Smart Contracts and Smart Disclosure: Coding a GDPR Compliance Framework

  • Marcelo CorralesEmail author
  • Paulius Jurčys
  • George Kousiouris
Part of the Perspectives in Law, Business and Innovation book series (PLBI)


This chapter analyses some of the main legal requirements laid down in the new European General Data Protection Regulation (GDPR) with regard to hybrid Cloud Computing transformations. The GDPR imposes several restrictions on the storing, accessing, processing and transferring of personal data. This has generated some concerns with regard to its practicability and flexibility given the dynamic nature of the Internet. The current architecture and technical features of the Cloud do not allow adequate control for end-users. Therefore, in order for the Cloud adopters to be legally compliant, the design of Cloud Computing architectures should include additional automated capabilities and certain nudging techniques to promote better choices. This chapter explains how to fine tune and effectively embed these legal requirements at the earlier stages of the architectural design of the computer code. This automated process focuses on Smart Contracts and Service Level Agreements (SLAs) frameworks, which include selection tools that take an information schema and a pseudo-code that follows a programming logic to process information based on that schema. The pseudo-code is essentially the easiest way to write and design computer code, which can check automatically the legal compliance of the contractual framework. It contains a set of legal questions that have been specifically designed to urge Cloud providers to disclose relevant information and comply with the legal requirements established by the GDPR.


Smart contracts European general data protection regulation (GDPR) Smart disclosures Nudges Service level agreements (SLAs) Unified modeling language (UML) Pseudo-code 



This work has been partially supported by the EU within the 7th Framework Program under contract ICT-257115—OPTIMIS (Optimized Infrastructure Services) project. The authors would also like to thank all the researchers involved in the certification model of the ARTIST (Advanced Software-based Service Provisioning and Migration of Legacy Software) project. Without their technical explanations and support, this chapter would not contain a practical contribution to the state of the art.


  1. Agarwal B, Tayal M, Gupta S (2010) Software engineering and testing. Jones and Bartlett Publishers, Sudbury (MA)Google Scholar
  2. Anderson D (2015) A question of trust. Williams Lea Group, LondonGoogle Scholar
  3. Asharaf S, Adarsh S (2017) Decentralized computing using blockchain technologies and smart contracts: emerging research and opportunities. IGI Global, Hershey PAGoogle Scholar
  4. Balasubramanyam S (2013) Cloud-based development using classic life cycle model. In: Mahmood Z, Saeed S (eds) Software engineering frameworks for the cloud computing paradigm. Springer, LondonGoogle Scholar
  5. Bar-Gill O (2012) Seduction by contract: law, economics, and psychology in consumer markets. Oxford University Press, OxfordCrossRefGoogle Scholar
  6. Barlow R-J, Barnett A-R (1998) Computing for scientists: principles of programming with Fortran 90 and C++. Wiley, ChichesterGoogle Scholar
  7. Barnitzke B et al (2011) Legal restraints and security requirements on personal data and their technical implementation in clouds. In: Workshop for E-contracting for clouds. eChallenges. Accessed 1 Sept 2016
  8. Ben-Porath S (2010) Tough choices: structural paternalism and the landscape of choice. Princeton University Press, PrincetonGoogle Scholar
  9. Bernheim R et al (2015) Essentials of public health ethics. Jones and Bartlett Learning, Burlington (MA)Google Scholar
  10. Blanc I, Vento C (2007) Performing with microsoft office 2007: Introductory. Cengage Learning, BostonGoogle Scholar
  11. Bragg S (2006) Outsourcing: A guide to selecting the correct business unit, negotiating the contract, maintaining control of the process, 2nd edn. Wiley, HobokenGoogle Scholar
  12. Briggs P, Jeske D, Coventry L (2016) Behavior change interventions for cybersecurity. In: Little L, Sillence E, Joinson A (eds) Behavior change research and theory: psychological and technological perspectives. Academic Press, AmsterdamGoogle Scholar
  13. Brooks D (1997) Problem solving with Fortram 90: for scientists and engineers. Springer, New YorkCrossRefGoogle Scholar
  14. Busch C (2016) The future of pre-contractual information duties: from behavioral insights to big data. In: Twigg-Flesner C (ed) Research handbook on EU consumer and contract law. Edward Elgar Publishing, CheltenhamGoogle Scholar
  15. Caelli W, Longley D, Shain M (1989) Information security for managers. Stockton Press, New YorkCrossRefGoogle Scholar
  16. Cahn N (2013) The new kinship: constructing donor-conceived families. New York University Press, New YorkCrossRefGoogle Scholar
  17. Carnevale C (2017) Future of the CIO: towards an enterpreneurial role. In: Bongiorno G, Rizzo D, Vaia G (eds) CIOs and the digital transformation: a new leadership role. Springer, ChamGoogle Scholar
  18. Carpenter R (2010) Walking from cloud to cloud: the portability issue in cloud computing. Wash J Law Technol Arts 6(1):1–14Google Scholar
  19. Carstensen J, Morgenthal J, Golden B (2012) Cloud computing: assessing the risks. IT Governance Publishing, CambridgeshireGoogle Scholar
  20. Cavoukian A (2015) Evolving FIPPs: proactive approaches to privacy, not privacy paternalism. In: Gutwirth S, Leenes R, de Hert P (eds) Reforming European data protection law. Springer, DordrechtGoogle Scholar
  21. Chulani I et al (2012) Technical implementation of legal requirements, exploitation of the toolkit in use cases and component licenses, p 23, Cloud Legal Guidelines, OPTIMIS Deliverable Accessed 10 Oct 2017.
