scholarly journals Reconciliation of anti-money laundering instruments and European data protection requirements in permissionless blockchain spaces

2021 ◽  
Vol 7 (1) ◽  
Author(s):  
Iwona Karasek-Wojciechowicz
Keyword(s):  
Data Processing ◽  
Money Laundering ◽  
Data Protection ◽  
Task Force ◽  
Policy Instruments ◽  
Personal Data ◽  
General Data Protection Regulation ◽  
Terrorist Financing ◽  
The Government ◽  
High Level

AbstractThis article is an attempt to reconcile the requirements of the EU General Data Protection Regulation (GDPR) and anti-money laundering and combat terrorist financing (AML/CFT) instruments used in permissionless ecosystems based on distributed ledger technology (DLT). Usually, analysis is focused only on one of these regulations. Covering by this research the interplay between both regulations reveals their incoherencies in relation to permissionless DLT. The GDPR requirements force permissionless blockchain communities to use anonymization or, at the very least, strong pseudonymization technologies to ensure compliance of data processing with the GDPR. At the same time, instruments of global AML/CFT policy that are presently being implemented in many countries following the recommendations of the Financial Action Task Force, counteract the anonymity-enhanced technologies built into blockchain protocols. Solutions suggested in this article aim to induce the shaping of permissionless DLT-based networks in ways that at the same time would secure the protection of personal data according to the GDPR rules, while also addressing the money laundering and terrorist financing risks created by transactions in anonymous blockchain spaces or those with strong pseudonyms. Searching for new policy instruments is necessary to ensure that governments do not combat the development of all privacy-blockchains so as to enable a high level of privacy protection and GDPR-compliant data processing. This article indicates two AML/CFT tools which may be helpful for shaping privacy-blockchains that can enable the feasibility of such tools. The first tool is exceptional government access to transactional data written on non-transparent ledgers, obfuscated by advanced anonymization cryptography. The tool should be optional for networks as long as another effective AML/CFT measures are accessible for the intermediaries or for the government in relation to a given network. If these other measures are not available and the network does not grant exceptional access, the regulations should allow governments to combat the development of those networks. Effective tools in that scope should target the value of privacy-cryptocurrency, not its users. Such tools could include, as a tool of last resort, state attacks which would undermine the trust of the community in a specific network.

scholarly journals To What Extent are Consumers Harmed in the Digital Market from the Perspective of the GDPR?

2021 ◽  
Vol 04 (08) ◽  
Author(s):  
Ammar Younas ◽  
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Personal Data ◽  
The European Union ◽  
General Data Protection Regulation ◽  
Legal Instrument ◽  
Protection Legislation ◽  
High Level ◽  
Existing Data ◽  
The Eu

The European Union has recently enacted a new law, the General Data Protection Regulation (GDPR),1 which is designed to strengthen existing data protection legislation in the EU. The selection of Regulation itself as a legal instrument makes the GDPR stronger than Directive as it ensures a uniform and consistent implementation of rules thereby, consolidating the EU digital single market. The GDPR reforms existing data protection policy by imposing more stringent obligations on not only data controllers but also on data processors relating to obtaining a valid consent,2 ensuring transparency of automated decision making3 and security of data processing,4 and by providing new rights for data subjects. Data subjects are entitled to withdraw their consent,5 request their data to be transferred to another data controller6 or to be deleted.7 Also, the GDPR includes certain principles aimed at regulating its cross border transfers of the EU citizens’ personal data to ensure a high level of protection outside the EU.8 Taking into account the above mentioned policies along with others, some scholars describe the GDPR as ‘the most consequential regulatory development in information policy in generation’ that has teeth.9 However, the GDPR cannot be claimed as a legal instrument that effectively deals with all threats of the digital market to consumers. This paper argues that although the GDPR has considerably expanded the rights of consumers thereby, enabling them to regain control over their personal data to certain extent, the effectiveness of its principles is limited and cannot ensure full security of data processing. Firstly, it examines the effectiveness of consent principle of the GDPR in empowering consumers to control over their data and make a genuine choice. Secondly, it analyzes “data control-rights” of consumers. Finally, it comprehensively discusses extraterritorial application of the GDPR and regulation of international transfers of data.

International Organizations and the EU General Data Protection Regulation

2019 ◽  
Vol 16 (1) ◽  
pp. 158-191 ◽  
Author(s):  
Christopher Kuner
Keyword(s):  
International Law ◽  
International Organizations ◽  
Data Protection ◽  
Personal Data ◽  
Eu Law ◽  
Protection Measures ◽  
General Data Protection Regulation ◽  
General Data ◽  
High Level ◽  
The Eu

The importance of personal data processing for international organizations (‘IOs’) demonstrates the need for them to implement data protection in their work. The EU General Data Protection Regulation (‘GDPR’) will be influential around the world, and will impact IOs as well. Its application to them should be determined under relevant principles of EU law and public international law, and it should be interpreted consistently with the international obligations of the EU and its Member States. However, IOs should implement data protection measures regardless of whether the GDPR applies to them in a legal sense. There is a need for EU law and international law to take each other better into account, so that IOs can enjoy their privileges and immunities also with regard to EU law and avoid conflicts with international law, while still providing a high level of data protection in their operations.

