The newly implemented General Data Protection Regulation (GDPR) applies to processing of personal data by “Data Controllers” and “Processors”. GDPR defines Controller and Processor as follows:
“‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
“‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
The roles of Data Controller and Processor as defined in the GDPR are quite easy to identify in most centralized businesses. However, when it comes to identifying the roles in a blockchain/distributed ledger, the lines become blurred and the application of GDPR becomes more complex.
Since GDPR is intended to be technology neutral, any entity established in the EU or processing the personal data of data subjects in the EU, regardless of the technology deployed, needs to identify who the Data Controllers are and who the Processors are in order for them to fulfil their respective obligations. One obligation of Data Controllers is to enter into Data Processing Agreements with their Processors. Disregarding this obligation will amount to a violation of the law.
However, as not all decentralized systems work the same way, identifying who is the Data ‘Controller’ and who is the ‘Processor’ requires a closer analysis of the specific technologies and how they are being used. Any business that intends to process the personal data of data subjects in the EU should ideally take the GDPR requirements into consideration in the design phase, before deciding on technology platforms — one of the tenets of GDPR is ‘Privacy by Design’!
Determining who the Data Controller is and who the Processors are will be more challenging for public permissionless systems such as Bitcoin or Ethereum than for private/permissioned systems like Hyperledger Fabric.
The fact that there is no central authority on a public/permissionless blockchain, and that almost anyone can theoretically add personal data in a block, could be interpreted to mean that the user who enters the personal data is the Data Controller and everyone who possesses a copy of the block is a Data Processor.
On the other hand, in the case of a private/permissioned distributed ledger, the entity responsible for operating the ledger may be deemed to be the Data Controller and Processor, depending on the specifics of the implementation.
Some implementations will give rise to challenging questions such as: are miners and other nodes Data Processors? If so, how should Data Controllers enter into processing agreements with a constantly changing list of thousands of nodes distributed around the world?
As far as Data Processing Agreements are concerned, other implementations may be easier to manage because it may not be difficult for the Data Controller to enter into clear processing agreements with a known set of Processors.
Regardless of how easy or challenging this may be, identifying the Data Controller and Processors in the system is crucial to fulfilling legal obligations for all entities that process personal data on the blockchain to avoid the risk of onerous fines!
The truth is that there are no clear answers to many of these questions, yet. As the Data Protection Authorities consider and the courts rule on specific cases, clarity will gradually be achieved. For now, make sure that your Data Protection Officer is engaging with the Data Protection Authorities in the EU jurisdictions where you operate, to ensure that you make the best decisions you can with the limited information available.