Blockchains present new challenges for data protection under the GDPR. The document discusses how different actors on blockchains may be considered data controllers or processors under the GDPR, including miners, developers, third parties, nodes, and users. It notes that determining roles is complex, as actors have less individual control than in traditional systems. Developers set processing rules but are bound by consensus. Miners only validate data. Nodes follow consensus rules. Users control their own data but all share common processing rules. The document concludes that analyzing specific blockchains and use cases is needed, and the GDPR may need rethinking to account for distributed control and individual user responsibility in blockchains.

1. Distributed Data Protection and Liability on
Blockchains
Alexandra Giannopoulou and Valeria Ferrari
Blockchain and Society Policy Lab
Institute for Information Law (IViR)
University of Amsterdam
@alex_giann
@ferrari_bv
Blockchain for Science, Research and Knowledge creation
Berlin, 5-6 November 2018

2. Blockchain appears as a new and
decentralized paradigm for data
storage and management
GDPR is built for a world where
data is centrally collected,
stored & processed
Preliminary remarks
Is there a conceptual incompatibility with GDPR?
How does the GDPR apply to blockchains?

3. Preliminary remarks
Factors determining control and data processing on the blockchain:
 Architecture of the technical infrastructure at various layers of
its stack
 Activity of different actors in the blockchain governance
When and if the processing involves personal data then:
The combination of these attributes will determine the legal
qualification of the role of the actors as well as their legal
liability.

4. Which data do we store on the blockchain?
• Plain text data
• Transactional data

5. Which data do we store on the blockchain?
• Plain text data
Some plain text data is necessary BUT
in principle you probably don’t use it much
• Transactional data

6. Which data do we store on the blockchain?
• Plain text data
Some plain text data is necessary BUT
in principle you probably don’t use it much
• Transactional data
Metadata
Encrypted personal data
Hashed personal data

7. Anonymous data are not personal data according to the GDPR
What does the law say?

8. Anonymous data are not personal data according to the GDPR
BUT
Pseudonymous data are personal data subject to GDPR
What does the law say?

9. Definitions matter

10. What’s the difference?
Definitions matter
Anonymous data ≠ Pseudonymous data

11. What’s the difference?
Definitions matter
Anonymous data ≠ Pseudonymous data
information which does not relate to an
identified or identifiable natural person
or to personal data rendered anonymous
in such a manner that the data subject is
not or no longer identifiable.
personal data that can no longer be
attributed to a specific data subject
without the use of additional
information, provided that such
additional information is kept separately
and is subject to technical and
organizational measures to ensure that
the personal data are not attributed to
an identified or identifiable natural
person

12. What does that mean for the blockchain data?

13. What does that mean for the blockchain data?
Article 29 WP on anonymisation :
processing personal data in order to irreversibly prevent
identification
• Hashing ?
• Asymmetric cryptography?
NO

14. What does that mean for the blockchain data?
Data qualified as personal data are essential to the functioning of the
blockchain
Identification of irreversibly anonymous data and the respective processes that
produce them in the blockchain environment

15. Solutions ?
Technical solutions
Legal solutions

16. Solutions ?
Technical solutions
Legal solutions
• Store data off-chain
Is it possible for all types of personal data?

17. Solutions ?
Technical solutions
Legal solutions
• Store data off-chain
Is it possible for all types of personal data?
• Use privacy enhancing technologies
Which ones?
Are we going to standardize them?

18. Solutions ?
Technical solutions
Legal solutions
• Store data off-chain
Is it possible for all types of personal data?
• Use privacy enhancing technologies
Which ones?
Are we going to standardize them?
Data qualified as personal data are essential to the functioning of the
blockchain

19. Solutions ?
Technical solutions
Legal solutions
• Store data off-chain
Is it possible for all types of personal data?
• Use privacy enhancing technologies
Which ones?
Are we going to standardize them?
Data qualified as personal data are essential to the functioning of the
blockchain
Adopt the law to the blockchain standards?

20. Consequences
If the law accepts some technological standards for anonymization:
Can users turn to developers on the grounds of data minimization for not
using a more privacy-appropriate technology? How about enforcement of
user rights?
If the data is stored forever on the blockchain, do anonymous data become
pseudonymous after a process of technological evolution?

21. Blockchain actors and
GDPR compliance

22. Subjects of GDPR obligations
(art. 4)
DATA CONTROLLER
“determines the purposes and means of the
processing of personal data”
DATA PROCESSOR
“processes personal data on behalf of the
controller”

23. Actors of a blockchain network
NODES

24. Actors of a blockchain network
NODES
MINERS

25. Actors of a blockchain network
NODES
MINERS
DEVELOPERS

26. Actors of a blockchain network
NODES
MINERS
DEVELOPERS
THIRD
PARTIES

27. MINERS
VERIFY TRANSACTIONS AND ADD BLOCKS

28. MINERS
VERIFY TRANSACTIONS AND ADD BLOCKS
• CONTROLLERS?

29. MINERS
VERIFY TRANSACTIONS AND ADD BLOCKS
• CONTROLLERS?
They only validate submitted data, not determining means and
purposes of processing

30. MINERS
VERIFY TRANSACTIONS AND ADD BLOCKS
• CONTROLLERS?
They only validate submitted data, not determining means and
purposes of processing
• PROCESSORS?

