Key Points

• When it comes to online services, users have limited control over how their personal data are processed. This is partly due to the nature of the business models of those services, where data are typically stored and aggregated in data centres. This has recently led to the development of technologies aiming at leveraging user control over the processing of their personal data.
• Personal data stores (PDSs) represent a class of these technologies; PDSs provide users with a device, enabling them to capture, aggregate, and manage their personal data. The device provides tools for users to control and monitor access, sharing, and computation over data on their device. The motivation for PDSs are described as (i) to assist users with their confidentiality and privacy concerns, and/or (ii) to provide opportunities for users to transact with or otherwise monetize their data.
• While PDSs potentially might enable some degree of user empowerment, they raise interesting considerations and uncertainties in relation to the responsibilities under the General Data Protection Regulation (GDPR). More specifically, the designations of responsibilities among key parties involved in PDS ecosystems are unclear. Further, the technical architecture of PDSs appears to restrict certain lawful grounds for the processing, while technical means to identify certain special categories of personal data, as proposed by some, may remain theoretical.
• We explore the considerations, uncertainties, and limitations of PDSs with respect to some key obligations under the GDPR. As PDS technologies continue to develop and proliferate, potentially providing an alternative to centralized approaches to data processing, we identify issues that require consideration by regulators, PDS platform providers, and technologists.

中文翻译：

---

去中心化数据处理：个人数据存储和GDPR

关键点

• 当涉及在线服务时，用户对如何处理其个人数据的控制有限。部分原因是这些服务的业务模型的性质，通常在数据中心中存储和汇总数据。这最近导致了旨在利用用户对其个人数据的处理进行控制的技术的发展。
• 个人数据存储（PDS）代表了这些技术中的一类。PDS为用户提供了一种设备，使他们能够捕获，汇总和管理其个人数据。该设备为用户提供工具来控制和监视对其设备上数据的访问，共享和计算。PDS的动机被描述为（i）帮助用户解决其机密性和隐私问题，和/或（ii）为用户提供与他们的数据进行交易或通过其货币化的机会。
• 尽管PDS可能可以在某种程度上增强用户的权限，但它们会引起有关通用数据保护条例（GDPR）规定的职责的有趣考虑和不确定性。更具体地说，尚不清楚PDS生态系统涉及的主要各方之间的责任分配。此外，PDS的技术架构似乎限制了某些合法的处理依据，而某些人提出的识别某些特殊类别的个人数据的技术手段可能仍然是理论上的。
• 我们针对GDPR规定的一些关键义务，探讨了PDS的考虑因素，不确定性和局限性。随着PDS技术的不断发展和扩散，有可能为集中式数据处理方法提供替代方案，我们将确定需要监管机构，PDS平台提供商和技术人员考虑的问题。