GDPR and Blockchain, a match made in heaven?

“Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather”. With this famous paragraph, John Perry Barlow (R.I.P., feb. 7, 2018) starts his renowned Declaration of Independence of Cyberspace in 1996.

Barlow expected that the internet “would create a civilisation of the mind, more humane and fair than the world your governments have made before”. Little did he know.

The internet as we know it nowadays is not always as civilised as we’d want it to be. And that’s a huge understatement. Andrew Keens book The Internet Is Not the Answer joins a number of recent books by critics who are also trying to wake us from the nightmare into which we have been sleepwalking. Far from being the “answer” to society’s problems, Keen argues, the internet is at the root of many of them.

Multinationals like Google, FaceBook, WhatsApp, Telco’s and even our own governments violate peoples rights on a massive scale. Personal data is being unlawfully collected and processed, misused, shared, sold, sent over country borders, profiled, etc, etc. The internet clearly is missing a secure layer where peoples identities are securely safeguarded.

The upcoming General Data Protection Regulation, new European privacy law that will be enforced May 25th has the Universal Declaration of Human rights, article 12, as its first predecessor. It will enforce legislation that protects data subjects information in many more ways then before. It will also fundamentally change the way organizations process Identity.

In comes the blockchain, trust and self sovereign identity!

A blockchain is a distributed ledger. A distributed ledger can be described as a ledger of any transactions or contracts maintained in decentralised form across different locations and people, eliminating the need of a central authority to keep a check against manipulation. All the information on it is securely and accurately stored using cryptography and can be accessed using keys and cryptographic signatures. Once the information is stored, it becomes an immutable database and is governed by the rules of the network. While centralised ledgers are prone to cyber-attack, distributed ledgers are inherently harder to attack because all the distributed copies need to be attacked simultaneously for an attack to be successful. Further, these records are resistant to malicious changes by a single party.

Now weighing the first blockchain application, Bitcoin, on a privacy scale it won’t make you happy. It’s primary purpose was to act as cryptocurrency. As first mover it has many flaws in the overall architecture. Crypto forensic companies like Chainanalysis have emerged and have a day job tracking and tracing BTC token flows since all is publicly visible on the chain. Pseudonimization is the maximum Privacy level on this disruptive blockchain. Next to that it is slow, doesn’t scale, expensive and environmentally polluting. Nevertheless it kicked off the renaissance of money.

Blockchain 2.0
The second round of blockchain innovation came with coloured coins, smart tokens and smart contracts. Ethereum is the most well known blockchain in this league followed by many others. Now developers are allowed to build programs (such as the Distributed Autonomous Organisation) and API’s on the blockchain protocol to facilitate, execute or enforce the performance of an agreement set in computer code. The smart contract code is immutable meaning that once it is deployed it cannot be changed. This is good for trust but not good when bugged!

Blockchain 3.0
But why do we even need a block? On the bitcoin network, many transactions are mined into blocks and the transaction sequence is maintained by the prehashes between blocks. What if you combine blocks and transactions together? Make every transaction directly involved in maintaining the sequences. After the transaction is placed, you can skip the process of mining. This makes it blockless and more efficient. Come in Directed Acylic Graph (DAG). Well known examples of DAG protocol chains are NXT, Hashgraph and IOTA that claims to be fast enough to support the internet of things. They all claim to provide global (and private) cloud solutions without servers.

Back to GDPR and Privacy!
The Data Protection Act gives rights to individuals in respect of the personal data that organisations hold about them. The Act says that:

“Personal data shall be processed in accordance with the rights of data subjects under this Act.”

This is the sixth data protection principle, and the rights of individuals that it refers to are:
1. a right of access to a copy of the information comprised in their personal data;
2. a right to object to processing that is likely to cause or is causing damage or distress;
3. a right to prevent processing for direct marketing;
4. a right to object to decisions being taken by automated means;
5. a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
6. a right to claim compensation for damages caused by a breach of the Act.