  22. Corrales M, Jurčys P (2016) Cass Sunstein, Why nudge: the politics of libertarian paternalism, New Haven/London: Yale University Press, 2014, 208 pp, pb, £10.99. Modern Law Rev 79(3):533–536Google Scholar
  23. Cwalina W, Falkwoski A, Newman B (2015) Persuasion in the political context: opportunities and threats. In: Stewart D (ed) The handbook of persuasion and social marketing, vol 1: Historical and social foundations. Praeger, Santa Barbara (CA)Google Scholar
  24. D’Aquisto et al. (2015) Privacy by design in big data: an overview of privacy enhancing technologies in the era of big data analytics. European Union Agency for Network and Information Security (ENISA)Google Scholar
  25. Debbabi M et al (2010) Verification and validation in systems engineering: assessing UML/SysML design models. Springer, BerlinCrossRefGoogle Scholar
  26. Detels R, Gulliford M (2015) Oxford textbook of global public health, 6th edn, vol 1. Oxford University Press, OxfordGoogle Scholar
  27. Diamond P, Vartiainen H (2007) Behavioral economics and its applications. Princeton University Press, PrincetonGoogle Scholar
  28. Ford W (2015) Numerical linear algebra with applications: using MARLAB. Elsevier, AmsterdamGoogle Scholar
  29. Forgó N, Nwankwo I, Pfeiffenbring J (2013) Cloud legal guidelines final report, Deliverable OPTIMIS European funded projectGoogle Scholar
  30. Fung A, Graham M, Weil D (2007) Full disclosure: the perils and promise of transparency. Cambridge University Press, CambridgeCrossRefGoogle Scholar
  31. Galis A (2000) Multi-domain communication management systems. CRC Press, Boca RatónGoogle Scholar
  32. Gjermundrød H, Dionysiou I, Costa K (2016) privacyTracker: A Privacy-by-Design GDPR-compliant framework with verifiable data traceability controls. In: Casteleyn S, Dolog P, Pautasso C (eds) Current trends in web engineering. ICWE 2016 international workshops DUI, TELERISE, SoWeMine, and Liquid Web, Lugano Switzerland, 6–9 June 2016, Revised Selected Papers. Springer, ChamCrossRefGoogle Scholar
  33. Goodman M (2015) Future crimes: inside the digital underground and the battle for our connected world. Transworld Publishers (Bantam Press), LondonGoogle Scholar
  34. Gries D, Gries P (2005) Multimedia introduction to programming using Java. Springer, New YorkGoogle Scholar
  35. Griggs S (2013) 5 Hidden problems with cloud SLAs. Accessed 10 May 2017
  36. Grynbaum M, Taylor K (2012) Bloomberg defends grading system derided by restaurateurs, The New York Times. Accessed 10 May 2017
  37. Hamilton D, Zufiaurre B (2014) Blackboards and bootstraps: revisioning education and schooling. Sense Publishers, RotterdamCrossRefGoogle Scholar
  38. Hennicker R, Koch N (2001) Modeling the user interface of web applications with UML. In: Evans A et al (eds) Practical UML-based rigorous development methods—countering or integrating the eXtremists, Workshop of the pUML-Group held together with UML 2001, Toronto, Canada. GI, Gesselschaft für Informatik, BonnGoogle Scholar
  39. Heshmat S (2015) Addiction: a behavioral economic perspective. Routledge, New YorkCrossRefGoogle Scholar
  40. Hijmans H (2016) The European union as guardian of internet privacy: the story of art. 16 TFEU. Springer, ChamGoogle Scholar
  41. Ho D (2012) Fudging the nudge: information disclosure and restaurant grading. Yale Law J 122(3):574–688Google Scholar
  42. Hogan J (2017) Lawyers learning to code? To do or not to do, that is the question! Accessed 10 Oct 2017
  43. Horrigan J (2008) Use of cloud computing applications and services. Accessed 10 Oct 2017
  44. Hossain S (2013) Cloud computing terms, definitions and taxonomy. In: Bento A, Aggarwal A (eds) Cloud computing service and deployment models: layers and management. Business Science Reference (IGI Global), Hershey (PA)Google Scholar
