GDPR Compliance for Steem - Who Is Responsible? An Update After Speaking With UK Gov.
Carrying on from my recent post that mentioned Steem's compliance with the new EU Privacy legislation - the GDPR - today I phoned the UK's Information Commissioner's Office to ask them some questions about it all..
The GDPR appears to be one of the most far-reaching changes in a long time to a general rule that applies across the whole of Europe. The short version is that it places far more requirements on those who run online services and who store people's data than was the case previously. There are numerous 'rights' that are now enforced, under penalty of large fines - such as allowing people to view/edit/delete their data from any system that holds it. Big companies have been working for over a year to make sure they don't get fined.. However, smaller groups are having a few challenges getting to grips with how the legislation applies to them.
I have now spoken with a specialised lawyer on this subject, as well as listened to numerous professionals from various companies explaining how they are dealing with the situation and giving advice to website operators. Unfortunately, as I kind of expected, the lawyer didn't really seem to know as much as I did on the topics that I am most interested in and appeared to contradict the UK government's website. So today I called the government office responsible for all this, again, to get my questions answered.
Today's call was much more successful than my first one - even if I did have to wait on hold for over 90 minutes:
I learned that my own social network can be exempt from the entire process of compliance since I can define it as being a hobby - which it is, since hobbies are defined as being basically 'an activity that is done that is not your main business'. Ureka doesn't involve money, so it appears to be fine for me to just do nothing!
Steem & The GDPR
I also asked about Steem from the perspective of a witness. This took quite a lot of time and I explained the basics of what Steem witness servers are. The agent I spoke with was interested and agreed that the situation appears to be a grey area, in a sense. She stated to me that if there is no 'data controller' - e.g. a legal entity that is responsible for determining what kind of data is stored by the system/network, then the system cannot fall under the control of the GDPR!
I asked specifically if this meant that Steem would be deemed illegal automatically because there is no controller and she said 'no, it would not be illegal and would also not need to conform to the GDPR'. The reason why she thought there was no controller was because Steem, the blockchain, is an open source code project that - as far as I am aware - is not owned/controlled by a legal entity. If Steemit inc. wants to claim ownership of the code and its copyright, then they are - as far as I am aware - the data controller and may be subject to large fines if Steem is found to not be exempt after all.
I did not ask about Steemit.com, but I suspect that it will be much more difficult to class Steemit.com as being exempt and Steemit inc. will indeed need to add the kind of features that Google and other such sites have added to make their site compliant. Once again, the kinds of features that are required are listed here.
Aaand Relax?
So now I feel quite a bit more relaxed. The agent advised me to send them an email to get a more detailed answer to the questions from more 'expert' people - however, she said that it would take about 5 months to get a reply! LOL
I have been advised by experts that the government is mainly focused on getting compliance from banks and mega corporations - with less pressure being applied to everyone else for the foreseeable future. Top Tip: This does not mean though that Steemit inc. should think that they will not get hassled or fined for non-compliance.
Wishing you well,
Ura Soul
Vote @ura-soul for Steem Witness!
View My Witness Application Here
(Witnesses are the computer servers that run the Steem Blockchain. Without witnesses there is no Steem, Steemit, DTube, Utopian or Busy... You can really help Steem by making your 30 witness votes count! Don't forget, there are more than the 50 witnesses you see on the witness voting page in steemit.com)
I found this document from a legal firm too. Obviously I'm not sure about its accuracy, but it seems to make sense, and could be helpful:
https://www.hlengage.com/_uploads/downloads/5425GuidetoblockchainV9FORWEB.pdf
Having read the document I can see that they make a case for the scenario that I mentioned to @timcliff in the comments here, that each witness might be considered their own data controller and also a processor. The situation is far from clear and as they say at the end, it may require a thorough technical analysis to be carried out to find out exactly how this fits within the legislation.
I really do think this should be undertaken by Steemit Inc. since it represents an existential threat to their entire business and they have significant enough funds, plus contacts to do it.. That said, it would be easily afforded by the top witnesses too.
A useful document, but we still lack a precise answer. :/
The way I read it, the document hints towards users storing their own identity information off-chain using IPFS nodes or similar, and probably arbitrary data not being kept on-chain at all - but I agree it's far from clear.
It would take a huge development effort to move all the arbitrary Steem data off-chain, and update the existing front-ends. Would you want to pay to find out that there was an asteroid heading for earth and there was nothing we could do about it? That said, there seems to be some chance that the launch of SMTs could actually help pivot towards this kind of architecture if we wanted.
Oh thanks - I hadn't seen that one - it's the only one I've seen that directly addresses blockchains in this context, I will read.