It is evident that your blockchain architecture needs to be able to execute the above rights without braking the chain by breaching its immutability. Also personal data is not to leave the EU. That’s a challenge with a public blockchain. This article describes the GDPR-Blockchain paradox and one workaround in a nice fashion.

To Summarize!
Blockchain developments are necessary for the people to take back their right to own their digital identity again. Blockchain initiatives can be a great answer to the mass profiling by multinationals and governments. As John Perry Barlow stated “You are not welcome among us. You have no sovereignty where we gather”.

When setting up your infrastructure, make sure your off chain environment is GDPR compliant and decouple the personal data from the hashed data. As we see initiatives sprout up all over the world we see that many questions still need to be answered. Decentralised and Sovereign Identity however, is here to stay!

Dimitri van Zantvliet Rozemeijer MBA CIPP/E CIPPM is founder of EU Privacy Protectors and a lifelong geek..

Hoe gaat de school om met de privacy van uw kind? In 10 stappen naar een betere AVG compliance.

Met de komst van de Algemene Verordening Gegevensbescherming (AVG) dragen schoolbestuurders meer verantwoordelijkheden om de persoonsgegevens van hun leerlingen goed te beschermen. De wet is al in werking getreden en zal per 25 mei 2018 ook echt gehandhaafd gaan worden door de Autoriteit Persoonsgegevens.

1, Zorg dat de medewerkers op de hoogte zijn van de AVG

De directie, het management maar ook de docenten en ondersteunend personeel kunnen allemaal aan de basis liggen van een privacy lek. Het is daarom belangrijk de gevolgen van de wet en de mogelijke consequenties

voor de school duidelijk te maken. Het voldoen aan de AVG zal behoorlijk wat tijd vergen van de school en haar medewerkers en dient derhalve tijdig gebudgetteerd en ingepland te worden. Ook de ouders dienen geïnformeerd te worden over de mogelijke consequenties. Dit dient tijdig te gebeuren en zeker niet NA 25 mei 2018.

2, Stel z.s.m. een Functionaris Gegevensbescherming (FG) aan.

Soms is een organisatie verplicht een FG aan te stellen. Het voldoen aan een van de drie genoemde vereisten is hiervoor al voldoende. Scholen zijn vrijwel allemaal wettelijk verplicht een FG aan te stellen. Een overkoepelende

stichting kan een centrale FG aan stellen die voor alle scholen de werkzaamheden coördineert. Een FG kan in loondienst worden aangesteld of extern worden ingehuurd. De school dient aan de Autoriteit Persoonsgegevens te melden wie de FG voor de school is. Een FG is een gekwalificeerde functie met voldoende juridische, privacy en databescherming kennis en kunde.

3, Start met de privacy governance

Voldoen aan de AVG is niet voldoende, de Autoriteit Persoonsgegevens wil bewijs zien dat er pro-actief omgegaan wordt met de databescherming. Dit omvat onder andere het uitvoeren van een Privacy Impact Assessment, gegevensbescherming audits, privacy policy reviews en het opzetten en bijhouden van een verwerkingsregister.

4, Communiceer en informeer

Scholen zijn verplicht te melden aan personen van wie de gegevens bijgehouden wordt, welke informatie wordt verwerkt, waarom die data wordt verwerkt, waar die data wordt bewaard, hoe lang die data wordt bewaard met wie deze data gedeeld wordt. Tevens moeten die personen geïnformeerd worden over hun rechten omtrent deze gegevensverwerking. Als er in het proces iets wijzigt, de school besteed bijvoorbeeld een deel van de verwerking uit, dan dient het informeren opnieuw te geschieden en dienen deze personen hiertegen in bezwaar te kunnen gaan.