scholarly journals Delegation-Based Personal Data Processing Request Notarization Framework for GDPR Based on Private Blockchain

2021 ◽  
Vol 11 (22) ◽  
pp. 10574
Author(s):  
Sung-Soo Jung ◽  
Sang-Joon Lee ◽  
Ieck-Chae Euom
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Data Privacy ◽  
Personal Data ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Compliance Audit ◽  
General Data ◽  
Data Controller ◽  
Data Subject

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process of personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hypderledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.

scholarly journals Recommendations for Creating Codes of Conduct for Processing Personal Data in Biobanking Based on the GDPR art.40

2021 ◽  
Vol 12 ◽  
Author(s):  
Dorota Krekora-Zając ◽  
Błażej Marciniak ◽  
Jakub Pawlikowski
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Codes Of Conduct ◽  
Code Of Conduct ◽  
Personal Data ◽  
Specific Area ◽  
Research Infrastructure ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
Polish Code

Personal data protection has become a fundamental normative challenge for biobankers and scientists researching human biological samples and associated data. The General Data Protection Regulation (GDPR) harmonises the law on protecting personal data throughout Europe and allows developing codes of conduct for processing personal data based on GDPR art. 40. Codes of conduct are a soft law measure to create protective standards for data processing adapted to the specific area, among others, to biobanking of human biological material. Challenges in this area were noticed by the European Data Protection Supervisor on data protection and Biobanking and BioMolecular Resources Research Infrastructure–European Research Infrastructure Consortium (BBMRI.ERIC). They concern mainly the specification of the definitions of the GDPR and the determination of the appropriate legal basis for data processing, particularly for transferring data to other European countries. Recommendations indicated in the article, which are based on the GDPR, guidelines published by the authority and expert bodies, and our experiences regarding the creation of the Polish code of conduct, should help develop how a code of conduct for processing personal data in biobanks should be developed.

scholarly journals Examining Compliance with Personal Data Protection Regulations in Interorganizational Data Analysis

2021 ◽  
Vol 13 (20) ◽  
pp. 11459
Author(s):  
Szu-Chuang Li ◽  
Yi-Wen Chen ◽  
Yennun Huang
Keyword(s):  
Big Data ◽  
Data Analysis ◽  
Data Protection ◽  
Privacy Preservation ◽  
Personal Data ◽  
Data Sets ◽  
Data Set ◽  
General Data Protection Regulation ◽  
Personal Data Protection ◽  
The Government

The development of big data analysis technologies has changed how organizations work. Tech giants, such as Google and Facebook, are well positioned because they possess not only big data sets but also the in-house capability to analyze them. For small and medium-sized enterprises (SMEs), which have limited resources, capacity, and a relatively small collection of data, the ability to conduct data analysis collaboratively is key. Personal data protection regulations have become stricter due to incidents of private data being leaked, making it more difficult for SMEs to perform interorganizational data analysis. This problem can be resolved by anonymizing the data such that reidentifying an individual is no longer a concern or by deploying technical procedures that enable interorganizational data analysis without the exchange of actual data, such as data deidentification, data synthesis, and federated learning. Herein, we compared the technical options and their compliance with personal data protection regulations from several countries and regions. Using the EU’s GDPR (General Data Protection Regulation) as the main point of reference, technical studies, legislative studies, related regulations, and government-sponsored reports from various countries and regions were also reviewed. Alignment of the technical description with the government regulations and guidelines revealed that the solutions are compliant with the personal data protection regulations. Current regulations require “reasonable” privacy preservation efforts from data controllers; potential attackers are not assumed to be experts with knowledge of the target data set. This means that relevant requirements can be fulfilled without considerably sacrificing data utility. However, the potential existence of an extremely knowledgeable adversary when the stakes of data leakage are high still needs to be considered carefully.

scholarly journals Przetwarzanie danych osobowych do celów badań naukowych. Aspekty prawne

2019 ◽  
pp. 79-101 ◽  
Author(s):  
Aleksandra Pyka
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Scientific Research ◽  
Personal Data ◽  
National Legislation ◽  
General Data Protection Regulation ◽  
Criminal Convictions ◽  
General Data ◽  
Technical And Organizational Measures ◽  
Volume Range

This article refers to the issue of personal data processing conducted in connection with scientific research and in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). It is not uncommon for the purposes of scientific research to process personal data, which is connected with the obligation to respect the rights of the data of the subjects involved. Entities conducting scientific research that process personal data for this purpose are required to apply the general reg­ulation governing, among others, the obligations imposed on the controllers. The issue of personal data processing for scientific research purposes has also been regulated in national legislation in connection with the need to apply the General Data Protection Regulation. The article discusses the basics of the admissibility of data processing for the needs of scientific research; providing personal data regarding criminal convictions and offences extracted from public registers at the request of the entity conducting scientific research; exercising the rights of the data of the subjects concerned; as well as the implementation of appropriate technical and organizational measures to ensure the security of data processing. In addition, the article discusses the issue of anonymization of personal data carried out after achieving the purpose of personal data processing, as well as the processing of special categories of personal data. The topics discussed in the article were not discussed in detail, as this would require further elaboration in a publication with a much wider volume range.

