To better understand the nuances of controllership in relation to blockchain it is worth attempt-ing to apply the GDPR to an existattempt-ing blockchain. For this case study, the Ethereum172 block-chain has been selected to demonstrate the difficulties in determining who a controller is. The Ethereum project was selected due to its size and ability to run applications (or DApps) rather than simply operating as a currency. As a “programmable blockchain”,173 it has significantly more types of participants, which adds substantial complexity to the analysis of controllership.
The different participants in the Ethereum blockchain are analysed below:
3.7.1 Ethereum nodes
It is hard to argue that the nodes in the Ethereum network are to be considered controllers. This is due to the very minor role they play in ensuring the immutability of the Ethereum distributed ledger. They are simply persons who have downloaded the Ethereum node and run it through a client application (such as Go Ethereum’s Geth174 client), thus essentially operating as a storage solution for verification purposes. Whilst there is processing being conducted by a node, they do not have any control over the ‘means or purposes’ of processing.
172 V Buterin, ‘Ethereum Whitepaper’ (2013) Available at: < https://ethereum.org/en/whitepaper/> Accessed on 15th October 2021.
173 Notably, Ethereum, unlike blockchain, has Turing completeness. Stiftung Ethereum, ‘What is Ethereum’ (2021) Available at: <https://ethereum.org/en/what-is-ethereum/> Accessed on 15th October 2021.
174 See <htttps://geth.ethereum.org>
28 3.7.2 Ethereum miners
The top two Ethereum mining pools, ‘Ethermine’ and ‘F2Pool Old’, are respectively responsi-ble for mining 26.8% and 25.3% of Ethereum’s blocks.175 This means that two collective or-ganisations are responsible for 52.1% of the mining of Ethereum’s blocks. Naturally, this is an uncomfortable position with regard to the potential of 51% attacks and the resulting ‘hard-forks’.176 When one considers the position of power these two mining pools have over the net-work, it is clear that some responsibility should be attributed to them. It is noted that this is contrary to the position submitted by CNIL, who argue that miners should not be considered controllers due to their role in validating transactions. However, from a practical regulatory perspective, it is wrong to state that all miners should be absolved of all controllership obliga-tions when there is substantial argument that certain tranches of miners have large sway over the means of processing.
Though the Ethereum network will be shifting to a proof-of-stake consensus mechanism in the future,177 the same arguments for miners will apply to validators operating under the proof-of-stake mechanism. This due to well-resourced staking pools who will still maintain a very strong hold over the de facto governance of the blockchain.
3.7.3 Ethereum Users
As the key users of the Ethereum blockchain it is likely that the Ethereum users group of par-ticipants should be considered controllers. They actively decide when transactions should be made and are often responsible for sharing personal data on the Ethereum network. They have a significant influence over the ‘how’ and ‘why’ of processing when they choose to use the Ethereum network to make a transaction. Moreover, it has been argued in this thesis that the household exemption should not apply to users of a blockchain – this should be considered to also apply to the Ethereum network. The scope of the Ethereum blockchain beyond mere cryp-tocurrency also potentiates a greater volume of more varied personal data being distributed on the distributed ledger.
3.7.4 Ethereum developers
There is a strong argument that the development team working to develop the Ethereum block-chain should be considered controllers under the GDPR. As new software is developed for the
175 According to Ethereum analytics website, Etherscan.io, in the seven days prior to submission of this thesis. See Etherscan, ‘Top 25 Miners by Blocks’ Available at: <https://etherscan.io/stat/miner?range=7&block-type=blocks> Accessed on: 1st December 2021
176 See section 4.1
177 Stiftung Ethereum, ‘Proof-of-Stake’ (3rd November 2021) Available at: <https://ethereum.org/en/develop-ers/docs/consensus-mechanisms/pos/> Accessed on: 14th November 2021
29
Ethereum blockchain, they are in a unique position to proposition new changes to the chain, which are then accepted through the consensus mechanism. The Ethereum Foundation (Stiftung Ethereum) is responsible for the majority of these suggestions proposed to the blockchain and therefore has a substantial power over the rules of the blockchain and how personal data is handled.
3.7.5 Exchanges
Centralised exchanges that make available services for trading Ethereum based coins or ETH itself are likely to be considered controllers in respect of the data they hold for the purposes of their exchange businesses. However, a distinction should be made between being a controller in terms of core business (as an exchange) and being a controller in relation to the Ethereum blockchain. For the latter, it is harder to argue that a centralised exchange which is operating a liquidity function is a controller for the purposes of the Ethereum network. This is particularly pertinent when one considers the mechanism used to enable trades. The exchange will often purchase and sell tokens on behalf of the customer and store them in a secure location, therefore anonymising the personal data of the data subject in relation to the distributed ledger. For de-centralised exchanges, this may be somewhat more complicated depending on the nuances of that exchange and whether there are only liquidity functions being offered or potential privacy enhancements also offered.
30
4 Blockchain and the rights of data subjects
When looking at how the proliferation of blockchain technologies may infringe the rights of data subjects, it is pertinent to note the level of importance attributed to the protection of such rights in the EU. Notably, the protection of personal data in the EU is of such importance it was enshrined in the Charter of Fundamental Rights.178 It is with this in mind that this chapter anal-yses the variety of ways in which blockchain technologies may infringe data subjects privacy rights. On the other hand, there are also many benefits for privacy rights flowing from block-chain, such as the data confidentiality that can arise from decentralised systems179 (providing protection from the state or other resourceful parties from discerning private information).