5, Vraag toestemming, wie zwijgt stemt toe gaat niet meer op

Dit onderdeel binnen de AVG is sterk aangezet. Bij geldige toestemming moet elke twijfel zijn uitgesloten. Foto’s en video’s waarbij personen herkenbaar in beeld zijn, zijn persoonsgegevens. Wil de school beeldmateriaal publiceren van een leerling van 16 jaar of ouder? Dan moet de leerling daarvoor zelf toestemming geven. Is de leerling jonger dan 16 jaar? Dan heeft de school toestemming nodig van zijn of haar ouder/voogd. Onder de AVG moet de

school straks aan kunnen tonen dat ze een geldige toestemming van leerlingen en/of hun ouders heeft voor de publicatie van het beeldmateriaal. En het moet voor leerlingen en ouders net zo makkelijk zijn om de toestemming weer in te trekken als om de toestemming te geven.

6, Erken de rechten van de persoon en richt hiervoor de juiste processen in

De rechten van de datasubjects zijn onder de AVG sterk toegenomen. Zo kunnen personen wiens gegevens worden verwerkt gratis hun gegevens mogen inzien, laten corrigeren bij fouten, vergeten mogen worden uit de administratie, hun gegevens mee willen nemen naar een andere school. Zorg ervoor dat de digitale middelen die u als school gebruikt ook de mogelijkheden bieden om bovenstaande rechten uit te kunnen voeren.

7, Werk aan Privacy by Design en Default

Privacy by design houdt in dat u er al bij het ontwerpen van onderwijs producten en diensten voor zorgt dat persoonsgegevens goed worden beschermd. Maar bijvoorbeeld ook dat u niet meer gegevens verzameld dan noodzakelijk voor het doel van de verwerking. En dat u de gegevens niet langer bewaart dan nodig.

Privacy by default houdt in dat u technische en organisatorische maatregelen moet nemen om ervoor te zorgen dat u, als standaard, alléén persoonsgegevens verwerkt die noodzakelijk zijn voor het specifieke doel dat

u wilt bereiken. Dit kunnen vinkjes op de website zijn die standaard aan staan en gegevens die u vraagt voor de nieuwsbrief.

8, Zorg dat ook leveranciers en verwerkers hun zaken op orde hebben

Ondanks dat de school de data niet altijd zelf verwerkt, ontslaat dat het schoolbestuur niet van hun verantwoordelijkheden. Dankzij het convenant Digitale Onderwijsmiddelen en Privacy 2.0 is het voor scholen eenvoudiger om afspraken te maken met leveranciers. Belangrijkste punt in het convenant is de rolverdeling: scholen hebben de regie op wat er gebeurt met de persoonsgegevens. Dit mag je niet overlaten aan een leverancier (een verwerker). De school beslist wat de leverancier wél en niet met de gegevens mag doen. Check of uw leverancier is aangesloten bij het privacy convenant, zorg dat er een model verwerkersovereenkomst is- of wordt afgesloten, controleer de bijlagen hiervan en onderteken alle benodigde documenten.

9, Internationaal data verkeer

Scholen moeten goed in kaart brengen of hun privacy data binnen de grenzen van de EU blijft. Het gebruik van cloud services, digitale fotoboeken, mobiele apps, nieuwsbrieven of alleen al een email zenden naar ouders of agenten in het buitenland kan mogelijk in strijd zijn met de AVG. Discussies spelen nog steeds over de geldigheid van Safe Harbour en Privacy Shield afspraken met de Verenigde Staten. Het is de verantwoordelijkheid van het schoolbestuur om te controleren of het gebruik van deze diensten is toegestaan.

10, Incidenten en Datalekken

Een beveiligingsincident is een gebeurtenis waarbij de mogelijkheid bestaat dat de beschikbaarheid, integriteit of vertrouwelijkheid van informatie of informatieverwerkende systemen in gevaar is of kan komen. Een datalek is een beveiligingsincident, waarbij gegevens verloren raken of onrechtmatig worden bewerkt (opgeslagen, aangepast, verzonden, enz.). Een school is verplicht binnen 72 uur een datalek te melden bij de Autoriteit

Persoonsgegevens. De FG van de school dient tevens een incidentenregister bij te houden.

