22 October 2019
Blockchain technology, a form of distributed ledger technology, has come to prominence since the creation of Bitcoin back in 2009. As further use cases beyond crypto-assets have come to the fore, there has been growing concern that there may be some fundamental incompatibility between blockchain technology and obligations under data protection law. However, this is an overly simplistic view, particularly since blockchain technology is a class of technology and no two blockchains are the same. As noted in the EU Blockchain Observatory and Forum’s report in October 2018, General Data Protection Regulation (‘GDPR’) compliance is not about the technology, it is about how the technology is used. There is no such thing as a GDPR-compliant blockchain technology, only GDPR-compliant use cases and applications.
The recent European Parliament’s study ‘Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law’ (the ‘Study’) in July 2019 states there are many tensions between the GDPR and blockchain technology, but they are due to two overarching factors:
Below we focus on the Study’s commentary regarding the identification of a (joint-) controller for blockchain-enabled processing of personal data. While the Study makes reference to possible changes depending on the outcome of the Fashion ID case (as the Study was published pre-judgment), we think its opinion is unlikely to have changed in light of the publication of that judgment.
Who or what is a controller?
The controller is the entity which determines the purposes and means of processing of personal data and is responsible for complying with the obligations arising under the GDPR. This includes responsibility for maintaining a record of processing activities and providing the data subject with information, including its identity and contact details. As highlighted in the Study, the relevant controller must be pinpointed in relation to each personal data processing operation. In Fashion ID, the Court of Justice of the European Union (the ‘CJEU’) once again reiterated that there should be a broad interpretation of the concept of ‘controller’, as this ensures the effective and complete protection of data subjects.
Article 26 of the GDPR sets out that joint-controllership is ‘[w]here two or more controllers jointly determine the purposes and means of processing’. Article 26 goes on to state that the joint-controllers must have an arrangement between them and that a data subject may exercise his or her rights under the GDPR in respect of and against each of the controllers. The Study refers to the CJEU’s judgment in Wirtschaftsakademie Schleswig-Holstein, where the court emphasised the importance of adopting a broad interpretation of joint-controllership to ensure the effective and complete protection of data subjects. In Fashion ID the court reiterated that joint responsibility of several actors for the same processing does not require each of them to have access to the personal data concerned. The court went further to state that the existence of joint responsibility does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. The level of liability for these operators must be assessed in each case, as operators may be involved at different stages of that processing of personal data and to different degrees. However, the practical reality of this analysis remains uncertain.
Controllers for blockchain applications
The Study states that when assessing who is a controller for blockchain-enabled processing of personal data it is necessary to not only consider who determines the purpose and means of the data processing in that use case, but it is also necessary to examine the governance design of the given blockchain. It further notes that there is little consensus on who should be considered a controller for blockchain-enabled processing and the commentary provided is only of a general nature. Each scenario will have to be assessed on a case-by-case basis.
Blockchains are distributed databases that are designed to be operated by many parties. As such, many actors influence the determination of the means of processing. As indicated by the CJEU’s recent case law, an influence over any purpose of processing may be enough for an actor to qualify as a controller. Therefore, and as noted in the Study, many different entities could potentially qualify as (joint-) controllers when using blockchain technologies. There are many different factors to take into account when assessing who qualifies as a controller. Below are some general pieces the Study considers in relation to identifying the (joint-) controller(s) for blockchain applications:
Application layer – It is possible to have a multi-layered blockchain, which includes an application layer. Where such an application layer exists, it is possible that the legal entity determining the purposes of personal data processing at the application layer qualifies as the controller.
Private blockchains – In a private distributed ledger there is generally a legal entity that determines the means and often also the purposes of the personal data processing. This legal entity would qualify as the controller. However, other parties, such as those using the distributed ledger infrastructure, may also qualify as joint-controllers.
Public and permissionless blockchains:
There is still little consensus on how participants of a blockchain technology should be construed for data protection purposes. There may be a lot more room for interpretation in relation to how nodes and miners are identified, in particular. However, as noted throughout the Study, each use case is likely to differ from others and will need to be analysed based on its own structures and implementation.
The Study refers to new and on-going technical developments which, while they remain immature and require further development to render them useful for their envisaged purpose, could help solve issues such as scalability or improve governance structures to enable the allocation of responsibility among multiple actors. Some of the technical developments introduced in the Study attempt to overcome the GDPR’s anonymisation threshold, so as to bring the data outside the scope of the GDPR. The techniques described in the Study include zero-knowledge proofs, stealth addresses, homomorphic encryption, state channels, ring signatures and the addition of noise. Although some of these techniques hold more promise than others, it will likely require a combination of technical developments to fully address all of the GDPR concerns that the Study raises in the context of public blockchains.
The Study concludes by recommending the following: