Decentralised Data Processing: Personal Data Stores and the GDPR
International Data Privacy Law, Volume 10, Issue 4 Pages 356–384, https://doi.org/10.1093/idpl/ipaa016 (28 December 2020). Please note that the SSRN-version of this article includes an analysis of the ePrivacy Directive in the lawful grounds section.
39 Pages Posted: 6 May 2020 Last revised: 4 Feb 2021
Date Written: December 28, 2020
When it comes to online services, users have limited control over how their personal data is processed. This is partly due to the nature of the business models of those services, where data is typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data.
Personal Data Stores (“PDSs”) represent a class of these technologies; PDSs provide users with a device, enabling them to capture, aggregate and manage their personal data. The device provides tools for users to control and monitor access, sharing and computation over data on their device. The motivation for PDSs are described as (i) to assist users with their confidentiality and privacy concerns, and/or (ii) to provide opportunities for users to transact with or otherwise monetise their data.
While PDSs potentially might enable some degree of user empowerment, they raise interesting considerations and uncertainties in relation to the responsibilities under the General Data Protection Regulation (GDPR). More specifically, the designations of responsibilities among key parties involved in PDS ecosystems are unclear. Further, the technical architecture of PDSs appears to restrict certain lawful grounds for processing, while technical means to identify certain category data, as proposed by some, may remain theoretical.
We explore the considerations, uncertainties, and limitations of PDSs with respect to some key obligations under the GDPR. As PDS technologies continue to develop and proliferate, potentially providing an alternative to centralised approaches to data processing, we identify issues which require consideration by regulators, PDS platform providers and technologists.
Keywords: Federated data processing, personal data stores, data protection, responsibility, transparency, control, GDPR, lawful grounds, personal and household exemption, special categories of data
Suggested Citation: Suggested Citation