  45. Howard A (2012) What is smart disclosure? “Choice engines” are helping consumers make smarter decisions through personal and government data. Accessed 10 May 2017
  46. Hustinx P (2010) Privacy by design: delivering the promises. Identity Inf Soc 3(2):253–255CrossRefGoogle Scholar
  47. ISRD Group (2007) Structured system analysis and design. Tata McGraw-Hill Publishing, New DelhiGoogle Scholar
  48. ITL Education Solutions (2006) Introduction to information technology. Dorling Kindersley, New DelhiGoogle Scholar
  49. John P et al (2013) Nudge, nudge, think, think: experimenting with ways to change civic behavior. Bloomsbury, LondonGoogle Scholar
  50. Jolls C (2010) Behavioral economics and the law. Found Trends Microecon 6(3):176–263CrossRefGoogle Scholar
  51. Kamthane A, Kamal R (2012) Computer programming and IT. ITL Education Solutions Ltd., New DelhiGoogle Scholar
  52. Kimball G (2010) Outsourcing agreements: a practical guide. Oxford University Press, OxfordGoogle Scholar
  53. King A, Squillante M (2005) Service level agreements for web hosting systems. In: Labbi A (ed) Handbook of integrated risk management for e-business: measuring, modeling, and managing risk. J. Ross Publishing, Boca RatónGoogle Scholar
  54. Kost de Sevres N (2016) The blockchain revolution, smart contracts and financial transactions. Accessed 10 Oct 2017
  55. Kousiouris G, Vafiadis G, Corrales M (2013) A cloud provider description schema for meeting legal requirements in cloud federation scenarios. In: Douligeris et al (eds) Collaborative, trusted and privacy-aware e/m-services. Proceedings of 12th IFIP WG 6.11 conference on e-business, e-services, and e-society, I3E 2013, Athens, Greece. Springer, HeidelbergGoogle Scholar
  56. La Fors-Owezynik K (2017) Profiling ‘Anomalies’ and the anomalies of profiling: digitilized risk assessments of Dutch youth and the new European data protection regime. In: Adams S, Purtova N, Leenes N (eds) Under observation: the interplay between ehealth and surveillance. Springer, ChamGoogle Scholar
  57. Leitzel J (2015) Concepts in law and economics: a guide for the curious. Oxford University Press, OxfordCrossRefGoogle Scholar
  58. Lessig (2001) The Future of ideas, 1st edn. Random House, New YorkGoogle Scholar
  59. Lessig L (2006) Code. Version 2.0. Basic books, New YorkGoogle Scholar
  60. Lindahl T, Stikvoort B (2015) Nudging—The new black in environmental policy? Tryckt hos ScandBooks, FalunGoogle Scholar
  61. Lindsay D (2014) The right to be forgotten in European data protection law. In: Witzleb N, Lindsay D, Paterson M (eds) Emerging challenges in privacy law. Cambridge University Press, CambridgeGoogle Scholar
  62. Lindstrom M (2011) Brandwashed: tricks companies use to manipulate our minds and persuade us to buy, 1st edn. Crown Business, New YorkGoogle Scholar
  63. Lori A (2012) I know who you are and i saw what you did: social networks and the death of privacy. Free Press, New YorkGoogle Scholar
  64. Luzak J (2010) One click could save your soul, recent developments in European consumer law. Accessed 10 Dec 2016
  65. Lynskey O (2015) The foundations of EU data protection law. Oxford University Press, OxfordGoogle Scholar
  66. Marc et al. (2015) Indexing publicly available health data with medical subject headings (MeSH): an evaluation of term coverage. In: Sarkar I, Georgiou A, Mazzoncini de Azevedo Marques, P (2015) MEDINFO 2015: eHealth-enabled Health, Proceedings of the 15th World congress on health and biomedical informatics. IOS Press, AmsterdamGoogle Scholar
  67. Mc Nealy J, Flowers A (2015) Privacy law and regulation: technologies, implications and solutions. In: Zeadally S, Badra M (eds) Privacy in a digital, networked world: technologies, implications and solutions. Springer, ChamGoogle Scholar
