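Title

On the Conflict Between Blockchain Technology and the EU General Data Protection Regulation (論區塊鏈技術與歐盟一般資料保護規則之衝突)

Parallel title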

Legal Study on Conflicts of Blockchain Technology and EU GDPR

DOI

10.6199/NTULJ.202103_50(1).0002

Author

Jung-Chin Kuo (郭戎晉)

Keywords

blockchain ; General Data Protection Regulation ; personal data ; hashing ; immutability ; node ; data controller ; erasure ; destruction

Journal

National Taiwan University Law Journal (臺大法學論叢)

Volume/issue and publication date

Vol. 50, No. 1 (2021/03/01)

Pages

69 - 152

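Content language

Traditional Chinese

Chinese abstract

The stringent requirements of the EU General Data Protection Regulation (GDPR), its extraterritorial reach, and fines calculated on global revenue have led all sectors to treat the application of and compliance with the GDPR with caution. The system architecture and technical characteristics of blockchain, however, raise several core questions: (1) whether the GDPR applies to this emerging technology; (2) how to identify the data controller or data processor that actually bears legal compliance responsibility in a distributed architecture; and (3) how to resolve the difficulty of handling data erasure requests caused by the cryptographic processing of data (immutability). This article finds that data written into a block may be regarded as personal data and be bound by the GDPR as long as it meets the identifiability requirement. Although block data is cryptographically processed with hash functions, this results only in pseudonymization rather than anonymization and does not reach the level of de-identification. Second, to determine which participants in a blockchain architecture may be regarded as data controllers, both the European Parliament and the French CNIL have attempted to establish criteria and have discussed each type of participant; there is not yet consensus on whether nodes can be regarded as data controllers. The immutability of blockchain data makes a data subject's erasure request nearly impossible to fulfil. The solutions proposed so far, including temporarily leaving data idle, off-chain storage, destroying private keys, and adopting redactable blockchains or forking, each have advantages but also varying drawbacks, and do not yet meet the need to erase or alter block data. Finally, the article compares these issues with the domestic Personal Data Protection Act, analyzes how they apply domestically, and offers concrete proposals for legislative amendment on contested points of application, such as the definitions of personal data and of non-government agencies.

English abstract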

Blockchain technology has the potential to revolutionize many industries, but some features of this popular technology raise questions under the EU General Data Protection Regulation (GDPR). Two of the most innovative aspects of blockchain, immutability of data and decentralization of control, conflict with provisions of the GDPR. This article finds that the complexity of GDPR compliance increases significantly when transaction information contains personal data, but whether encrypted data and public keys should be treated as personal data is controversial. Related studies show that encryption and hash functions do not automatically anonymize personal data; encrypted data and public keys are regarded as pseudonymized data and may be considered personal data when combined with other necessary information. Second, the decentralized nature of blockchain technology makes it challenging to identify the relevant controllers. The accurate classification of participants as data controllers, joint controllers or data processors under the GDPR is crucial, as different implications arise depending on that classification. To date, who should assume the role of controller or processor within a blockchain system remains uncertain. Finally, the GDPR grants data subjects a number of rights that appear to be in tension with blockchain's immutable characteristics. Because blocks are linked through hashes, a data subject's exercise of the right to erasure would be a huge challenge and nearly impossible to carry out. The article also compares these disputes with the Personal Data Protection Law and related administrative interpretations in Taiwan; through this examination, it clarifies the merits and demerits of the present domestic regulation and puts forward suggestions for future legal adjustment.
While challenges for blockchain technology compliance with the GDPR are quite clear, solutions are not obvious. Ultimately, the passage of time will reveal how the use of blockchain technology and the application of the GDPR relative to that technology will evolve.

Subject classification: Social Sciences > Law
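Cited by
  1. 蔡佩芬 (2022). Differences in operating principles, and the advantages and disadvantages, of service by blockchain and electronic service in transnational judicial assistance or litigation. 東吳法律學報, 33(4), 79-141.
  2. (2022). Trust services in the digital economy era: on the electronic document provisions of the Multi-Level Marketing Supervision Act. 政大法學評論, 171, 147-208.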