Data Control in Blockchain Networks

GDPR aims to identify the data controller. Article 4 paragraph 7 of GDPR does provide that the data controller is the person or entity that determines the purposes and the data processing means.

When an entity decides to rely on a blockchain as opposed to another centralized database, it has decided on the means of processing personal data and qualifies as a data controller.

It is worth noting that the identification of the data controller is crucial even if the processing of the data is carried out illegally. This means that even when data processing takes place in a context that is illegal, the entity that controls the data processing in this context remains the data controller and must comply with the relevant obligations.

It is obvious that in data processing there are often multiple controllers who are responsible for their compliance with the GDPR. This is also often the case with the operation of a distributed database, such as a blockchain in which many participants can contribute to identifying the purposes and means of data processing.

Data Control in Private Blockchain Networks

When a team decides collectively to use a blockchain application
for its own purposes, the data controller should be designated from the outset. When different entities are joint controllers, they should conclude an agreement, defining the respective responsibilities, identifying
the entity to which they must contact to enforce their rights, and provide a contract for data protection authorities

Data Control in Public Blockchain Networks

Given this, the following is an analysis of which participants in a public blockchain may be classified as data controllers.

Developers

Miners

Miners execute the consensus protocol and can therefore add data to the public ledger. However, there is a debate as to whether their influence is such as to determine its aims and means. Miners exercise considerable control over the media when choosing the version of the protocol to be executed. However, miners do not specify the means and purpose of a particular transaction, so it is unlikely that designated as data controllers.

Nodes

Each node that creates a transaction or which stores a transaction in the local copy of the public ledger, should be considered a data controller, considering that in this way it pursues its own purpose which is its participation in the network. In this way, the node records and stores data and can freely use the data entered in its node.

Users

Users can be data controllers where they determine the purposes of the processing, while also defining the means using a specific blockchain to execute their transactions.

Department of Electronics and Computer Science, University of Southampton