scholarly journals Those Who Shall Be Identified: The Data Protection Aspects of the Legal Framework for Electronic Identification in the European Union

2021 ◽  
Vol 11 (2) ◽  
pp. 3-24
Author(s):  
Jozef Andraško ◽  
Matúš Mesarčík
Keyword(s):  
European Union ◽  
Data Processing ◽  
Data Protection ◽  
Mutual Recognition ◽  
Personal Data ◽  
Legal Framework ◽  
The European Union ◽  
General Data Protection Regulation ◽  
General Data

Abstract The article focuses on the intersections of the regulation of electronic identification as provided in the eIDAS Regulation and data protection rules in the European Union. The first part of the article is devoted to the explanation of the basic notions and framework related to the electronic identity in the European Union— the eIDAS Regulation. The second part of the article discusses specific intersections of the eIDAS Regulation with the General Data Protection Regulation (GDPR), specifically scope, the general data protection clause and mainly personal data processing in the context of mutual recognition of electronic identification means. The article aims to discuss the overlapping issues of the regulation of the GDPR and the eIDAS Regulation and provides a further guide for interpretation and implementation of the outcomes in practice.

scholarly journals Data protection rules applicable to Financial Intelligence Units: still no clarity in sight

ERA Forum ◽  
2022 ◽  
Author(s):  
Teresa Quintel
Keyword(s):  
Law Enforcement ◽  
Money Laundering ◽  
Data Protection ◽  
Action Plan ◽  
Personal Data ◽  
Legal Framework ◽  
General Data Protection Regulation ◽  
Terrorism Financing ◽  
Financing Of Terrorism ◽  
Financial Intelligence

AbstractFinancial information can play a key role in tackling money laundering, terrorist financing and combatting serious crime more generally. Preventing and fighting money laundering and the financing of terrorism were top priorities of the European Union’s (EU) Security Strategy for 2020-2025, which might explain the fast developments regarding legislative measures to further regulate anti-money laundering (AML) and counter terrorism financing (CTF). In May 2020, the European Commission put forward an Action Plan to establish a Union policy on combatting money laundering and shortly afterwards, proposed a new AML Package.Financial Intelligence Units (FIUs) play a crucial role in analysing and exchanging information concerning unusual and suspicious transactions, serving as intermediaries between the private sector and law enforcement authorities (LEAs). Such information includes personal data, which is protected under the EU data protection acquis. The latter is constituted of two main laws, the General Data Protection Regulation (GDPR), which applies to general processing and the so-called Law Enforcement Directive (LED) that is applicable when competent law enforcement authorities process personal data for law enforcement purposes.This Article argues that the current legal framework on AML and CTF legislation is unclear on the data protection regime that applies to the processing of personal data by FIUs and that the proposed AML Package does little or nothing to clarify this dilemma. In order to contribute to the discussion on the applicable data protection framework for FIUs, the assessment puts forward arguments for and against the application of the LED to such processing, taking into account the relevant legal texts on AML and data protection.

scholarly journals General Data Protection Regulation and Horizon 2020 Ethics Review Process: Ethics Compliance under GDPR

Bioethica ◽  
2019 ◽  
Vol 5 (1) ◽  
pp. 6
Author(s):  
Albena Kuyumdzhieva
Keyword(s):  
Data Processing ◽  
Data Protection ◽  
Personal Data ◽  
Research Field ◽  
Research Projects ◽  
Horizon 2020 ◽  
General Data Protection Regulation ◽  
Main Research ◽  
General Data ◽  
European Programme

The present manuscript examines the new ethics data protection requirements introduced for the research projects funded by the European Programme Horizon 2020.Initially, reference is made to the basic data protection principles introduced by the General Data Protection Regulation (GDPR) and the derogations permitted in the research field in favor of the science advancement. Although these derogations are subject to a number of safeguards to protect personal data, new ethics requirements are introduced for research projects funded by the European Programme Horizon 2020. The aim of these safeguards is the increased transparency and accountability at the data processing and the consequent enhanced protection of the individuals’ rights. These requirements are geared to the main research ethics postulate, which requires free, voluntary and informed participation of the research subject.Under these new requirements, Horizon 2020 beneficiaries/applicants must comply with a set of predefined standards, reflecting their ethical and legal obligations, provide a detailed and precise description of the technical and organisational measures that will be implemented in order to safeguard the rights of the research participants and also demonstrate their observance. In addition, depending on the type of the data being processed and the data processing techniques, the H2020 applicants/beneficiaries may need to provide a number of additional documents/explanations and implement further measures.

Sign in / Sign up

Export Citation Format

Share Document