Blockchain technology, a form of distributed ledger technology, has come to prominence since the creation of Bitcoin back in 2009. As further use cases beyond crypto-assets have come to the fore, there has been growing concern that there may be some fundamental incompatibility between blockchain technology and obligations under data protection law. However, this is an overly simplistic view, particularly where blockchain technology is a class of technology and no two blockchains are the same. As noted in the EU Blockchain Observatory and Forum’s report in October 2018, General Data Protection Regulation (“GDPR”) compliance is not about the technology, it is about how the technology is used. There is no such thing as a GDPR-compliant blockchain technology, only GDPR-compliant use cases and applications.
The recent European Parliament’s study “Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law” (the “Study”) in July 2019 states there are many tensions between the GDPR and blockchain technology, but they are due to two overarching factors:
- The first is that the GDPR requires an identifiable controller against whom data subjects can enforce their legal rights under EU data protection law. The decentralised nature of many blockchains replaces a single actor with many players. This along with the lack of consensus on how (joint-) controllership should be defined can make it difficult to allocate responsibility and accountability.
- Second, the GDPR requires that data can be modified or erased where necessary to comply with legal requirements. Blockchains tend to be immutable, or are at the very least onerous to unilaterally modify data, so as to ensure data integrity and create trust in the network. Personal data that is stored “on-chain” is unlikely to adhere to the principals of data minimisation and purpose limitation. However, new and improving pruning techniques may help solve this problem as this process allows for data to be removed from blockchains when it is no longer wanted. Best practice is to store all personal data “off-chain” which can then be linked back to the ledger by a hash. Whether this hash (which cannot be deleted from the ledger) constitutes personal data is still unclear. The Study seeks regulatory guidance to answer this question.
Below we focus in on the Study’s commentary regarding the identification of a (joint-) controller for blockchain-enabled processing of personal data. While the Study makes reference to possible changes depending on the outcome of the Fashion ID case (as the study was published pre judgment), we think its opinion is unlikely to have changed in light of publication of that judgment.
Who or what is a Controller?
The controller is the entity which determines the purposes and means of processing of personal data and is responsible for complying with the obligations arising under the GDPR. This includes responsibility for maintaining a record of processing activities and providing the data subject with information, including its identity and contact details. As highlighted in the Study, the relevant controller must be pinpointed in relation to each personal data processing operation. In Fashion ID, the Court of Justice of the European Union (the “CJEU”) once again reiterated that there should be a broad interpretation of the concept of ‘controller’, as this ensures the effective and complete protection of data subjects.
Article 26 of the GDPR sets out that joint-controllership is “[w]here two or more controllers jointly determine the purposes and means of processing”. Article 26 goes on further to state that the joint-controllers must have an arrangement between them and that a data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers. The Study refers to the CJEU’s judgment in Wirtschaftsakademie Schleswig-Holstein, where the court emphasised the importance of taking up a broad interpretation of joint-controllership to ensure the effective and complete protection of data subjects. In Fashion ID the court reiterated that joint responsibility of several actors for the same processing does not require each of them to have access to the personal data concerned. The court went further to state that the existence of joint responsibility does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. The level of liability for theses operators must be assessed in each case, as operators may be involved at different stages of that processing of personal and to different degrees. However, the practical reality of this analysis remains uncertain.
Controllers for Blockchain Applications
The Study states that when assessing who is a controller for blockchain-enabled processing of personal data it is necessary to not only consider who determines the purpose and means of the data processing in that use case, but it is also necessary to examine the governance design of the given blockchain. It further notes that there is little consensus on who should be considered a controller for blockchain-enabled processing and the commentary provided is only of a general nature. Each scenario will have to be assessed on a case-by-case basis.
Blockchains are distributed databases that are designed to be operated by many parties. As such, many actors influence the determination of the means of processing. As indicated by the CJEU’s recent case law, an influence over any purpose of processing may be enough for an actor to qualify as a controller. Therefore, and as noted in the Study, many different entities could potentially qualify as (joint-) controllers when using blockchain technologies. There are many different factors to take into account when assessing who qualifies as a controller. Below are some general pieces the Study considers in relation to identifying the (joint-) controller(s) for blockchain applications:
Application layer – It is possible to have a multi-layered blockchain, which includes an application layer. Where such an application layer exists, it is possible that the legal entity determining the purposes of personal data processing at the application layer qualifies as the controller.
Private Blockchains – In a private distributed ledger there is generally a legal entity that determines the means and often times also the purposes of the personal data processing. This legal entity would qualify as the controller. However other parties, such as those using the distributed ledger infrastructure, may also qualify as joint-controllers.
Public and Permissionless Blockchains:
- Software Developers – The Study considers that software developers are highly unlikely to qualify as data controllers as they usually exercise no influence over the purposes of a specific personal data processing operation and have a limited role in determining the means of processing.
- Nodes – These are the computers that store a full or partial copy of a blockchain and participate in the validation of new blocks. There is no agreement on the matter, but it has been argued by some that nodes are joint-controllers.
- Miners – These entities run the protocol, can add to the blockchain and store a copy of the shared ledger on their computers. While they have significant control over the means of the processing, they have very little control over the purpose and as such, in the view of the Study, they are unlikely to qualify as controllers. This begs the question of whether they are therefore processors, with the practical implications of this being potentially significant. However, the Study does not fully engage with this point.
- Users – It is possible for a user to be the controller of personal data (even in some circumstances where they process data for their own purposes). A natural user may qualify for the household exemption under Article 2 of the GDPR, however, this is unlikely to apply where a public and permissionless blockchain is used as then personal data would be shared with an indefinite amount of people.
There is still little consensus on how participants of a blockchain technology should be construed for data protection purposes. There may be a lot more room for interpretation in relation to how nodes and miners are identified, in particular. However, as noted throughout the Study, each use case is likely to differ from others and will need to be analysed based on its own structures and implementation.
The Study refers to new and on-going technical developments, which while they remain immature and require further development to render them useful for their envisaged purpose, could help solve issues such as scalability or improve governance structures to enable the allocation of responsibility among multiple actors. Some of the technical developments introduced in the Study attempt to overcome the GDPR’s anonymisation threshold, so as to bring the data outside the scope of the GDPR. The techniques described in the Study include zero knowledge proofs, stealth addresses, homomorphic encryption, state channels and ring signatures, the addition of noise etc. Although some of these techniques hold more promise than others, it will likely require a combination of technical developments to fully address all of the GDPR concerns that the Study raises in the context of public blockchains.
The Study concludes by recommending the following:
- Specific regulatory guidance from the European Data Protection Board (the “EDPB”) on blockchain technologies and to also update related Article 29 Working Group guidance that has not been approved by the EDPB;
- Funding to be provided for interdisciplinary research into blockchain technology; and
- Encouragement for codes of conduct and certification mechanism within industries that use blockchain technology.