| 關 鍵 詞: |
區塊鏈;一般資料保護規則;個人資料;雜湊演算;不可變性;節點;資料控制者;刪除;銷毀 |
| 中文摘要: |
歐盟一般資料保護規則(GDPR)的嚴峻要求、域外效力設計及以全球營收計算處罰金額使得各界無不審慎看待 GDPR 之適用與遵循,但區塊鏈的系統架構及技術特性卻也引發:1. 此一新興技術是否適用 GDPR;2. 如何確定分散式架構下實際擔負法律遵循責任的資料控制者或資料處理者;3.應如何解決資料加密演算(不可變性)導致難以處理資料刪除請求等核心問題。本文研究發現寫入區塊的各該資料只消符合識別性要求,即有視為個人資料並受 GDPR 拘束之可能,儘管區塊資料均經過雜湊函式加密演算,然此舉僅導致資料的假名化而非匿名化,尚未達到去識別之程度。其次,為確認區塊鏈架構下可得視為資料控制者之參與者,歐盟議會及法國 CNIL 均嘗試建立判斷標準並針對各該參與者進行討論,其中節點能否視為資料控制者尚無共識。區塊鏈本身的資料不可變特性使得當事人刪除請求成為幾近不可能之事,現階段可見的解決方案倡議,包括暫時閒置、脫鏈儲存、銷毀私密金鑰、採用可編輯區塊鏈或分叉技術等作法,雖各有優點但也存在不一之缺陷,尚難契合區塊資料刪除或改動之需求。本文最後對比國內個人資料保護法,針對相關問題在國內之適用情形進行分析,並就個人資料及非公務機關之界定等法規適用上存有爭議之處提出具體修法建議。
|
| 英文關鍵詞: |
blockchain;General Data Protection Regulation;personal data;hashing;immutability;node;data controller;erasure;destruction |
| 英文摘要: |
Blockchain technology has the potential to revolutionize many industries, but some features of this hottest technology arise questions under EU General Data Protection Regulation (GDPR). Two most innovative aspects of blockchain, immutability of data and decentralization of control, have caused conflict with provisions of the GDPR. This article found that the complexities of compliance with GDPR will increase significantly when the transaction information contains personal data, but whether encrypted data and public key should be treated as personal data is controversial. Related studies show that encryption and hash functions do not automatically turn personal data into anonymous, encrypted data and public key are regarded as pseudonymized data and may considered as personal data when they combined with other necessary information. Secondly, the decentralized nature of blockchain technology presents challenges in identifying the relevant controllers. The accurate classification of participants as data controllers, joint controllers or data processors under the GDPR, is crucial as different implications arise depending on the said classification. To date, who should assume as the role of a controller or a processor within the blockchain system is still uncertain. Finally, under the GDPR, data subjects are granted a number of rights which appear to be in tension with blockchain’s immutable characteristics. Because blocks are linked through hashes, if someone decided to execute his or her right to erasure, it would be a huge challenge and nearly impossible to execute. The article will also compare those disputes with Personal Data Protection Law and related administrative interpretations in Taiwan, through this concrete examination, this article will clarify merits and demerits of the present domestic regulation and puts forward suggestions toward future legal adjustment. While challenges for blockchain technology compliance with the GDPR are quite clear, solutions are not obvious. Ultimately, the passage of time will reveal how the use of blockchain technology and the application of the GDPR relative to that technology will evolve.
|
| 目 次: |
壹、前言
貳、區塊鏈技術與個人資料保護
一、區塊鏈基本概念
二、於個人資料保護層面之應用與爭議
三、布魯塞爾效應與歐盟觀點之參採實益
參、區塊鏈是否受到 GDPR 拘束
一、區塊上存在個人資料與否?
二、系統運作與個人資料處理行為
三、區塊鏈應用與域外效力條款
四、小結
肆、資料控制者與資料處理者之判斷難題
一、資料控制者
二、共同控制者
三、區塊鏈應用與資料處理者
四、小結
伍、刪除請求(被遺忘權)處理難題
一、區塊鏈與當事人權利主張
二、刪除請求處理上之核心問題
三、區塊資料無法刪除衍生之相關討論
四、小結
陸、國內現況與借鏡
一、區塊鏈與個人資料保護法之適用
二、應受規範之人之認定
三、個人資料刪除請求之處理
四、個資保護爭端解決與區塊鏈規範設計
柒、結論
|
| 相關法條: |
 |
| 相關判解: |
|
| 相關函釋: |
|
| 相關論著: |
|