Blockchain obviously was not the focus of the people who drafted the GDPR. It simply wasn’t there yet. The GDPR is written with some form of central control in mind, and that is not how blockchain is supposed to work. The consequences of that, and the way Europechain deals with them, are detailed in this blog post.
One can give many rights to a human, but without knowing against whom he or she may invoke them, rights don’t mean anything. Therefore the GDPR introduces the “data controller”: the person to whom people may turn. A GDPR “data controller” basically controls the data. It determines the “what” and “how” of the use of the data. E.g. if a company stores and uses data to communicate with its clients, that company “controls” such use and is the controller. If a controller hires other parties to help with the processing, those hired hands are called “data processors”. “Use”, “store” and many other actions regarding data are called “processing” in the GDPR.
How does this work with blockchain? If a company uses blockchain to run software (dApps) on it, that company is the controller for the data that the dApp processes. Is the blockchain the hired hand, the “data processor”? There is no contract between the dApp and the “blockchain”. The blockchain is not an entity but software run decentrally. The nodes are often not known. The company just launches the dApp. So it is unclear. Yet the blockchain is not a controller: it just performs instructions from the dApp.
And what about the data the blockchain processes without a dApp, such as transferring tokens and storing transactions? The blockchain should be the data controller. But the blockchain is not an entity. Are all the nodes controllers in that event? But they don’t “control”. They just mine. How could they be controllers? Blockchain is made to not have control.
A safe conclusion therefore is that it is impossible for a public permissionless blockchain to establish or even determine the controller and processor. For this reason alone such a blockchain can never be GDPR compliant.
A GDPR compliant public blockchain is possible, but it needs some form of centralization and control. There must be an entity to which people can turn with their questions and demands. This entity also needs to ensure that sensitive personal data are not stored on chain. This entity needs to have enough powers to ensure GDPR compatibility, but not so many that it could tamper with the blockchain’s immutability and threaten the very core of blockchain technology.
There are many blockchains that have central entities involved, often a foundation that decides on e.g. code upgrades, that establishes some sort of conflict resolution, or that decides on funding. It is possible to give that entity enough controlling powers to make it the controller, provided the software and its concrete setup allow for that.
I am, as Chief Legal Officer (CLO), involved with Europechain, a blockchain built on EOS.IO DPOS software. We believe Europechain to be an example of a setup that is compatible in this respect.
As everywhere else, with Europechain the dApps are data controllers. They must conclude a processing agreement with the limited liability company Europechain B.V., which will be the data processor. Before dApps are allowed on chain, they will have to prove that they will not store sensitive data on chain.
Europechain B.V. concludes sub-processor agreements with all the nodes (the block producers). Without concluding a (sub)processor agreement, a party cannot run a dApp or become a node. If there is no dApp (e.g. in the event of token transfers on the base layer), Europechain B.V. is the controller. In that event the nodes are not sub-processors but processors. The agreements are drafted such that they allow for that. The agreements contain dispute resolution mechanisms, so that the powers of Europechain B.V. are kept in check and the nodes can be easily forced to comply with Europechain B.V.’s instructions.
This setup allows for enough control to ensure that people are informed and are able to submit their requests to a competent entity. Further, it provides the contractual infrastructure required under the GDPR. Given that the powers Europechain B.V. has are tailored to its position as a data controller (which is basically to apply the law that is already there), and given that they are kept in check by the dispute resolution system, there is no way Europechain B.V.’s position may endanger the blockchain’s core values.
Europechain’s setup proves it is possible to find the right balance, a balance that is necessary for blockchain to become a mainstream infrastructure.
Amsterdam, 15 September 2019