Tot slot

Bovenstaande stappen zijn slechts een eerste aanzet om te komen tot AVG compliance. Het (bewust) niet voldoen aan de wet zal door de landelijke autoriteiten persoonsgegevens beboet kunnen worden tot een bedrag van 4% van de overkoepelende omzet of €20 miljoen euro. Mocht u in Oktober 2017 nog niet begonnen zijn dan kunt u maar beter snel starten. 25 mei 2018 komt sneller dan u denkt.

Mocht u verdere vragen hebben omtrent de AVG/GDPR of hulp nodig bij de implementatie dan kunt u mailen naar avg@privacyprotectors.eu

First Annual Review of the EU-U.S. Privacy Shield

First Annual Review of the EU-U.S. Privacy Shield

The Privacy Shield is an arrangement for protecting the personal data of anyone in the EU when it is transferred to the U.S. for commercial purposes.

Yesterday the EU published its report on the adequacy of the EU-US Privacy Shield. As many Software Services are provided from US based organisations and data is therefore transferred from EU to US this is an important topic.

In general the outcome of the Commissions review is a positive one. It says that the Privacy Shield provides better monitoring and better ways for individuals to obtain redress.

However there is room for improvement, a few topics: US Companies should not be allowed to communicate to be certified unless the Department of Commerce process is finalised. These certified companies should be checked upon more regularly. A US ombudsperson should be appointed as well as an informal panel of DPAs to resolve complaints.

A more comprehensive update is found here:

 

Three times is a charm but not when it comes to privacy protection!

Amsterdam, July 13th 2017
Three times is a charm but not when it comes to privacy protection. The Trump hotel chain’s security has been breached several times over the last years. It’s Ironic when you look back at the many times president nr. 45 accused Hillary Clinton of using an unsecured server and that because of that she should be locked up.
 
Hotels are by nature a great target for hackers because of the depth of sensitive information that needs to be processed. Address info, age, sex, family members, passport info and last but not least credit card information.
 
The new General Data Protection Regulation that will come into force May 25th next year will specifically audit the protection of this kind of information. When hotels do not comply they risk a fine of €20M or 4% of their global annual turnover (whichever is the highest).
 
It’s important to have specific processes and technology in in place to show the local Data Protection Authorities that your organisation is compliant. Next to that we are confident that you want to safeguard your brands reputation against any digital negativity. We have tools and solutions available for all the possible data protection challenges.
 
If you like to know how you can get your Hotel (chain) compliant with the new regulation then we’re happy to assist. Fill in the contact form at https://www.privacyprotectors.eu/contact/ please and we’ll contact you within 12 hours.
Dimitri van Zantvliet Rozemeijer
EU Privacy Protectors

Privacy Shield; the way forward or lipstick on a pig?

Amsterdam, July 12th 2017.

Just recently, on May 7th, The European Economic Area Joint Committee has officially adopted a decision to incorporate the EU-U.S. Privacy Shield adequacy decision into the EEA Agreement, which establishes the framework as a valid mechanism to transfer data from EEA member states to the U.S.A.

This decision made, is rather peculiar as the Privacy Shield itself (after Safer Harbour was declared invalid)  has sparked vivid discussions about the adequacy of the Shield all together. With only a few months to go until a scheduled European Commission review of the so-called Privacy Shield transatlantic data transfer framework (September 2017), two US NGOs have weighed in with devastating warnings that America isn’t keeping its side of the deal.

As that date draws nearer, the Center for Digital Democracy (CDD), which specialises in data protection issues in digital marketplaces, and Access Now, which “defends and extends the digital rights of users at risk around the world”, have both criticised Privacy Shield as being not fit-for-purpose, with the former calling for it to be scrapped completely.

