Who is the data controller in a blockchain?
In the latest Rzeczpospolita Report on the legal aspects of blockchain and its applications, I briefly discussed the challenges related to applying data protection regulations in this context. It is a complicated issue as it appears that blockchain can potentially challenge the basic assumptions and regulatory approaches provided by the GDPR.
In fact, this problem is not limited just to this regulation. It applies to numerous areas of public law where the provisions identify an entity responsible for a particular activity and place various obligations upon it. Blockchain and related technologies, on the other hand, frequently allow for such entities (particularly ones which play intermediary roles) to be entirely eliminated from economic activities. This leaves the question of who will be subject to these regulations unresolved.
Within the context of personal data protection laws, the key question is: who is the data controller in a blockchain? Under the GDPR definition, a controller is an entity or person that “determines the purposes and means of the processing of personal data.”
Initially, we should differentiate between the various types of entities that are identified in the operation of blockchain applications. In many instances there is no doubt that operators or creators of products which use blockchain will be classified as the ‘controllers’ under GDPR. This might also include organisers and participants in at least some private and consortium networks. It is within this context that the institution of ‘joint controllers’ established in Art. 26 of GDPR may be applicable. However, the most interesting questions arise in analysing public and permissionless blockchains and the entities which maintain these decentralised networks and process transactions (participate in the process of achieving distributed consensus).
In light of the general tendency toward an expansive interpretation of the types of entities which may be classified as data controllers, we seem to be bound to conclude that data controllers do exist within the blockchain context. This view sometimes leads to the conclusion that all network nodes should be identified as data controllers, since all of them store an identical ledger. A plausible alternative option is based on the assumption that the data controller is the node (e.g. a miner in a Proof of Work blockchain) which adds specific personal data to the blockchain (mines a block and adds it to the chain of blocks). The intuitive answer usually holds that a blockchain has at least one controller, but that all entities maintaining the network can potentially be recognised as controllers.
However, can it be said that miners or the entities working to achieve consensus under Proof of Stake methods actually determine the ‘purposes and means of processing of personal data’? Often that is not the case, as they simply mechanically process transactions which fulfil specified criteria. Thus, their role is limited to simply providing the necessary infrastructure and they frequently maintain complete neutrality toward the processed transactions, the parties and contents. Of course, the answer can often be more complex, as in blockchains which use Delegated Proof of Stake consensus mechanisms. Delegated Proof of Stake systems identify a group of selected users who make the final decision to validate (or not) a particular transactions.
This suggests that network nodes should perhaps be considered ‘processors’ or an entity which processes personal data on behalf of the controller. However, such a designation carries the burden of numerous obligations which are impossible to fulfil given the realities of blockchain operations.
In instances of fully decentralised networks where large numbers of nodes function as a distributed infrastructure subordinated to a neutral (automated and non-discretionary) consensus mechanisms it is difficult to identify or meaningfully discuss the institution of a data controller. A simple test to establish whether the legal institution is applicable in this context involves the question whether node operators would be objectively capable of fulfilling the obligations placed on data controllers by the GDPR? There’s much to suggest that they would not.
The implication is that when a network satisfies a set of decentralisation criteria (which would need to be legally specified), its nodes should not be considered potential data controllers for GDPR purposes. Data controllers may still be found among other entities such as the developers and operators of products and services which utilise blockchain technology. This is simply one approach to the Gordian knot issue which has the potential to slow the growth of blockchain technology in the future.
Jacek Czarnecki