Attrace is committed to providing all its users full transparency and control over their personal data and can claim superiority in terms of GDPR compliance compared to any traditional affiliate marketing ecosystem:
1. Blockchain structure could in essence be perceived as contradictory to the principles of GDPR, making it legally problematic to determine who, if anyone, has accountability;
2. The Attrace ecosystem has implemented irreversible unidentifiable verification hashes for registration of all clicks and sales on the public chain, in combination with private channels for direct encrypted GDPR Data exchange between Publishers and Merchants;
3. This means no GDPR Data will be processed or saved on the public chain; and
4. Attrace has not and cannot acquire access to the GDPR Data exchanged between Publishers and Merchants on the private channel; and as a result
5. Attrace is neither a GDPR Data Owner nor GDPR Data Processor.
1. What is GDPR
On May 25, 2018, the European Union enforced a new data privacy law, the General Data Protection Regulation (GDPR). A primary aim of the GDPR is to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach it.
Common objectives of GDPR:
- Facilitate the free movement of personal data in the EU; and
- Provide data subjects with more control over their personal data.
Any company or organisation that collects or processes personal data (“GDPR Data”) of persons in the EU falls under the scope of the GDPR, even if the company has no physical presence in the European Union. This means that most businesses with a global or online presence, including those participating in the Attrace ecosystem, are affected.
The complete GDPR document can be consulted at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.119.01.0001.01.ENG
1.1 What is GDPR Data (personal data)
GDPR applies to processing of personal data, which is any information relating directly or indirectly to a “living natural person”, whether it actually identifies them or makes them identifiable.
GDPR does not apply to non-personal and anonymous data, provided there is no
- Linkability: It must be impossible to identify a natural person through any and all means “reasonably likely to be used for identification”, and
- Reversibility: The conversion into anonymous data must be irreversible: it may not be possible to reconstitute the data from the anonymized form (encryption needs to be irreversible).
1.2 Important aspects when dealing with GDPR in a blockchain environment
- Identification of the Data Controller and the Data Processor
- GDPR Data minimization by anonymizing personal data
- Requirement of data subject being able to exercise certain data subject rights (e.g. the right for the data subject to erase data at a certain point in time)
General consensus is that there are tensions between a blockchain and GDPR, as GDPR was not designed for technologies that forsake centralised control in favour of a distributed network.
Also, the so-called “right to be forgotten” cannot easily be applied to a blockchain environment. GDPR does not define what “erasure of data” means, which suggests that, to comply with this requirement, actual physical and logical deletion is required. However, one of the key features of blockchain technology is the general immutability of its data, and many applications of the technology thus far are built on publicly available data trails.
Another aspect of GDPR on blockchain is the fact that GDPR Data cannot leave the EU. This requirement is a major problem with permissionless blockchains, since in such cases there is no control on who hosts a Validating Node / Witness.
This all brings us to the question how to deal with the above aspects when working in a blockchain environment and especially how to identify the Data Controller and the Data Processor.
1.2.1 Identification of the GDPR Data Controller and Data Processor
GDPR compliance is a shared responsibility between Data Controllers and Data Processors of the data subject’s personal data. Entities subject to GDPR have different obligations based on whether they qualify as a Data Controller or Data Processor.
- Data Controller means: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor means: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
GDPR assumes there is always a Data Controller and sometimes also a Data Processor. This is important, as the regulator assumes that in the context of GDPR, these two bodies have certain accountability in case something goes wrong with the data subject rights such as “the right to be forgotten”, the right to data portability and the right to object.
1.2.2 Identification of the Data Controller and Data Processor in a traditional affiliate marketing ecosystem
A traditional affiliate marketing ecosystem has a middleman, the Affiliate Network, that handles all agreements, clicks and payments between end-users.
- In a traditional affiliate marketing ecosystem the end users, such as Advertisers and Publishers, are considered to be Data Controllers.
- In a traditional affiliate marketing ecosystem a middleman, i.e. the Affiliate Network, is considered a Data Processor.
1.2.3 Identification of the Data Controller and Data Processor in a permissionless blockchain
Context: Attrace is a custom made public (read: permissionless) blockchain with private channels.
It is a challenge to identify the Data Controller and Data Processor in a permissionless blockchain environment. Current consensus is focused on the principle that qualification of any natural or legal person, public authority, agency or other body as a Data Controller or Data Processor should be activity specific.
When applying this principle:
- Protocol developers are unlikely to qualify as Data Controller since they do not determine the purpose (and means) of the processing of GDPR Data. Depending on the functionalities of the Protocol, they might also not qualify as Data Processor;
- Validating Nodes / Witnesses can be deemed data processors if they process GDPR Data on behalf of a Data Controller – for example, by executing the instructions of the Data Controller when they verify a transaction submitted by the Data Controller. The legal status of Validating Nodes / Witnesses is, however, still much debated;
- Network users may qualify as Data Controllers, except when they are only using data for their own purpose, in which case they would fall under the household exception of GDPR. However, related to that is the ‘GDPR article 29 working party’, which states that sharing data with many and / or an undetermined number of persons means that the household exception does not apply. Therefore, the legal status of network users is also still much debated. (Note: Network users in the Attrace ecosystem are both the Attrace end users as well as the individuals which are targeted by the Attrace end users.)
As illustrated by the above, the basic overall conclusion / general consensus is that it is very difficult and perhaps even impossible to identify a Data Controller or Data Processor in a permissionless blockchain, which leads back to the question of whether GDPR rules are applicable in a permissionless blockchain and, if so, for which blockchain participants.
Although a definitive answer to these questions might be perceived by some as a pillar to meet GDPR from a legal perspective for at least some time to come, Attrace has nevertheless developed an ecosystem that is able to meet the current GDPR regulations in a permissionless blockchain environment:
2. The Attrace answer to GDPR in affiliate marketing via a permissionless blockchain
To anticipate any GDPR-related questions, regardless of whether or not GDPR rules are applicable in a permissionless blockchain, Attrace has decided to technically add a second layer to the blockchain structure that will assure GDPR compliance going forward:
2.1 Key aspects of Attrace to achieve full compliance with GDPR
- Public chain stores (anonymized) unidentifiable verification hashes to track all clicks and sales
- Private channels used for direct encrypted GDPR Data / information exchange between end-users (Advertisers and Publishers)
Hashing is a technique that consists of replacing one attribute (typically a unique attribute) in a record by another (a unique numerical identifier) using a hash function. This is essentially the “fingerprint” of specific data. When processing personal data, a hash or identifier would be generated for each unit of personal data. Hashing is irreversible, which means the hash cannot be converted back into the personal data. The hashes corresponding to each unit of personal data will be stored in the blockchain network while the unit itself will remain stored with the end-user.
With the help of hashing, the public chain is solely used to verify data in the private channel. No GDPR Data is recorded on the public network or any part of the blockchain.
Note: The hashing is done by the end-user, on the end-user side. The Attrace “private channel toolkit” provides code that enables end-users to run the hashing. These hashes will then go to the Attrace public network. This methodology ensures that Attrace does not act as a Data Processor.
2.1.2 Private channels
Private channels are created in the blockchain network by two or more end-users (e.g. Publishers and Advertisers) that want to share information in a private environment. For example, end-user A and B don’t want the Nodes / Witnesses from the public chain knowing which data / information they are sharing. In the Attrace ecosystem the Nodes / Witnesses of the public chain will only know the hash of the corresponding information shared through the private channel, the actual information will be exchanged directly between the Publisher and the Advertiser. Both Attrace and the Nodes / Witnesses cannot access the GDPR Data exchanged through the private channel.
On top of that, all information exchanged through the private channel will also be encrypted (TLS 1.3 encryption).
The implementation of private channels is especially useful in case of transfer of GDPR Data between end-users. Since all information, including GDPR Data, will be exchanged directly between the Publisher and the Advertiser without any involvement of Attrace, the Attrace ecosystem will never handle nor process any GDPR related data / information as a Data Owner or Data Processor.
2.2 Data removal
In case of a request to remove personal data, according to the GDPR principles of lawfulness of processing or storage limitation, the end-user will remove any GDPR Data shared through the private channel from their external database. The corresponding hash remains in the public blockchain. Since the data related to this hash has been removed, the hash becomes a number with no correspondence. Since hashes are stored in the public blockchain and personal data remains stored in a database outside the network (end-user side), the participants in the public blockchain network will only ever have access to the hashes, which are random numbers with no meaning for them, and therefore also no GDPR Data.
Functionality for full data removal request handling is available. Please contact us at firstname.lastname@example.org for further clarification.
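The hash-on-chain, data-off-chain flow and the removal step described in 2.1 and 2.2, as an added sketch; it is not Attrace's code or its private channel toolkit. The page does not specify the hash construction, so the per-record random salt, HMAC-SHA256, the record fields and all names below are assumptions.

```python
import hashlib
import hmac
import json
import secrets

PUBLIC_CHAIN = []   # stand-in for the public chain: holds digests only
OFF_CHAIN_DB = {}   # stand-in for the end-user's own database


def digest_of(salt: bytes, record: dict) -> str:
    # Canonical JSON so both parties hash identical bytes.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


def register(record: dict) -> str:
    """End-user side: hash locally, publish only the digest."""
    # Assumption: a random per-record salt, so low-entropy fields cannot be
    # matched by recomputing the hash and equal records do not share a digest.
    salt = secrets.token_bytes(32)
    digest = digest_of(salt, record)
    OFF_CHAIN_DB[digest] = (salt, record)
    PUBLIC_CHAIN.append(digest)
    return digest


def verify(digest: str, salt: bytes, record: dict) -> bool:
    """Counterparty: check data received over the private channel."""
    on_chain = digest in PUBLIC_CHAIN
    return on_chain and hmac.compare_digest(digest_of(salt, record), digest)


def erase(digest: str) -> bool:
    """Removal request: delete record and salt; the digest stays on chain."""
    return OFF_CHAIN_DB.pop(digest, None) is not None


if __name__ == "__main__":
    # Constructed sample record (documentation IP range).
    click = {"click_id": "c-1001", "visitor_ip": "203.0.113.7"}
    d = register(click)
    salt, rec = OFF_CHAIN_DB[d]
    print("verified:", verify(d, salt, rec))
    print("tampered:", verify(d, salt, {**rec, "visitor_ip": "203.0.113.8"}))
    print("erased:", erase(d), "| still on chain:", d in PUBLIC_CHAIN)
```

Once `erase` has removed the salt and the record, nothing held off-chain can be matched against the digest that remains on the chain.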
3. Final note
For Publishers and Advertisers, it is important to understand that while the content on this page is to help you understand GDPR when working with Attrace, the information contained should not be construed as legal advice and Attrace cannot be held liable for the information provided herein. As an end-user you should always consult with your own legal counsel to determine your legal obligations under GDPR and the use of a company’s products and services to process personal data.
Attrace has obtained legal advice and has performed its own research on how it can offer its services in compliance with GDPR. This includes an in-depth assessment of its impact on individual privacy for each aspect of the ecosystem.
Having considered impact on an individual’s rights under GDPR, Attrace is comfortable that facilitating the processing of GDPR Data for tracking services should not conflict with GDPR as such processing is done in a proportionate manner and such processing is necessary for Attrace to pursue its legitimate interests. This means Attrace does not envisage to request an individual’s consent as the legal basis for facilitating the processing of personal data as part of its tracking services under GDPR.
Attrace is also implementing several safeguards and compliance measures required to protect an individual’s rights and freedoms pursuant to GDPR. This includes minimizing personal data processing wherever possible, publishing notices to explain how GDPR Data is processed and appointing a specialist member of the team to serve as data protection officer as required.
Historically, data protection laws have been accompanied by detailed regulatory guidance issued over a number of years. GDPR is a new set of regulations, for which regulatory guidance is still awaited in respect to several key aspects, especially regarding blockchain technology. In the absence of such guidance, our assessment is, in some cases, based solely on the wording of GDPR itself. As soon as further regulatory guidance is issued, we may be required to revise our position or take additional measures to ensure compliance. Any measures that may have an impact on the Attrace end-users will be clearly communicated in a timely manner.