The GDPR requires identifying the data controller. Article 4(7) of the GDPR provides that the data controller is the person or entity that determines the purposes and means of the data processing.
When an entity decides to rely on a blockchain as opposed to another centralized database, it has decided on the means of processing personal data and qualifies as a data controller.
It is worth noting that the identification of the data controller is crucial even if the processing of the data is carried out illegally. This means that even when data processing takes place in a context that is illegal, the entity that controls the data processing in this context remains the data controller and must comply with the relevant obligations.
In data processing there are often multiple controllers, each responsible for its own compliance with the GDPR. This is also often the case with the operation of a distributed database such as a blockchain, in which many participants can contribute to determining the purposes and means of data processing.
Data Control in Private Blockchain Networks
In private blockchain networks, there is a defined legal entity (such as a company) that determines the means and in many cases the purposes of data processing. In this case, this entity is characterized as a data controller. However, there may be joint controllers in such cases. Those who use such infrastructure for their own purposes are also joint controllers.
When a team decides collectively to use a blockchain application for its own purposes, the data controller should be designated from the outset. When different entities are joint controllers, they should conclude an agreement defining the respective responsibilities, identifying the entity that data subjects must contact to enforce their rights, and providing a contract for data protection authorities.
Data Control in Public Blockchain Networks
When a data category is directly related to the infrastructure level of the blockchain, it becomes necessary to determine controllership at the infrastructure level. It is important to note that the identity of the data controller depends on the perspective adopted. From a macroeconomic point of view, the purpose of the processing is to provide the relevant service, while the means are related to the software used by the nodes and the miners. At the microeconomic level, the purpose of the processing is to record a specific transaction in a blockchain, while the means refers to the choice of platform. The microeconomic level is the most appropriate approach, as data protection law deals with specific personal data elements.
Given this, the following is an analysis of which participants in a public blockchain may be classified as data controllers.
Of all the participants who use or contribute to the creation and maintenance of the software, developers are the least likely to be classified as data controllers. The developers have a role to play in designing the relevant software as they suggest updates. However, they do not decide whether or not these updates will be adopted. Thus, their influence on the means is limited. Software updates are based on the relevant governance structure of each blockchain in which decisions are made by miners, nodes, or other entities such as asset owners. As a result, developers have a limited role in defining the means of processing and generally have no influence on the purposes of data processing. Therefore, developers are unlikely to be classified as data controllers under the GDPR.
As proof of work is the consensus protocol that allows new data to be added to a blockchain, miners are responsible for adding such information. Miners are nodes that add transactions to new blocks and transmit them to the network according to the consensus algorithm. In exchange for their contribution to the network, they are rewarded with cryptocurrencies and may also receive mining fees for transactions.
Miners execute the consensus protocol and can therefore add data to the public ledger. However, there is a debate as to whether their influence is such as to determine the purposes and means of the processing. Miners exercise considerable control over the means when choosing the version of the protocol to be executed. However, miners do not specify the means and purpose of a particular transaction, so they are unlikely to be designated as data controllers.
Nodes are computers that store a complete or partial copy of a blockchain and participate in the validation of new blocks. Once a miner detects a valid hash for a block, it passes it to other nodes, which then perform a calculation to verify that the hash is valid. When they manage to verify it, they add the new block to their own local copy of the public ledger. In this way, the nodes check if the transactions have the correct digital format and the necessary signatures. The nodes also check if the input items have been spent beforehand, to avoid the problem of double-spending.
Each node that creates a transaction, or that stores a transaction in its local copy of the public ledger, should be considered a data controller, since in doing so it pursues its own purpose, namely its participation in the network. In this way, the node records and stores data and can freely use the data entered in its node.
Users, who can be natural or legal persons, sign and submit transactions to the network. It has been suggested that users should be considered as data processors when a transaction takes place directly from the user. The blockchain network architecture means that only the users who make the transaction can specify the purposes and means of data processing. This is because the user directly installs the client software that connects to the network and sends transactions to other nodes. The client software can also be used to hold the private key.
Users can be data controllers where they determine the purposes of the processing, while also defining the means by using a specific blockchain to execute their transactions.