Thanks for your great work on this! Helping to sort through all of these legal issues for all of the witnesses to be able to navigate through them is of great benefit.
Thanks Tim, you are welcome. It's worth remembering though that there are currently numerous different interpretations floating around for some of the terms and definitions involved and it would not surprise me if I phoned the ICO again tomorrow and got a different answer - overall it is a bit of a mess.
As far as the witness issue goes, with the question of who is the 'data controller', I can also possibly imagine a situation where it is claimed that because the witnesses ultimately choose whether or not to adopt a particular hard fork that they somehow collectively become a kind of group of data controllers who share responsibility. It might be one of the most complicated versions of modelling a system for GDPR, but a particularly adventurous government worker might want a challenge and decide to push that through.. I'm not sure if that's possible or not.
In any case, we might not know there is an issue until someone tries to launch a court case against.. someone. I am guessing that no witness has ever received a legal notice for anything so far - is that right, to your knowledge? I'm not sure if Steemit inc. would make it public if they had done.
Steemit receives DMCA takedown requests for content hosted on the site, but afaik nobody has filed any cases against witnesses or node operators yet.
Yes, ok - I see the blacklisted posts in Github for Condenser sometimes. Maybe the complexity of the situation puts off some people - it's an interestingly and refreshingly weird situation ;)
Technically it sounds like you may be breaking the law but like they say there are loopholes and it sounds highly unlikely they will waste their time and money to prosecute you.
https://steemit.com/steem/@xyzashu/are-witnesses-liable-for-data-privacy-issues-on-steem-blockchain
interesting, good to hear the blockchain won't suddenly need to be entirely reprogrammed to enable deletion of information in perpetuity (which would kind of be in the opposite direction of the whole concept of permanent storage X/)
I've seen an... interesting... reaction to the GDPR:
stop dealing with Europeans
Got an email from one of the more irritating newsletters that I never remember where I subscribed to, and noticed this disclaimer at the bottom:
I sense some.. sidestepping... of the compliance part of the regulation here XD
hehe.. I'm pretty sure that that attempt to sidestep is irrelevant as far as the EU is concerned as the legislation states that it applies everywhere as long as EU people are the data 'subjects'.. That said, I think they misunderstood the terms of the legislation, since as far as I know it is also irrelevant whether links point to the EU or not as all that is at issue is whether private data of identifiable humans is being stored.
yeah, I imagine a lot of people must have given it a VERY fast read through or read a summary somewhere, and this particular person thought she's found an "easy" way out.
Though it IS kind of the same principle as ICOs who inform you that you can't invest in them if you're a citizen of the US, or X other countries.
Yes, that's bullshit, too. If the SEC wants to make an example of EOS, they'll nail them for advertising on Times Square. Their terms and conditions won't save them when they aren't in line with reality.
That is the most loyal work for Steemit that I have seen in here, great work and thank you for making things easier for us and answering questions that are yet to come into our minds.
Even though it makes sense from a legal standpoint not to regulate businesses with the same standards as non-commercial hobbies, it seems a bit strange to me that a free social network would be allowed to give less freedom to people in terms of the information they give and are free to modify than for-profit social networks.
People still have the same needs and makers can still misuse the information in the same way, but the for-profit trait makes the whole difference? Seems that the new legal system lacks a bit of thought in my opinion.
Ureka has absolutely no enforcement of identity and no trade/commerce involved. Essentially, I place absolutely no requirement for people to be who they say they are and so it is a bit of a stretch to say that I should be liable for massive fines if people's privacy is breached when I actually don't really have any way of identifying the vast majority of them and do not require them to give me any information at all.
That said, I am working with the creators of the open source software that the site is based on to get their framework compliant anyway, which will not really be that hard. Most of what is needed is in there anyway since it is best practice for social systems.
I absolutely agree that the GDPR system lacks coherent logic, but I would expect nothing less!
Good to know. Thanks for looking into this.
Getting notifications for these across all my platforms!
Yes, it goes live on the 25th May.
So glad this seems to be resolving itself, @ura-soul! It would have been a sad day to have lost one of my favorite witnesses over it. 😎
Well, this is a lie.
All of the big banks and mega corporations have been fined over and over for ILLEGAL activities. So much so, that the only conclusion is that the big banks are just "sharing the wealth" with the enforcers.
What govern-cement is up to is being able to crack down on any medium sized guy that they can extort for money.
Steemit has very little user data. And all of it is on the blockchain. You can view it all with steemd.com
However, you can't change any of it, all you can do is add new information on top of it.
It is not a lie, since I have spoken directly with some of the people who have been doing the work for the large corporations and banks. Whether or not they enforce the rules with fines is a different issue, but the companies definitely have been doing a lot of work to become compliant.