GDPR - Challenges for Reconciling Legal Rules with Technical Reality
         
                  Miroslaw Kutylowski, Anna Lauks-Dutka 
                Wroclaw University of Science and Technology
        
                                  Moti Yung
                        Columbia University, Google Inc.


The main real impact of the GDPR regulation of the EU should be improving the protection 
of data concerning physical persons. The sharp GDPR rules have to create a controllable 
information environment, and to prevent misuse of personal data. The general legal norms 
of GDPR may, indeed, be regarded as justified by the existing threats, however, substantial
problems emerge when we attempt to implement GDPR in a real information processing systems setting. 

This paper aims at bringing attention to some critical challenges related to the GDPR regulation 
from this technical implementation perspective. Our goal is to alert the community that 
due to incompatibility between the legal concepts and the technical state-of-the-art, 
a literal implementation of the GDPR regulation may lead to a decrease in the attainable 
real security level, thus hurting privacy. Further, this situation may create barriers 
for information processing environments -- including in critical areas which are very important 
for citizens' security and safety. Demonstrating the problem, we provide a (possibly incomplete) 
list of concrete clashes between the legal concepts of GDPR and security technologies. 
We also discuss some possible solutions to these problems. 


Keywords:
GDPR, compliance, privacy, security   

ESORICS 2020, LNCS 12308, pp. 736-755, Springer Verlag