Nice to see privacy and data security being acknowledged as important. Obviously drawing on the reasoning behind that, then useful for SAFE. The amount of attention GDPR has brought is fairly extraordinary.
GDPR is a bit of a double-edged sword. On the one hand it’s great that rules around data privacy are to be enforced. This should lead to a lot of innovation around privacy-centric technology and redress the current abusive system. On the other, the GDPR is not particularly clear about distributed systems in which files containing personal data are chunked and the encrypted chunks spread around wherever. At present it looks as though encrypted chunks will still be treated as personal data even though they are unreadable without the hash table and encryption key.
As far as I interpret the GDPR, no, encrypted chunks would not be considered personal data, as an individual has to be identifiable to meet the definition.
My guess is it will take a few test cases to sort it out and to refine the law. There are a lot of grey areas at the moment around the dividing line between anonymisation and pseudonymisation, and the law always lags behind technology.
So the Zuck moves 1.5B users from their servers in Ireland to the US. In a sense, this is like moving everyone who lives in South America to another country where different laws apply. Gobsmacking.
I don’t see that… as Jim suggests:
The grey goo that is the bits and bytes on the network, are as meaningless to everyone as all other data. That’s the whole strength of what SAFE will achieve… only the owner has access in the way they determine is appropriate.
There was some suggestion that the US is heading the same direction but I don’t know anything of that. I guess the movement behind “big is better” Government, will be encouraging that, along with trade agreements and the like.
I don’t think this is so grey though. It doesn’t fit the definition of anonymised nor pseudonymised data, it’s just completely inaccessible to the host/farmer of the chunks; it’s not personal data at all. It would only become personal when decrypted by the data controller.
Practically speaking you’re right of course, but the legislation was written with the client-server model in mind and decentralised systems like SAFE and blockchains are edge cases. I’ve read a fair bit about this (will do a proper duckduckgo later when I have a moment see if I can dig something up) and the situation is definitely not cut and dried. With blockchains there is an additional issue around the ‘right of erasure’ - erase some data and you break the chain.
Good law would be cut and dried. The fear of ignorance from law, is not a suggestion of good law… it’s a suggestion of a correction needed but I don’t see there’s any depth to confusion of what SAFE is relative to this. The whole point of user being owner is central to what GDPR is trying to achieve; SAFE is all about power to the user, in the same way. Any confusion about some third party control of user data, is legacy… though important perhaps for any service on-top of SAFE network, as they perhaps would need to do the usual nod to GDPR.
And Google in the UK is making everyone agree to their data being collected and not specific where stored with the impression that it’s stored wherever. They state that using Google Maps for instance will mean you agree to all of Google’s services storing combined data on you. If I remember correctly they claim it does not hold personal ID. But we know ID can be easily reverse engineered and Google know this too and rely on it.
I hope someone challenges this subtle way to bypass the GDPR.
Compounded with that Google is fairly a monopoly… good job to them for doing what they do well but when it gets to a point that one provider is fairly the de facto default for so many services, incumbent on it to be squeaky when it comes to how it interacts with users. Google is too powerful and the way it shares data almost requires the user to keep purging its cookie et al to avoid the over use of personal data. Avoiding or opting out of the “we-will-do-what-we-want-because-we-make-no-error-and-do-no-evil agreement - which we assume you will agree to”, is a bit much.
I’d like to hear the opinions of technical experts who have studied and ideally worked to implement GDPR. Also, sorry about this, technical… lawyers!
Then I may sleep better.
From one angle, GDPR sounds like a great thing. It is, at least, a statement that personal data should be reasonably controlled by the individual.
On the other hand, when government gets involved in stating the obvious and asserting that it will ensure a good result, it lays claim to controlling a lot of stuff it is incapable of really controlling or even understanding the dynamics of.
My concern is that the EU has claimed an area of control that it is completely incapable of actually regulating in an honest way, but will seize more and more arbitrary “authority” over the entire space in order to enforce solutions “for the public good”. And with every failure, the solution will be (as always) “we need more control–it was our lack of control that is the problem.”
The OP title is perfect because I predict there will be a lot of “shakeup”, mainly in the direction of a growing state.
When SAFE is functional, it will change these dynamics completely and that’s the real solution.