Decentralised Data Processing: Personal Data Stores and the GDPR

52 Pages Posted: 6 May 2020

See all articles by Heleen Janssen

Heleen Janssen

University of Cambridge - Computer Laboratory

Jennifer Cobbe

University of Cambridge - Computer Laboratory

Chris Norval

University of Cambridge - Computer Laboratory

Jatinder Singh

University of Cambridge -- Dept. Computer Science & Technology (Computer Laboratory)

Date Written: April 10, 2020

Abstract

When it comes to online services, users have limited control over how their personal data is processed. This is partly due to the nature of the business models of those services, where data is typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data.

Personal Data Stores (“PDSs”) represent a class of these technologies; PDSs provide users with a device, enabling them to capture, aggregate and manage their personal data. The device provides tools for users to control and monitor access, sharing and computation over data on their device. The motivation for PDSs are described as (i) to assist users with their confidentiality and privacy concerns, and/or (ii) to provide opportunities for users to transact with or otherwise monetise their data.

While PDSs potentially might enable some degree of user empowerment, they raise interesting considerations and uncertainties in relation to the responsibilities under the General Data Protection Regulation (GDPR). More specifically, the designations of responsibilities among key parties involved in PDS ecosystems are unclear. Further, the technical architecture of PDSs appears to restrict certain lawful grounds for processing, while technical means to identify certain category data, as proposed by some, may remain theoretical.

We explore the considerations, uncertainties, and limitations of PDSs with respect to some key obligations under the GDPR. As PDS technologies continue to develop and proliferate, potentially providing an alternative to centralised approaches to data processing, we identify issues which require consideration by regulators, PDS platform providers and technologists.

Keywords: Federated data processing, personal data stores, data protection, responsibility, transparency, control, GDPR, lawful grounds, personal and household exemption, special category data

Suggested Citation

Janssen, Heleen and Cobbe, Jennifer and Norval, Chris and Singh, Jatinder, Decentralised Data Processing: Personal Data Stores and the GDPR (April 10, 2020). Available at SSRN: https://ssrn.com/abstract=3570895 or http://dx.doi.org/10.2139/ssrn.3570895

Heleen Janssen (Contact Author)

University of Cambridge - Computer Laboratory ( email )

15 JJ Thomson Avenue
William Gates Building
Cambridge, CB3 0FD
United Kingdom

Jennifer Cobbe

University of Cambridge - Computer Laboratory ( email )

15 JJ Thomson Avenue
William Gates Building
Cambridge, CB3 0FD
United Kingdom

Chris Norval

University of Cambridge - Computer Laboratory ( email )

15 JJ Thomson Avenue
William Gates Building
Cambridge, CB3 0FD
United Kingdom

Jatinder Singh

University of Cambridge -- Dept. Computer Science & Technology (Computer Laboratory) ( email )

15 JJ Thomson Avenue
William Gates Building
Cambridge, CB3 0FD
United Kingdom

Here is the Coronavirus
related research on SSRN

Paper statistics

Downloads
86
Abstract Views
561
rank
324,540
PlumX Metrics