The digital era shows an unprecedented worldwide flow of data within multinational companies and their external service providers. Binding Corporate Rules (BCRs) are designed to allow these companies to transfer personal data across borders in compliance with EU Data Protection Law. This is the first work to give an in-depth assessment of the BCR regime.It discusses the origins of the regime and the material requirements of BCR, as well as how they should be applied in practice and made binding on the companies and employees. It also covers how BCRs may provide for enforceable rights for the b
Zugriffsoptionen:
Die folgenden Links führen aus den jeweiligen lokalen Bibliotheken zum Volltext:
Abstract: Recent publications on the data protection aspects of blockchain technology focus on the characteristics of the initial public (Bitcoin) blockchain, and do so in a generalized manner. The authors then conclude that the characteristics of a public blockchain are profoundly incompatible at a conceptual level with the principles of the EU General Data Protection Regulation (GDPR). The GDPR requires identification of a central 'controller' who is responsible for compliance with the GDPR, while a public blockchain decentralizes the storage and processing of personal data, as a result whereof there is no such central point of control. For lack of a better alternative, the authors conclude that all 'nodes' involved in operating a blockchain qualify as a controller under the GDPR, raising enforcement and jurisdictional issues that make it impossible for individuals to enforce their rights. The transparency and immutability of a public blockchain would further not sit well with principles of data confidentiality, data minimization, data accuracy and the rights of individuals to correction and deletion of their data. I disagree with the analysis of these authors for a host of different reasons, the main one being that the authors focus on the shortcomings of the initial public (Bitcoin) blockchain when already many new types of permissioned private and consortium blockchain have been developed that significantly diverge from the original, permissionless public blockchain. In fact, these types of permissioned blockchain have been developed in response to the shortcomings of public blockchain. The authors further consider the data processing implications of blockchain as if this technology constitutes in itself a data processing activity for which a controller has to be identified. Controllership is, however, decided based on a specific use or deployment of a certain technology. Blockchain, like the internet, is a general-purpose technology that is subsequently deployed by actors for a certain purpose in a specific context. Applying the question of controllership to the internet at large would pose similar data protection issues under the GDPR as identified by the authors in respect of blockchain. This publication explains why none of these issues are currently hampering application of the GDPR to the internet and are equally unlikely to pose issues for blockchain applications. This publication describes the issues in their broader context, as well as how each of these issues can be addressed to ensure compliance with the GDPR. The conclusion is that the GDPR is also well able to regulate this new technology. This does not, however, mean that blockchain will thus be suitable for all use and deployment cases.
