Home » GDPR Compliance in the age of Emerging Technologies

GDPR Compliance in the age of Emerging Technologies

Cyberwatching: GDPR Compliance Webinar Questions

Last 18 July 2019, Cyberwatching.eu held it's 7th webinar which focused on "GDPR compliance in the age of emerging technologies". The projects that were invited to present – together with cyberwatching.eu legal partner, ICT Legal Consulting, were GDPR cluster projects, namely, BPR4GDPR, DEFENDPAPAYA, PDP4E, POSEIDON, SMOOTH.


Together with the 6 EC-funded projects we addressed the arising challenges of achieving compliance in the emerging technologies such as Artificial Intelligence (AI), blockchain and cloud computing to upgrade the Europe's technological ability to address the related issues and ensure that Europe continues to innovate in this space.

Towards the end of the webinar, the speakers that presented were asked to shortly come up with the priorities and suggestions for future funding EU initiatives.

Read and download the complete recommendations report of those speakers on D3.4 Report.

We consolidated all the raised questions from our participants which was answered by those speakers during the webinar.

The GDPR doesn’t talk directly to AI, the use of AI in a processing follow the same evaluation process of a new processing. I suppose that the AI could be “similar” of a processing that use a software with automatic decisions, this means that the processing request as legal basis the consent by a data subject. About the process of evaluating, design the processing that include AI, evaluate the criticality of this processing, DPIA, and ask to National Data Protection Authority for the evaluation. About the risk of the use of AI, the main could be the alteration of input data by hacker or alteration of code of AI.

- Andrea Praitano, DEFEND.

Yes, today it must be avoided to insert data in blockchain even if private since that blockchain is immutable. This implies that when data is saved on the blockchain it remains immutable within the blockchain and this is in contrast to the GDPR (for example in response to the request for the right to be forgotten by an interested party).

European Securities and Markets Authority (ESMA), European Union Agency for Network and Information Security (ENISA) or Open Data Institute (ODI) confirm this issue.

There are two alternatives for using the blockchain while remaining GDPR compliant:

  • Save the data in an offledger DB and save in the blockchain only the data points (hash) – this is the choice adopted to date by the PoseIDon project.
  • Use a redactable blockchain (editable data to accommodate legal and regulatory requirements, address bugs, and mischief).

    Also, this type of blockchain is obviously decentralized and immutable as all other blockchains. There is no centralized server and bad actors won't be able to make changes.

    In this case only trusted administrators acting on agreed rules of governance can edit, rewrite or remove blocks without breaking the chain.

This last alternative fills all regulatory requirements introduced by GDPR, but introduces more operational efforts for security reasons (it is necessary to safely protect the "seeds" that allow you to "go back" from the hash) and more complexity analysis on scalability and performance loads.

- Dario Beltrame, PoseIDon.

There are many different references for security best practices, some are from Europe, some from the USA and others are international. The main reference is the ISO/IEC27000 family standard. In this family the main standards are ISO/IEC 27002 (code of practice), ISO/IEC 27005 (risk management), ISO/IEC 27017, ISO/IEC 27018. There are other important ISO standards like ISO 22301 on business continuity. There are also other institutions that provide guidelines on information security, ENISA (from Europe), NIST (from US), OWASP.

- Andrea Praitano, DEFEND.

If we take a look at Article 4 of the GDPR, personal data is any information concerning an identified or identifiable natural person; that is, a data is considered personal if it allows for the identification of the data subject. In this sense and contrary to consent, a telephone number may allow the identification of a person. In fact, again in article 4 of the Regulation, consent is identified as a free, specific, informed and unequivocal expression of will. Furthermore, recital 32 gives us a series of additional indications for which it is necessary to be able to save and trace this manifestation of will. Precisely for this reason the PoSeID-on project has used blockchain to memorize and trace the consent of European citizens.

