wiki/File:Marionette_Show_NJ.jpg
• Slide 9: Image of used under the Creative Commons Attribution-Share Alike 3.0 Unported licence. Attribution to Алексей-моэк. Source: https://commons.wikimedia.org/wiki/File:%D0%90%D0%BB%D0%B5%D0%BA%D1%81%D0%B5%D0%B9%D0%BC%D0%BE%D1%8D%D0%BA.jpg
• Slide 12: Image used under the Creative Commons 2.0 generic licence. Attribution: Oregon Department of Transportation. Source: https://commons.wikimedia.org/wiki/File:Vehicle_Inspection_(5161920290).jpg
• Slide 15: Image used under the Creative Commons Attribution, non-commercial 2.5 license. Credit: xkcd. Available at: https://xkcd.com/1110/
• All other images are part of the public domain.

Thank you for listening! Questions or comments? Send me an email! sam@thewrigleys.com