  68. Millham R (2012) Software asset re-use: migration of data-intense legacy system to the cloud computing paradigm. In: Yang H, Liu X (eds) Software reuse in the emerging cloud computing era. Information Science Reference (IGI Global), HersheyGoogle Scholar
  69. Molinaro V (2016) The leadership contract: the fine print to becoming an accountable leader. Wiley, HobokenGoogle Scholar
  70. Morabito V (2017) Business Innovation Through Blockchain: The B3 Perspective. Springer, ChamCrossRefGoogle Scholar
  71. Moskowitz S (2017) Cybercrime and business: strategies for global corporate security. Elsevier, OxfordCrossRefGoogle Scholar
  72. Mougayar W (2015) Understanding the blockchain: we must be prepared for the blockchain’s promise to become a new development environment. Accessed 10 Jan 2019
  73. Muresan G (2009) An integrated approach to interaction design and log analysis. In: Jansen B, Spink A, Taksa I (eds) Handbook of research on web log analysis. Information Science Reference (IGI Global), HersheyGoogle Scholar
  74. Müthlein T (ed) (2017) Datenschutz-Grundverordnung—general data protection regulation. Datakontext, FrechenGoogle Scholar
  75. Myler H (1998) Fundamentals of engineering programming with C and Fortram. Cambridge University Press, CambridgeCrossRefGoogle Scholar
  76. Naughton J, Dredge S (2011) Cloud computing: the lowdown. Accessed 10 Oct 2017
  77. Olislaegers S (2012) Early lessons learned in the ENDORSE project: legal challenges and possibilities in developing data protection compliance software. In: Camenish J et al (eds) Privacy and identity management for life. Springer, HeidelbergGoogle Scholar
  78. Oveergaard G (1999) A formal approach to collaborations in the unified modeling language. In: France R, Rumpe B (eds) Proceedings of the second international conference on UML’99—The unified modeling language: beyond the standard for collins, CO, USA, 28–30 Oct. Springer, BerlinGoogle Scholar
  79. Patel N (2005) Critical systems analysis and design: a personal framework approach. Routledge, New YorkCrossRefGoogle Scholar
  80. Pearson S, Charlesworth A (2009) Accountability as a way forward for privacy protection in the cloud. In: Jaatun M, Zhao G and Rong C (eds) Proceedings of 1st international conference on cloud computing, CloudCom 2009, Beijing, China, December 2009. Springer, BerlinGoogle Scholar
  81. Post D (2009) In search of Jefferson’s Moose: notes on the state of cyberspace. Oxford University Press, OxfordGoogle Scholar
  82. Quelle C (2016) Not just user control in the general data protection regulation: on the problems with choice and paternalism, and on the point of data protection. In: Lehmann A et al (eds) Privacy and identity management: facing up to next steps. Springer, ChamGoogle Scholar
  83. Quigley M, Stokes E (2015) Nudging and evidence-based policy in Europe: problems of normative legitimacy and effectiveness. In: Alemanno A, Sibony A-L (eds) Nudge and the law: a European perspective, modern studies in European Law. Hart Publishing, OxfordGoogle Scholar
  84. Rosenthal E (2012) I Disclose…Nothing. The New York Times. Accessed 10 Dec 2016
  85. Schweizer M (2016) Nudging and the principle of proportionality. In: Mathis K, Thor A (eds) Nudging—possibilities, limitations and applications in European law and economics. Springer, ChamGoogle Scholar
  86. Sobkow B (2016) Forget me, forget me not—redefining the boundaries of the right to be forgotten to address current problems and areas of criticism. In: Schweichhofer E et al (eds) Privacy technologies and policy, 5th Annual Privacy Forum, APF 2017, Vienna, Austria, 7–8 June 2017, Revised selected papers. Springer, ChamGoogle Scholar
  87. Spindler G, Schmechel P (2016) Personal data and encryption in the European general data protection regulation. JIPITEC 7:163–177Google Scholar
  88. Sunstein C (2000) (ed) behavioral law & economics. Cambridge University Press, CambridgeGoogle Scholar