31. MINERS
VERIFY TRANSACTIONS AND ADD BLOCKS
• CONTROLLERS?
They only validate submitted data, not determining means and
purposes of processing
• PROCESSORS?
May be! (this is the opinion of the CNIL)

32. DEVELOPERS
DEFINE HOW DATA IS PROCESSED BY
WAY OF THE PROTOCOL

33. DEVELOPERS
DEFINE HOW DATA IS PROCESSED BY
WAY OF THE PROTOCOL
• CONTROLLERS?

34. DEVELOPERS
DEFINE HOW DATA IS PROCESSED BY
WAY OF THE PROTOCOL
• CONTROLLERS?
They may considered to determine the means and
purposes of processing. But…

35. DEVELOPERS
DEFINE HOW DATA IS PROCESSED
BY WAY OF THE PROTOCOL
• CONTROLLERS?
They may considered to determine the means
and purposes of processing. But…
they are bound to the consensus and to
technological requirements: they don’t
determine the means and purpose of processing
autonomously

36. DEVELOPERS
DEFINE HOW DATA IS PROCESSED BY WAY
OF THE PROTOCOL
• CONTROLLERS?
They may considered to determine the means and
purposes of processing. But…
• they are bound to the consensus and to technological
requirements: they don’t determine the means and
purpose of processing autonomously
• …should, then, all open source software developers be
liable under the GDPR?

37. THIRD PARTIES
PROCESS AND ANALYZE BLOCKCHAIN
DATA FOR COMMERCIAL PURPOSES

38. THIRD PARTIES
PROCESS AND ANALYZE BLOCKCHAIN DATA
FOR COMMERCIAL PURPOSES
• May qualify as data controllers for the data they
request from users

39. THIRD PARTIES
PROCESS AND ANALYZE BLOCKCHAIN DATA FOR
COMMERCIAL PURPOSES
• May qualify as data controllers for the data they request
from users
• Most of the data they are responsible for will be off-chain

40. THIRD PARTIES
PROCESS AND ANALYZE BLOCKCHAIN DATA FOR
COMMERCIAL PURPOSES
• May qualify as data controllers for the data they request
from users
• Most of the data they are responsible for will be off-chain
• If responsible for on-chain data: who can they identify as
data processor?

41. (FULL) NODES
DOWNLOAD BLOCKS AND TRANSACTIONS
AND VERIFY THEM AGAINST CONSENSUS
RULES

42. (FULL) NODES
DOWNLOAD BLOCKS AND TRANSACTIONS
AND VERIFY THEM AGAINST CONSENSUS
RULES
• JOINT CONTROLLERS?

43. (FULL) NODES
DOWNLOAD BLOCKS AND TRANSACTIONS
AND VERIFY THEM AGAINST CONSENSUS
RULES
• JOINT CONTROLLERS?
No joint determination. The system is shaped by nodes’
individual behaviors (Fink, 2017).

44. (FULL) NODES
DOWNLOAD BLOCKS AND TRANSACTIONS
AND VERIFY THEM AGAINST CONSENSUS
RULES
• JOINT CONTROLLERS?
No joint determination. The system is shaped by nodes’
individual behaviors (Fink, 2017).
• EACH OF THEM INDIVIDUAL CONTROLLER?

45. (FULL) NODES
DOWNLOAD BLOCKS AND TRANSACTIONS
AND VERIFY THEM AGAINST CONSENSUS
RULES
• JOINT CONTROLLERS?
No joint determination. The system is shaped by nodes’
individual behaviors (Fink, 2017).
• EACH OF THEM INDIVIDUAL CONTROLLER?
They are subject to the system rules designed by developers

46. (FULL) NODES
DOWNLOAD BLOCKS AND TRANSACTIONS AND
VERIFY THEM AGAINST CONSENSUS RULES
• JOINT CONTROLLERS?
No joint determination. The system is shaped by nodes’
individual behaviors (Fink, 2017).
• EACH OF THEM INDIVIDUAL CONTROLLER?
They are subject to the system rules designed by developers
No individual ability to influence the consensus rules or modify
the ledger

47. USERS
BOTH DATA SUBJECTS AND CONTROLLERS?

48. USERS
BOTH DATA SUBJECTS AND CONTROLLERS?
– Data subjects have control over their data through their
private key

49. USERS
BOTH DATA SUBJECTS AND CONTROLLERS?
– Data subjects have control over their data through their
private key
– all users share the same information and are subject to
common, consensus-based, processing rules

50. USERS
BOTH DATA SUBJECTS AND CONTROLLERS?
– Data subjects have control over their data through their
private key
– all users share the same information and are subject to
common, consensus-based, processing rules
– everyone is entitled to become an active participant in the
storage and processing mechanism set out by the
blockchain protocol

51. Conclusions:
• Need to look at specific governance structure of a
given blockchain, and specific use cases
• The GDPR principle of controllership could be re-
thought in consideration of the greatest responsibility
which is granted to individuals users of BC
infrastructures, and of the decentralization of data
processing in BC networks

52. THANK YOU