- Dario Beltrame, PoseIDon

When we talk on information or cybersecurity the European and US approach are quite similar. It’s different for data protection/privacy, the European approach is different from the US approach. In my opinion, it’s important in data protection adopt EU based best practices, from ENISA there are some guidelines that follow this approach. At this moment there is a big difference between the European guidelines and the Standard Publication from NIST (the 800-xxx series). I hope that the guidelines from ENISA (or other European institutions) increase as numbers and level of detail. When I use no-EU based guidelines/best practices my approach is to adapt it to European approach.

- Andrea Praitano, DEFEND.

Digital culture cannot be imposed by any law.

To help citizens comply with the law, digital culture should be promoted from schools first. In parallel, an ecosystem could be created in which individuals can select configurable services according to their level of knowledge, in order to improve security, and data privacy skills. Given that children increasingly have access to the internet at an earlier age, EC programmes should promote digital education, awareness to understand the risks and protection measures already from the schools. At the same time, EC should boost initiatives to develop platforms/sites compiling the different existing tools with training programs to simplify the adoption of adequate solutions for enhancing security, privacy protection, and defensive capacity, according to the needs of the individuals.

- Rosa Araujo, SMOOTH

Advertising technology (Adtech) and Real-Time Bidding mechanism.

Adtech is a term used to describe tools that analyse and manage information (including personal data) for online advertising and automate the processing of advertising transactions. Real-Time Bidding is a particular type of online advertising that ensures the buying and selling of advertising inventory in real time. In essence, it implies open auctions among advertisers. Real-Time Bidding involves many data processing operations that may result in a high risk to the rights and freedoms of individuals. Moreover, users are rarely aware of the effective functioning of this activity and how their personal data are affected. Indeed, operations like profiling, large-scale processing and tracking of location and/or behaviour, usage of new technologies are included; this happens in really short time (i.e. milliseconds). That said, there is a need to address the risks generated by the special features of Real-Time Bidding, that involves, for instance, careful analysis of the appropriate legal grounds, carrying out DPIAs and provide an elevate degree of transparency in processing such a great amount of personal data. Unfortunately, the dynamics of these processing operations and the technologies that are already in place in this sector, require a deeper comprehension by the regulators at EU level. Therefore, it is recommended that policy makers commit themselves to better understand the functioning of this type of adtech and how concretely address the relevant privacy issues..

- Davide Cascone, BPR4GDPR

The challenge with emerging technologies is that they continue to develop in ways that outstrip the EU's and member states’ ability to legislate effectively. While GDPR has somewhat stemmed the tide in terms of setting up a regulatory framework, its inflexibility is likely to create challenges in the future, particularly as these technologies are primarily being developed outside of Europe and thus outside of the reach of EU legislation. The EU and the EC in particular should thus focus its efforts on developing forward-looking and flexible legislation that can help create a far-reaching framework for governing the use of new technologies, so that as new capabilities are developed and become widespread, they can be effectively governed within an existing structure, instead of requiring reactionary legislation. The European Union should also boost investment in fostering a wide use of digital technologies across the economy and society and in securing them through investments in cybersecurity research and development. Its goal should be to support the procurement of advanced cybersecurity equipment, tools and data infrastructures, so as to promote the deployment of the latest security solutions across industries. Doing so can help foster the best use of knowledge and increase European capacity and skills related to cybersecurity. In particular, EC programmes should focus on reinforcing the capabilities within Member States for a uniformly high level of security of network and information systems across the EU. This will enable the EU to take advantage of emerging technologies such as blockchain and potentially help the EU spur on the development of technological champions, such as those currently found in Silicon Valley..

- Dario Beltrame, PoseIDon

We believe that the future EC programmes should continue their support for research on the design and development of privacy enhancing technologies for compliance with the GDPR and the upcoming e-privacy regulations. As the use of such technology in different situations (with different requirements) and the integration of different security and privacy primitives are not straightforward, the EC should also foster training programmes accordingly. ..

- Melek Onen, PAPAYA


On the event of the adoption of the draft regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, the AI4HealthSec project kicked off a process to provide its opinion.