On 18 June 2020, the Brussels Privacy Hub and the Health and Ageing Law Lab (HALL) in synergy with the Horizon 2020-funded research projects: Cyber-Trust | Advanced Cyber-Threat Intelligence, Detection, and Mitigation Platform for a Trusted Internet of Things, FASTER | First responder Advanced technologies for Safe and efficienT Emergency Response, and LOCARD | Lawful evidence collecting and continuity platform development held the webinar ‘The Promise of “Blockchain”: DLT-based applications re-shape data storage and sharing, but can they be compliant with the EU data protection law?’. Panelists and respondents in alphabetical order were: Olga Gkotsopoulou (LSTS/VUB), Anastasiya Kiseleva (LSTS/HALL/VUB), Ashwinee Kumar (LSTS/VUB), Clément Pavué (Scorechain) representing the Cyber-Trust project, Jon Shamah (EEMA) representing the LOCARD project, Yuri Tijerino (Kwansei Gakuin University) and Carlos Tovar (Ariwonto), both representing the FASTER project. The session was chaired by Prof. Dr. Paul Quinn (LSTS/HALL/VUB).
Prof. Dr. Quinn and Olga Gkotsopoulou welcomed the audience and the panelists in the virtual venue. Ashwinee Kumar was the first panelist to be given the floor. He offered a concise overview of the legal challenges Distributed Ledger Technologies (DLTs) carry in relation to data protection law. He reiterated that implications emerge from both a) their inherent characteristics (namely: immutability and decentralization) and b) their design (namely: public/permissionless, private/permissioned, hybrid/consortium). He then proceeded by explaining immutability and decentralization as two distinct challenges. In relation to immutability, Kumar argued that the term is open to interpretation, varying from ‘not changing/unable to be changed’ to ‘almost difficult to be changed’. Such a lack of an accurate legal definition may result in difficulties for data subjects to exercise their rights to erasure and rectification. Concerning decentralization, Kumar noted that it is not always easy to define a central authority against whom a right can be claimed or which would be obliged to perform a task. He concluded his presentation by recalling open questions with regard to public, private and consortium blockchains, for example, whether every node should be considered by default a data controller and whether harmonization of blockchain use is possible.
The floor was then given to the panelists representing each project of the event synergy. Clément Pavué from Scorechain first presented the DLT approach developed in the Cyber-Trust project. The latter aims “to develop an innovative cyber-threat intelligence gathering, detection, and mitigation platform to tackle the grand challenges towards securing the ecosystem of IoT devices”. DLT is used in the project for three reasons: to ensure trusted file storage as a whole, to provide an auditable environment for forensic evidence storage, and to enhance mitigation and authority management. Pavué presented Hyperledger Fabric, which constitutes the basis for a private and permissioned solution, and its newly-added feature of ‘private data’, which allows subsets of the network of actors to be created dynamically, enabling a private ‘collection’ between partners who wish to share information. He underlined that Hyperledger Fabric provides for a TTL (Time-To-Live) feature which ensures that shared private data can be periodically purged in order to comply with the applicable data protection law framework.
Jon Shamah, Chair of EEMA, continued by explaining the DLT approach in LOCARD, emphasizing the importance of the DLT policy design. The main challenge faced by the LOCARD project is to translate sound forensic workflows used by Law Enforcement Agencies into the DLT system, by enabling different actors to have different roles and permissions. The DLT solution introduced by LOCARD is also based on Hyperledger Fabric, as is the Cyber-Trust one seen above. The rationale behind this choice was to allow for a secure and tamper-proof chain of custody and follow-up of cases, to achieve minimal data storage (e.g. through hashes) for performance and scalability, and to provide for deployment of private transactions. Shamah stated that the strategy behind the LOCARD solution is to build a sustainable governance framework acceptable to prospective users and jurisdictions, with the capacity to accommodate policy and regulatory issues as they evolve. He then proceeded by presenting the LOCARD policy design, grounded on control through smart contracts, Trust Authorities and Trust Lists, offering flexibility for local configuration given differences in national law and in parallel taking on board learnings of Identity Management.
Prof. Yuri Tijerino from Kwansei Gakuin University and Carlos Tovar from Ariwonto then took the floor to present the innovative approach introduced by the FASTER project. FASTER aims to ensure the safety and efficiency of first responders during an emergency, through the secure exchange of information from multiple sources in real-time. The panelists presented AIngle (Artificial Intelligence Dag Semantic), an alternative to blockchain which provides for high scalability, zero-fee microtransactions, real-time and offline transactions, secure data transfer or organization as well as low resource requirements. The developed technology allows for the massive exchange of information, with the benefits of a blockchain but without the problems of scalability and fees. AIngle is quantum resistant and aims to specifically offer means to comply with EU data protection law. For instance, in contrast to a blockchain hash, AIngle first creates a “digital twin” to validate information and provides for anonymization of personal data. Anonymized information is then used for the creation of models, whereas the initially collected personal data can be further processed in line with the applicable data protection law.
In the discussion session that followed the presentations, several questions were posed by the event attendees to the panelists and the respondents, including but not limited to: whether public keys are always personal data; what is the added value of DLT-solutions if there is still a need for a trusted central authority; how DLT-based solutions can be compliant in a cross-border context; whether it is possible to eliminate the likelihood of malicious data manipulation when the central authority is pre-selected and pre-trusted.