Are Blockchain companies capable of being Data Controllers under the GDPR?
A Data Controller in the GDPR is defined as the natural or legal person which, ‘alone or jointly with others, determines the purposes and means of the processing of personal data’. This means that a Data Controller is the person or company that decides why that data is processed and how.
The GDPR was envisaged in light of a centralised world where a typical Data Controller would be something like a retail company. Take ASOS as an example. By giving them your data, ASOS would be deciding what to do with that data i.e. sending you an email to confirm your purchase, sending you the items to your house by courier to fulfill their contractual obligation and tracking your preferences on their platform next time you use their app to go shopping so that they can offer you a better experience. In this example, ASOS are a typical Data Controller as they have full control over what and how your data is processed. If you ask ASOS to delete your data, then they can do that quite simply by going into their CRM and other databases and deleting all the data they hold about you.
Now take an example of a blockchain company. A blockchain company will usually be an application that sits on top of the blockchain protocol. Once your data goes through the application and onto the chain, the blockchain company that enabled you to put that data onto the chain, is no longer in control of that data. Anything that happens with that data shall be your decision and can be effected through the use of your private key.
If by virtue of putting data on the blockchain, the blockchain company no longer has control of the data since it is decentralised, then how can the blockchain company be said to be determining the purpose of the processing of that data?
Take the Royal Mail as an example. If a company wants to send a letter containing personal data to another person and they use a post-box which belongs to the Royal Mail to achieve that, the Royal Mail can under no circumstances be considered to be the Data Controller even though it has provided you with the means by which to transmit that data. Although the letter might be the responsibility of the Royal Mail during its transmission, once that data is out of the Royal Mail’s hands, the Royal Mail has no more responsibility for that data. I see blockchain companies like mail-boxes. They enable you with their infrastructure to transmit your data onto the blockchain, but what happens to that data thereafter, is not their responsibility.
This of course does not apply to the blockchain company’s application feature where they may be collecting data to send out newsletters etc as this would mean that the blockchain company is now behaving like a centralised entity to which GDPR clearly applies.
This position then raises the question, if the blockchain company isn’t the data controller, then who is? The answer to that might perhaps be that it is the Data Subject themselves. They control what happens to their data and who it’s shared with through their private key. Of course, conceptual issues arise with this position since the GDPR sets out two distinct roles, one for the data subject and one for the controller so if the two are merged, the regulation is diluted or obscured in some way. Further legal issues arise when a private key is stolen or compromised but I’ll leave that for another time.
In conclusion, it would seem that the GDPR is already antiquated and creates huge conflict when it comes to defining roles for those that want to us technologies like blockchain or IPFS. If a blockchain company were to take the position that I am suggesting above, then that would be a risk because at the moment, we have no case law or legal guidance as to how this would be played out in practice. I think it’s a matter of having to wait and see how this will pan out in real life and in the meantime, let’s make as much noise as possible about it and hope to get some attention to this space.