  89. Sunstein C (2014a) Simpler: the future of government. Simon & Schuster, New YorkGoogle Scholar
  90. Sunstein C (2014b) Why nudge? The politics of libertarian paternalism, Storrs lectures on jurisprudence. Yale University Press, New HavenGoogle Scholar
  91. Sunstein C (2015) Choosing not to choose: understanding the value of choice. Oxford University Press, OxfordGoogle Scholar
  92. Svantesson D (2013) Extraterritoriality in data privacy law. Ex Tuto Publishing, CopenhagenGoogle Scholar
  93. Svirskas B (2004) Dynamic management of business service quality in collaborative commerce systems. In: Mendes M, Suomi R, Passos C (eds) Digital communities in a networked society: e-commerce, e-business and e-government. Kluwer Academic Publishers, New YorkGoogle Scholar
  94. Swan M (2015) Blockchain: blueprint for a new economy, 1st edn. O’Reilly, Sebastopol (CA)Google Scholar
  95. Tereszkiewicz P (2016) Neutral third-party counselling as nudge toward safer financial products? In: Mathis K, Tor A (eds) Nudging—possibilities, limitations and applications in European law and economics. Springer, ChamGoogle Scholar
  96. Thaler R (2009) Opting in vs. Opting out, The New York Times. Accessed 20 Dec 2016
  97. Thaler R, Sunstein C (2009) Nudge: improving decisions about health, wealth, and happiness. Penguin Books Ltd., LondonGoogle Scholar
  98. Thouvenin F (2017) Big data of complex networks and data protection law: an introduction to an area of mutual conflict. In: Dehmer M et al (eds) Big Data of Complex Networks. CRC Press, Boca RatónGoogle Scholar
  99. Van Alsenoy B et al (2015) From social media service to advertising network: analysis of Facebook’s revised policies and terms, report, draft version 1.2Google Scholar
  100. Varshney A (2017) Types of blockchain—public, private and permissioned. Accessed 10 Jan 2018
  101. Villaronga F (2018) Legal frame of non-social personal care robots. In: Husty M, Hofbaur M (eds) New trends in medical and service robots: design, analysis and control. Springer, ChamGoogle Scholar
  102. Voigt P, von dem Bussche A (2017) The EU general data protection regulation (GDPR): a practical guide. Springer, ChamCrossRefGoogle Scholar
  103. Wattenhofer R (2016) The science of the blockchain. Inverted Forest Publishing, s. l.Google Scholar
  104. Weale D (2001) The smart guide to excel 2000 further skills: a progressive course for more experienced users. Continuum, LondonGoogle Scholar
  105. Whyte K et al. (2015) Nudge, nudge or shove, shove—the right way for nudges to increase the supply of donated cadaver organs. In: Caplan A, Mc Cartney J, Reid D (eds) Replacement parts: the ethics of procuring and replacing organs in humans. Georgetown University Press, Washington (DC)Google Scholar
  106. Williams G (2007) Online business security systems. Springer, New YorkCrossRefGoogle Scholar
  107. Willis O (2015) Behavioral economics for better decisions, Thaler Accessed 25 June 2015
  108. Wisman T (2017) Privacy, data protection and e-commerce. In: Lodder A, Murray A (eds) EU regulation of e-commerce. Edward Elgar Publishing, CheltenhamGoogle Scholar
  109. Zamir E, Teichman D (2014) (eds) The Oxford handbook of behavioral economics and the law. Oxford University Press, OxfordGoogle Scholar
  110. Zanfir G (2012) The right to data portability in the context of the EU data protection reform. Int Data Privacy Law 2(3):149–162CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Marcelo Corrales
    • 1
    Email author
  • Paulius Jurčys
    • 2
  • George Kousiouris
    • 3
  1. 1.Institute of European and American StudiesAcademia SinicaTaipeiTaiwan
  2. 2.Nanomolar, Inc.CaliforniaUSA
  3. 3.Department of Informatics and TelematicsHarokopio University of AthensAthensGreece

Personalised recommendations