GDPR has been characterized as “the toughest privacy and security law in the world”. However, practice shows that enforcing GDPR is challenging. The demand for its lifelong enforcement on personal data is particularly strong: GDPR should “travel with the data”, and thus follow the data as it is transferred and processed. A technological solution that seems essential to satisfy this demand is data traceability. This project focuses on three GDPR requirements (right to erasure, purpose limitation, and rights in relation to automated decision-making and profiling) and asks whether data traceability can enable the lifelong enforcement of these requirements (R1-3) within a common data-processing pipeline, under what assumptions (including threat model characterization), and at what cost (time, space, infrastructure). To achieve this, we create an interdisciplinary group of CS and Law experts to design and implement TracE2E, a customizable middleware for end-to-end traceability of data within IoT applications. The legal members of our group will perform a legal assessment of the resulting system to argue that it enforces R1-3 under specific assumptions. To also assess the feasibility of the enforcement in practice, TracE2E will be ported into an existing IoT application for combating fishery crimes, and the incurred cost (time, space, software and hardware needs) will be estimated.