Insureblocks

Ep.44 – Blockchain & GDPR



Last week we had the pleasure of talking to Dr. Markus Kaulartz, lawyer at CMS Germany, about the very hot topic of Blockchain & GDPR. We will try to answer the question: how does GDPR, drafted in a world in which centralised and identifiable actors control personal data, sit within a decentralised world like blockchain? Markus is the co-author of "The tension between GDPR and the rise of blockchain technologies".

Markus works in the IT law department of CMS Germany with a focus on innovative topics such as blockchain, AI, cyber security and data protection issues. Before becoming a lawyer, Markus worked as a software developer.

 
What is Blockchain?
From a pure legal point of view there are two aspects:

* Blockchain is a database which is distributed and synchronised, and whose data cannot be deleted. This definition is controversial in some quarters, where blockchain isn't considered a database, but it is used to simplify the concept for a non-IT audience.
* Blockchain enables us to move digital assets. This is very important because the receiver of a digital token, for example, will always know that the sender of the token doesn't own it anymore. In other words, the token's transfer of ownership emulates the transfer of ownership of real-life offline assets. If we look at the transfer of ownership of paper share certificates, they presently use a bank as a central intermediary to help identify who the present owner of a share is. In a blockchain world we can theoretically eliminate the need for the bank.


What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It was enacted in May 2016 but only applied from May 2018. It replaced the former EU Data Protection Directive, with the big difference that it applies directly to the member states of the EU without needing to be transformed into national laws. The other big difference between GDPR and the former EU Data Protection Directive is the amount of the fines. Under GDPR the fines are up to 4% of the global turnover of a company.

What is key is that GDPR also applies to companies outside of the EU that work with the EU. For example, if you're an Indian or American company that offers services to EU citizens, you will have to comply with GDPR.

 
Personal Data & Application of GDPR




GDPR only applies where personal data is being processed. Personal data is defined as any information relating, directly or indirectly, to a natural living person, whether the data identifies the person or makes him or her identifiable.

Article 4 of GDPR defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

The key implication is that a person, not a company, can be identified or identifiable. Being identifiable means you don't necessarily need to have the person's name or address; it suffices to have their unique ID, and even their IP address.

Insureblocks, by Walid Al Saqqaf - Blockchain insurance