To make things even worse:

An Executive Order signed in January by U.S. President Donald Trump in his first few days in office, jeopardised the six-month-old data transfer framework that enables EU citizens’ personal data to flow to the U.S. for processing — with the promise of ‘essentially equivalent’ privacy protection once it gets there.

Also, on March 28, Congress voted along party lines to kill a set of rules adopted by the Federal Communications Commission in October that would’ve forced your internet service provider, or ISP, to ask you before it collected – and sold- certain personal information. In both chambers, most Republicans voted to repeal the rules, while Democrats voted against. President Donald Trump quickly signed the resolution overnight, turning it into law and repealing again a federal regulation passed late in the Obama administration.

Lipstick on a pig.

The Privacy Shield is meant to “restore trust in transatlantic data flows,” but Max Schrems, the man who Slayed the Safe Harbour agreement, was not convinced when it was published February 2016. He labelled the new data protection umbrella as follows:

‘#PrivacyShield: They put ten layers of lipstick on a pig but I doubt the Court&DPAs suddenly want to cuddle with it!”

With a republican majority governance that is eager to repeal Privacy Protection legislation and a White House with it’s president is being sued because of blocking Twitter followers, it is clear that sending your Privacy sensitive data across the digital US border isn’t without severe risk.

With all layers of lipstick now removed the privacy pig is still a pig and the U.S. government is looking more and more like George Orwell’s Animal Farm mr. Jones.  Question is; will the animals rebel, sue mr. Jones and claim their privacy back? The near future will tell..

Dimitri van Zantvliet Rozemeijer
EU Privacy Protectors

 

Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.

TOOP and GDPR, an impossible marriage?

TOOP and GDPR, an impossible marriage?

TOOP

The European Commission launched the €8 Million “Once-Only” Principle Project (TOOP) on January 1st 2017. This project is part of the EU eGovernment Action Plan 2016-2020 and will contribute towards increasing the efficiency of the Digital Single Market.

The project will ensure that information is supplied to public administrations only once regardless of the company’s country of origin therefore eliminating unnecessary burdens for European businesses who are asked to repeatedly present the same data and documents. According to the “Once-Only” principle, public bodies should take action to share data with each other, respecting privacy and data protection rules, both nationally (across sectors) and across borders.

When initial data that has been entered once by an organisation, is needed for another digital procedure within the EU, then this data should be automatically entered in advance in the digital form at hand. This is known as pre-filling.

Here comes the challenge:

Article 5.1(b) of the EU General Data Protection Regulation states clearly that “Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)”

When the initial datacollector retrieves the data for the process that needs it, gives the legal grounds to do so and gets consent, then every forwarding of that data is incompatible with the initial purpose.

Article 5.1(c) states that “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

When data is collected to be forwarded to another European service or entity, this is not compatible with the initial purpose for which it was collected.

Article 5.1(d) states that “Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

When data is collected by the initial service and is forwarded throughout services in EC member states then who is responsible for keeping all the data accurate, up-to-date and rectified when needed. Also who is responsible to keep the oversight when a datasubject asks for insight or executes the right to be forgotten (article 17)?

Also, articles 12 and 13 are all about transparency and access to personal data. If personal data is scattered around European services and datacontrollers/processors then who will be the single point of contact when a data subject asks for information or insight in it?

Article 18 states that “The data subject shall have the right to obtain from the controller restriction of processing under certain circumstances.” What happens when the datasubject executes that right? Will TOOP be able to NOT forward and process the personal data?

Realising the impossible?

It is pretty clear that TOOP is not in line with the philosophy of the GDPR and is incompatible with many of the 99 articles in it. We look forward to the stretch and bend exercises the TOOP project will enforce itself into to deliver some value for the €8Million project it started.

 

Amsterdam, June 27th 2017

D.A. van Zantvliet Rozemeijer MBA

 

Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.