Reconciling blockchain technology with the General Data Protection Regulation in light of controllership and the rights of data subjects.

Academic year: 2022

Candidate number: 9015

Submission deadline: 1st December 2021

Number of words: 17,024

Abstract

This paper focuses substantially on the notion of controllership and the obligations associated with it. Owing to the importance the GDPR places on controllers, the apparent difficulties in identifying a controller in relation to certain blockchain technologies result in large sections of the GDPR being rendered inoperable and, as a result, diminish a number of rights of data subjects.

The concept of lex cryptographia is deliberated on in the context of data protection regulation and the suggestion of specific, targeted sectoral legislation for blockchain is made. This paper also highlights the lack of guidance provided by data protection authorities in this particular field of technology – whilst it is noted that some authorities have provided basic guidance, it often lacks nuance and the ability to keep up with a fast-moving area of technology.

Whilst there are many blockchain-specific issues in relation to the GDPR, there are a number of general issues (such as further clarification of the definition of erasure under Article 17 GDPR) whose rectification would benefit the wider European data protection regime.

Table of contents

1 INTRODUCTION

1.1 Research methodology

1.2 Lex cryptographia

1.2.1 Sectoral legislation

1.2.2 Regulation by code

2 BLOCKCHAIN TECHNOLOGY

2.1 Blockchain

2.2 Distributed ledger technology

2.3 Consensus mechanisms

2.3.1 Proof-of-work

2.3.2 Proof-of-stake

2.3.3 Other consensus mechanisms

2.4 Participants in a blockchain

2.4.1 Nodes

2.4.2 Miners/Validators

2.4.3 Users (including investors)

2.4.4 Decentralised autonomous organisations

2.4.5 Software developers

2.4.6 Exchanges

2.5 ‘Cryptocurrency’

2.6 Uses beyond digital currency

2.7 Decision to use blockchain

2.8 Types of blockchains

2.8.1 Public vs private blockchains

2.8.2 Permissioned vs permissionless blockchains

2.9 Smart contracts

2.10 Zero-Knowledge Proofs

3 GDPR CONCEPTS APPLIED TO BLOCKCHAIN

3.1 Territorial scope

3.1.1 Establishment

3.2 Data types

3.2.1 Personal Data

3.2.2 Transaction data

3.2.3 Hash data

3.2.4 Personalised public keys

3.3 Pseudonymisation vs. Anonymisation

3.3.1 Identifiability

3.3.2 Anonymity of hashed data

3.3.3 Transaction analysis

3.4 Technological neutrality

3.5 Controllership

3.5.1 Legal functionalism or legal formalism?

3.5.2 Blockchain Fiduciaries

3.6 Joint controllership

3.6.1 CJEU Jurisprudence

3.6.2 Household exemption

3.6.3 Potential liability

3.7 Ethereum Controllership Case Study

3.7.1 Ethereum nodes

3.7.2 Ethereum miners

3.7.3 Ethereum Users

3.7.4 Ethereum developers

3.7.5 Exchanges

4 BLOCKCHAIN AND THE RIGHTS OF DATA SUBJECTS

4.1 Right to rectification

4.1.1 Supplementary notes

4.2 Right to erasure

4.2.1 ‘Erasure’

4.2.2 Off-chain storage

4.2.3 A blockchain that forgets?

4.3 Automated individual decision making

4.3.1 Human intervention

4.3.2 Decisions producing legal effects or similar

4.3.3 Controller obligations in relation to Article 22

4.3.4 Necessity for a DPIA

4.4 Judicial remedies and blockchain

5 CONCLUSIONS

5.1 Data subjects as their own data controllers

5.2 Lack of regulatory guidance

5.3 Sectoral data protection legislation

BIBLIOGRAPHY

1 Introduction

This paper seeks to address potential incompatibilities between blockchain technology and the General Data Protection Regulation.[1] Particular attention is paid to the infringement of data subjects’ fundamental rights as well as the implications of wrongly allocated controllership in relation to blockchain.

Once considered the home of criminals seeking an anonymous way to transfer illicit funds,[2] crypto-assets, and more importantly the blockchain technologies they are based on, have seen much greater acceptance amongst both the general public and industry, who see the underlying technology as a potential solution to many problems.[3] Moreover, the creation of blockchains is not just limited to relatively anonymous small groups of developers; large blue-chip companies, such as IBM, Amazon and Microsoft have been developing their own blockchain offerings (or ‘Blockchain-as-a-Service').[4]

“Regulation plays catch-up with technology. The GDPR was written on the assumption that you have centralized services controlling access rights to the user's data, which is the opposite of what a permissionless blockchain does.”[5]

It is argued in this thesis that the GDPR in its current form is not sufficient to deal with blockchain technology. Structurally, it is designed to deal with traditional centralised data management processes and struggles to fit with the decentralised architecture of blockchain. It is also asserted that the jurisprudence of the CJEU regarding joint controllership has led to an uncomfortable position that does not appropriately align with emerging technologies such as blockchain. Furthermore, there is an encroachment on fundamental data protection rights of data subjects, including inter alia the right to rectification, from certain implementations of blockchain.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[2] For example, using Bitcoin to make anonymous purchases on the infamous Silk Road online marketplace. Tracey Alloway, ‘Bitcoin price continues to fall following Silk Road raid in US’ Financial Times (3rd October 2013) Available at: <https://www.ft.com/content/27ca2d60-2b89-11e3-a1b7-00144feab7de> Accessed on: 19th July 2021

[3] A simplistic indicator of this is perhaps the extreme surge in crypto-asset prices over the last 18 months

[4] J Singh & J D Michels, ‘Blockchain-as-a-Service: Providers and Trust’ Queen Mary School of Law Legal Studies Research Paper No. 269/2017 (2017) Available at: <https://ssrn.com/abstract=3091223> Accessed on: 20th August 2021

[5] A quote from John Matthews, CFO at Bitnation. See D Meyer, ‘Blockchain technology is on a collision course with EU privacy law’ International Association of Privacy Professionals Article (27th February 2018) Available at: <https://iapp.org/news/a/blockchain-technology-is-on-a-collision-course-with-eu-privacy-law/> Accessed on 19th July 2021

Notwithstanding the above, it is recognised that blockchain technology can, in certain circumstances, provide greater protections to data subjects’ privacy rights. The abundance of blockchain services which exist to provide data subjects with greater control of their personal data are also considered in this paper.

Chapter 2 introduces some core concepts found in blockchain technologies and key definitions are elaborated on to establish further discussion. There is a plethora of unsettled terminology that arises when discussing blockchain,[6] which is not only a source of confusion for those unaccustomed to blockchain, but it also makes creating regulation and guidance a difficult task for regulators.[7] Therefore this chapter seeks to provide some clarification of the nomenclature so that the legal analysis conducted throughout this thesis is conducted from a position of understanding.

Chapter 3 provides a commentary on some of the core concepts found in the EU’s data protection regime, including the issues surrounding controllership in blockchain (with specific focus on the joint controllership conundrum), technological neutrality, territorial scope as well as a case study on the Ethereum blockchain.

Chapter 4 takes an in-depth look at how blockchain technologies create the potential for infringement of data subjects’ key privacy rights, including those so important as to be included in the Charter of Fundamental Rights of the EU.[8]

1.1 Research methodology

This paper relies heavily on a doctrinal research methodology,[9] particularly where establishing the boundaries of data protection law in the EU to provide an informed discussion on the effects of data protection law on blockchain technology. However, owing to the considerable technological advancements associated with blockchain and the relatively ‘youthful’ legal debates that have arisen in relation to it, it was deemed necessary to also utilise a socio-legal approach[10] for this thesis in order to appreciate the ‘law in context’ perspective.[11] Guidance and opinions from data protection authorities, as well as the jurisprudence of the Court of Justice of the European Union (CJEU) are considered, to provide an elucidation of blockchain technology in light of the GDPR. Additionally, some comparative analysis is conducted with regard to the developing data protection laws in the USA.

[6] A Walch, ‘The Path of the Blockchain Lexicon (and the Law)’ Review of Banking & Financial Law 36 (2017) 713, 719

[7] ibid 728

[8] C 326/391 (2012) Charter of Fundamental Rights of the European Union.

[9] M McConville & W H Chui (eds), Research Methods for Law, (OUP, 2nd edn, 2017) 3

[10] D N Schiff, ‘Socio-Legal Theory: Social Structure and Law’, The Modern Law Review, 39(3) [1976] 287

[11] (n 9) 6

1.2 Lex cryptographia

The onset of blockchain technology over the last decade has led to increased debate regarding lex cryptographia[12] – i.e. the law of blockchain.[13] It can be separated into two distinct concepts: firstly, as a subset of a traditional legal structure (much in the same way data protection, tort or property law operate as a specific field within a legal system); and secondly, a form of ‘regulation by code’ (which has been similarly observed through the expansion of the internet and the development of lex informatica).[14]

1.2.1 Sectoral legislation

The first concept of lex cryptographia also gives rise to a discussion on sectoral legislation. For example, the EU is looking to develop its blockchain regulatory framework (as a part of the Digital Single Market[15]), in order to “avoid legal and regulatory fragmentation”.[16] This also includes the creation of a pan-European regulatory sandbox for blockchain by 2022.[17] So it is evident that the EU is considering the ramifications of blockchain specific laws, and in the context of financial regulation, has already proposed a regulation concerning the treatment of crypto-assets.[18]

There have historically been criticisms of this approach to new areas of law: Judge Frank Easterbrook, a former US judge,[19] argued that a new technological creation does not require its own area of law (he used the example of the discovery of horses not requiring its own subset of law – ‘the law of the horse’ – but rather falling under the pre-existing legal structures).[20]

[12] A Wright & P De Filippi, ‘Decentralized blockchain technology and the rise of lex cryptographia’ (2015) Available at: <https://dx.doi.org/10.2139/ssrn.2580664> Accessed on: 25th September 2021

[13] G Dimitropoulos, ‘The law of blockchain’ Washington Law Review (2020) 24

[14] (n 12) 45

[15] COM (2015) 192 Communication from the Commission concerning A Digital Single Market Strategy for Europe

[16] European Commission, ‘Legal and regulatory framework for blockchain’ (2020) Available at: <https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-blockchain> Accessed on 29th August 2021

[17] European Commission, ‘Digital Finance Package: Commission sets out new, ambitious approach to encourage responsible innovation to benefit consumers and businesses’ Press release (24 September 2020). Available at: <https://ec.europa.eu/commission/presscorner/detail/en/IP_20_1684> Accessed on: 29th August 2021

[18] COM (2020) 593 Proposal for a regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 (MiCA Regulation)

[19] Court of Appeals for the 7th Circuit

[20] F H Easterbrook, ‘Cyberspace and the Law of the Horse’ University of Chicago Legal Forum (1996) 207, 208

However, just as it was difficult to apply this rationale to information and communication law at the outset of the internet age,[21] it is also a simplification that cannot be applied to the growing complexity of blockchain ecosystems. As will be demonstrated through this thesis, blockchain technology does not readily fit into traditional legal structures (and in particular, data protection regulation).

1.2.2 Regulation by code

Without delving too far into a discussion of the definition of regulation, it can be said that the term ‘regulation’ extends beyond the typical notion of a codified law (or set of rules). One such example is the scope for computer code to be classified as a form of ‘regulation’, or more specifically as a form of transnational private regulation.[22] There have been suggestions that a paradigm shift is inevitable as code becomes ever more important in regulating activity and therefore recognised as law,[23] and this itself can lead to the differences between law and code diminishing. This view of code as law is particularly pertinent in relation to blockchain, where complex mathematical algorithms cause (and restrict) certain behaviours on the blockchain. An example of this is the use of ‘smart contracts’ as a form of automated processing (see section 4.3).

[21] L Lessig, ‘The Law of the Horse: What Cyberlaw Might Teach’ Harvard Law Review 113(2) (1999) 501, 517

[22] Black defines regulation as the attempt to “alter the behaviour of others according to defined standards” in order to produce a predefined (or desired) outcome. J Black, ‘Critical Reflections on Regulation’ (2002) 27 AJLP 1, 26

[23] G Dimitropoulos, ‘The law of blockchain’ Washington Law Review (2020) 25

2 Blockchain Technology

2.1 Blockchain

This chapter assesses the elements that are common to the majority of blockchain technologies.

In simple terms, a blockchain could be described as a synchronised peer-to-peer database containing information that is verified according to a particular set of predetermined rules.[24] Transaction data is grouped into a block and each block has a unique hash[25] generated, and importantly, also contains the hash information of the previous block.[26] It is in this way that each new block can attest to the validity of the previous block, therefore allowing for a chain of transactions to manifest. It is pertinent to note that there are a multitude of blockchain designs with differing feature sets, however, some of the key characteristics of typical blockchains can be summarised to include the following elements:

- A ledger which is append only (and immutable);

- The ledger is usually decentralised and distributed amongst a network;

- The use of consensus mechanisms to ensure additions to the ledger are correct;

- Often community-based governance structures;

- The ability to automate transactions and processes.[27]

2.2 Distributed ledger technology

The distributed ledger is one of the key strengths of blockchain with regard to data being considered immutable. Each time a new transaction is made on the blockchain, every copy of the ledger is simultaneously updated on the peer-to-peer network. This ensures consistency across the system and is one of the security benefits of blockchain. If a malicious actor tried to edit the distributed ledger stored on one node, the ledger would not match the record held on the remaining nodes in the network and would be rejected (see consensus mechanisms below).

2.3 Consensus mechanisms

Consensus mechanisms are a core feature of blockchain technology as they pertain to the immutability of the ledger as well as the governance of the blockchain. The use of consensus mechanisms in relation to governance occurs when new software is introduced to the chain and when transactions are verified.[28] New transactions that are to be recorded on the distributed ledger need to be verified by a specific subset of the blockchain community (usually amounting to 51%). This verification is done in accordance with the consensus mechanism chosen for the blockchain.

[24] M Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press, 2018) 6

[25] See section 3.2

[26] With the exception of a ‘genesis block’. See S Sater, ‘Blockchain and the European Union’s General Data Protection Regulation: A Chance to Harmonize International Data Flows’ (2017) 21 Available at: <https://dx.doi.org/10.2139/ssrn.3080987> Accessed on: 10th October 2021

[27] J Singh & J D Michels, ‘Blockchain-as-a-Service: Providers and Trust’ Queen Mary School of Law Legal Studies Research Paper No. 269/2017 (2017) 1 Available at: <https://ssrn.com/abstract=3091223> Accessed on: 23rd November 2021

2.3.1 Proof-of-work

Proof-of-work is perhaps the best known of all the consensus mechanisms used in blockchain technology and is used as the consensus mechanism for a number of blockchains including the Bitcoin protocol.[29] Under a proof-of-work system, miners compete for the chance to create a block by attempting to solve advanced mathematical equations (this is why mining blocks requires substantial computational power[30]). The miners attempt, through a process of trial and error, to solve the correct ‘nonce’ value through the rehashing of the block header.[31] When a miner correctly solves the problem, they ‘mint’ a new coin/token which they receive in reward for the processing they have completed.
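As an added illustration that is not part of the thesis, the following toy Python chain ties together the block hashing and linking described in section 2.1, the rejection of an edited ledger copy in section 2.2 and the nonce search described above: each block's SHA-256 hash commits to the previous block's hash, and a block is only valid once a nonce has been found that brings its hash under a low target. The header layout, field names, difficulty value and sample transactions are assumptions made for this example and do not reproduce Bitcoin's real block format.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Toy target: a valid block hash must begin with this many zero bits.
# Real networks demand a far higher difficulty; this keeps the search fast.
DIFFICULTY = 12
GENESIS_PREV = "0" * 64  # the genesis block has no predecessor to point at


@dataclass
class Block:
    index: int
    prev_hash: str           # hash of the previous block: the link that forms the chain
    transactions: List[str]
    nonce: int = 0           # the value miners search for by trial and error

    def header(self) -> bytes:
        # Assumed header layout for this example (not Bitcoin's real format).
        tx_blob = json.dumps(self.transactions)
        return f"{self.index}|{self.prev_hash}|{tx_blob}|{self.nonce}".encode()

    def hash(self) -> str:
        return hashlib.sha256(self.header()).hexdigest()


def meets_target(block_hash: str, difficulty: int = DIFFICULTY) -> bool:
    # True when the top `difficulty` bits of the 256-bit hash are all zero.
    return int(block_hash, 16) >> (256 - difficulty) == 0


def mine(block: Block, difficulty: int = DIFFICULTY) -> Block:
    # Proof-of-work: rehash the header with successive nonces until the hash
    # falls under the target. There is no shortcut; the repeated hashing is the "work".
    block.nonce = 0
    while not meets_target(block.hash(), difficulty):
        block.nonce += 1
    return block


def build_chain(tx_batches: List[List[str]], difficulty: int = DIFFICULTY) -> List[Block]:
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = mine(Block(i, prev, list(txs)), difficulty)
        chain.append(block)
        prev = block.hash()  # the next block will commit to this hash
    return chain


def validate(chain: List[Block], difficulty: int = DIFFICULTY) -> Tuple[bool, Optional[int]]:
    # What an honest node checks before accepting a copy of the ledger: every
    # block links to its predecessor's hash and carries a valid proof-of-work.
    # Returns (True, None) or (False, index of the first block that fails).
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return False, i
        block_hash = block.hash()
        if not meets_target(block_hash, difficulty):
            return False, i
        prev = block_hash
    return True, None


def tamper(chain: List[Block], index: int, new_txs: List[str]) -> Tuple[bool, Optional[int]]:
    # Simulate one node editing its local ledger copy and re-mining only the
    # edited block. The edited block gets a fresh valid proof, but the block
    # after it (if any) still commits to the old hash, so validation fails there:
    # rewriting history means redoing the work for every later block as well.
    chain[index].transactions = list(new_txs)
    mine(chain[index])
    return validate(chain)


if __name__ == "__main__":
    # Constructed sample transactions, not real ledger data.
    ledger = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    print("fresh chain valid:", validate(ledger))                        # (True, None)
    print("after tampering block 1:", tamper(ledger, 1, ["bob->carol:200"]))  # (False, 2)
```

Editing the newest block re-validates cleanly because nothing commits to it yet, which is why a transaction is only treated as settled once further blocks have been built on top of it.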

From a security perspective, there exists a potential issue with proof-of-work consensus mechanisms concerning the threat of a so-called ‘51% attack’.[32] Such an attack can manifest where more than 51% of the computational power of the blockchain is mobilised to act against the usual aims of that blockchain. With a single entity (or a group of associates) controlling so much of the blockchain’s computational power, a decision can be made to simply grind the blockchain’s processing to a halt. They could decide to not process transactions and to double spend the coins of the transactions they do process.[33] As 51% attacks have been proven to cause significant negative impacts on the prices of the cryptocurrencies they target,[34] miners (and large mining pools) generally have an interest in not taking advantage if they do amass a dominant position in the computational power of a blockchain.[35]

[28] A Walch, ‘The Fiduciaries of Public Blockchains’ (2016) 2 Available at: <http://blockchain.cs.ucl.ac.uk/wp-content/uploads/2016/11/paper_20.pdf> Accessed on: 19th September 2021.

[29] S Nakamoto, ‘Bitcoin: A Peer-to-Peer Electronic Cash System’ Bitcoin White Paper (2008) 3 Available at: <https://bitcoin.org/bitcoin.pdf> Accessed on: 28th September 2021.

[30] The computational power requirements needed to power the bitcoin network are said to use more than the electricity demands of the entirety of Argentina and makes up 0.5% of global electricity consumption. C Criddle, ‘Bitcoin consumes more electricity than Argentina’ BBC (10th February 2021) Available at: <https://www.bbc.com/news/technology-56012952> Accessed on: 28th September 2021. See also, Cambridge Centre for Alternative Finance, Bitcoin Comparisons (2021) Available at: <https://ccaf.io/cbeci/index/comparisons> Accessed on: 28th September 2021.

[31] J Bacon, J D Michels, C Millard & J Singh, ‘Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers’ 25 Rich JL & Tech 1 (2018) 40.

[32] S Shanaev, A Shuraeva, M Vasenin & M Kuznetsov, ‘Cryptocurrency Value and 51% Attacks: Evidence from Event Studies’ The Journal of Alternative Investments 22(3) (Winter 2020) 65 Available at: <https://doi.org/10.3905/jai.2019.1.081> Accessed on: 21st November 2021.

[33] (n 31) 47

[34] (n 32) 65

2.3.2 Proof-of-stake

A proof-of-stake consensus mechanism uses significantly less computational power than a proof-of-work mechanism. This is due to a proof-of-stake system not requiring the solving of mathematical problems. Instead of having miners, proof-of-stake consensus mechanisms utilise ‘validators’ who ‘stake’ some of the blockchain’s currency in order to validate correct transactions. Those who validate incorrect transactions lose their stake, and therefore the immutability of the distributed ledger is maintained. Moreover, a 51% attack is less likely with this model as an attacker is required to possess at least 51% of the stakeable coins/tokens in circulation for that particular blockchain. This in turn increases the risk for the attacker who may incur a substantial devaluation risk when attacking the network.[36]

2.3.3 Other consensus mechanisms

There exists a plethora of other consensus mechanisms that are currently being utilised in blockchains today, such as “Byzantine Fault-Tolerant” and “Algorand”. However, these are not analysed with any specificity and are to be considered outside the scope of this thesis.

2.4 Participants in a blockchain

The core participants in a blockchain can be broken down as such:

2.4.1 Nodes

Nodes are the part of the blockchain network which stores the distributed ledger, and therefore allows for the validation of the single immutable ledger that is spread across many local storage facilities.[37] Nodes are usually numerous and spread out over a wide geographical area. There is some overlap between users and nodes but owing to the typically high download sizes for permissionless blockchains, not all users download a full copy of the ledger.[38]

2.4.2 Miners/Validators

Miners form an important part of a blockchain as they create new blocks. As the creation of a new block provides verification against the previous block, they provide a valuable function in ensuring the immutability of the chain. In return for mining a block, a miner is rewarded with a newly minted coin and/or a transaction fee.[39]

[35] J Bacon, J D Michels, C Millard & J Singh, ‘Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers’ 25 Rich JL & Tech 1 (2018) 49

[36] Stiftung Ethereum, ‘Consensus Mechanisms – Proof of Stake’ (2021) Available at: <https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/> Accessed on 10th September 2021

[37] European Parliamentary Research Service, ‘Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law?’ (July 2019) 3

[38] ibid 33

2.4.3 Users (including investors)

This group of participants are the active users of the blockchain, for whatever purpose the blockchain is designed for. Users engage in the buying and selling of coins and tokens either as a store of value[40] or for the provision of specific services provided on the relevant blockchain. Speculative investors would fall into this category of blockchain participant. It is important to note the governance role users may play if they are holders of tokens which allow for the voting on rules or delegates in a Decentralised Autonomous Organisation. Additionally, a user is often required to download some software to participate in a blockchain (i.e. having their own transactions logged on the ledger).[41] Therefore, it can be said that a user plays a larger role in a blockchain ecosystem than a typical website user (for example). This notably creates some issues concerning controllership, as discussed in sections 3.5 and 3.6.

2.4.4 Decentralised autonomous organisations

The proliferation of blockchain technology has led to the growing increase in importance of decentralised governance. Decentralised autonomous organisations (DAOs) are organisations that are responsible for the governance of a particular blockchain, and as their name suggests, they are without a centralised control function. Generally, the holders of ‘governance coins’ (or another predefined metric) relating to a specific blockchain will vote on matters that affect the blockchain. Additionally, some blockchains include a voting mechanism for coin holders to select a delegate to represent them on governance matters and act as a regulatory point of contact.[42] DAOs may fall to be considered controllers of personal data, however, due to their organisational structure, the efficacy of allocating controllership may be futile.

2.4.5 Software developers

Whilst there sometimes may be an overlap between who the developers of blockchain are and who the developers of DApps are, there is a pertinent distinction between the two from a data protection perspective due to the different role each may have in creating technology that handles personal data. With each blockchain, there needs to be a software developer to update the main blockchain network itself. Often this is a consortium of developers who work on patches and/or changes to the blockchain and then submit the proposals to the network. ‘DApps’ are simply ‘distributed apps’ that operate utilising blockchain technology (underpinned through the use of smart contracts),[43] and therefore, their development is conducted by DApp software developers.

[39] M Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press, 2018) 20

[40] Many coins are deliberately created with a deflationary pressure so as to improve its use as a store of value. See FM Ametrano, ‘Hayek Money: The Cryptocurrency Price Stability Solution’ (2016) 34 Available at: <https://dx.doi.org/10.2139/ssrn.2425270>

[41] J Bacon, J D Michels, C Millard & J Singh, ‘Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers’ 25 Rich JL & Tech 1 (2018) 32

[42] For example, see the Tezos project which aims to provide users with an on-chain governance mechanism therefore removing decision-making power from miners/validators. See <https://tezos.com/learn/what-is-tezos/>

2.4.6 Exchanges

There exist a number of centralised exchanges (i.e. those controlled by a traditional company) that provide a service to allow for the exchange of a variety of crypto-assets.[44] They operate in a traditional manner that is comparable to regular stock market exchanges (that market to non-professional investors). Exchanges provide an important liquidity function to the crypto-asset market, but their level of influence in any particular blockchain is limited to that liquidity function (though it is noted that some exchanges have launched their own blockchains, this conduct should be seen as an activity of a blockchain software developer rather than the typical activity of an exchange).

With the emergence of decentralised finance (DeFi), a number of decentralised exchanges have been developed to allow for the exchange of a variety of crypto-assets with greater security and stronger privacy protections than traditional exchanges.[45]

2.5 ‘Cryptocurrency’

‘Cryptocurrency’ is perhaps the most well-known use of blockchain amongst the general public. There are a number of high-profile projects from the private sector which have already launched (such as Bitcoin[46], Zcash[47] and Monero[48]). There has also been increased interest from central banks in Europe who have been exploring blockchain based digital currencies,[49] such as the Bank of England investigating the use cases for a ‘systemic stablecoin’[50] and the European Central Bank experimenting with a ‘Digital Euro Ledger’.[51]

[43] Stiftung Ethereum, ‘Introduction to DApps’ <https://ethereum.org/en/developers/docs/dapps> Accessed on 21st November 2021.

[44] For example, Binance, Coinbase or Bitpanda.

[45] It is argued that decentralised exchanges, which have no centralised system to target, are safer to use than centralised exchanges which are more susceptible to attacks from hackers and provide greater anonymity. A Aspris, S Foley, J Svec, & L Wang, ‘Decentralized Exchanges: The 'Wild West' of Cryptocurrency Trading’ International Review of Financial Analysis (July 2021) Available at: <http://dx.doi.org/10.2139/ssrn.3717330>

[46] See <https://bitcoin.org/>.

[47] See <https://z.cash/>.

[48] See <https://www.getmonero.org/>.

[49] Known as Central Bank Digital Currencies (CBDC).

In the private sector, the prices of many ‘tokens’ or ‘coins’ have received much publicity after periods of intense price speculation and growth despite the lack of a regulated market.[52] Such speculation has notably increased the interest of regulators in blockchain technologies,[53] and whilst the political discourse has been primarily concerned with financial stability, AML,[54] and consumer/investor protection, there also exists an important data protection perspective.

2.6 Uses beyond digital currency

However, the above notwithstanding, the potential applications of blockchain technology extend well beyond cryptocurrencies.[55] There are potential applications in, inter alia, healthcare, media, and supply chain management. An example of the latter includes diamond merchants[56] using blockchain technology to track the provenance of precious stones from mine to consumer.[57] There have been predictions that blockchain will change the landscape of the world economy in a similar way the internet has in the last few decades. This is where data protection authorities need to ensure they are well equipped to ensure the protection of data subjects’ fundamental data rights. In the context of blockchain technologies, there exist a multitude of ways in which personal data can be processed and, depending on the idiosyncrasies of the chain in question, potentially involve a breach of the GDPR.

[50] Bank of England, ‘Central Bank Digital Currency: Opportunities, challenges and design’ (Discussion Paper, March 2020) 13 Available at: <https://www.bankofengland.co.uk/-/media/boe/files/paper/2020/central-bank-digital-currency-opportunities-challenges-and-design.pdf?la=en&hash=DFAD18646A77C00772AF1C5B18E63E71F68E4593> Accessed on: 1st October 2021.

[51] European Central Bank, ’Digital Euro experimentation scope and key learnings’ (July 2021) 4 Available at: <https://www.ecb.europa.eu/pub/pdf/other/ecb.digitaleuroscopekeylearnings202107~564d89045e.en.pdf> Accessed on: 1st October 2021.

[52] J Oliver, ‘Crypto fever: the pressure grows on wealth managers’ Financial Times (19th November 2021). Available at: <ft.com/content/461ef12c-1db7-47a5-9210-aa0e7594adb5> Accessed on: 19th November 2021.

[53] For example see, European Banking Authority, ‘Report with advice for the European Commission on crypto-assets’ (January 2019).

[54] Anti-Money Laundering

[55] Where their use is perhaps most recognised by the public.

[56] See De Beers Group’s “Tracr” technology. De Beers Group, ‘Tracr™’ Available at: <https://www.debeersgroup.com/sustainability-and-ethics/leading-ethical-practices-across-the-industry/tracr> Accessed on: 10th October 2021.

[57] M Iansiti & KR Lakhani, The Truth About Blockchain, Harvard Business Review (Jan-Feb 2017) 118, 124.

(16)

2.7 Decision to use blockchain

Considering the frenzy that surrounds blockchain technology and its status as a technology that forward-thinking companies are using,58 it is important for data controllers to decide whether blockchain is actually the optimal method of achieving the controller’s aims and whether it is necessary for the processing to take place. This point was stressed by the French data protection authority (CNIL),59 which calls upon controllers to evaluate whether blockchain is the most suitable technology to process personal data in the circumstances of the controller.60 This follows from the requirement that controllers act in accordance with the principle of data protection by design and by default, which states that, inter alia, controllers must implement technical and organisational measures to ensure that only personal data which is necessary (for each specific purpose) is processed.61

2.8 Types of blockchains

2.8.1 Public vs private blockchains

There are many similarities between public and private blockchains. Both exist as decentralised peer-to-peer networks which usually share an immutable ledger of encrypted transactions that is verifiable across the blockchain.62 However, an important distinction must be noted between public and private blockchains. A private blockchain may be controlled by a single individual, entity or consortium who determine the user base. It is not open for any willing participant to join but is restricted to those whom the blockchain administrator wishes to invite; a public blockchain, by contrast, is open for anyone to join.

This distinction is also pertinent from a practical perspective concerning the implementation of the GDPR at an organisational level. Blockchains can be created under different circumstances which may cause the practical efficacy of the GDPR to differ. For example, the way in which the GDPR influences, at the early developmental stages, the design of a private blockchain created by a specific undertaking (which will maintain the permissions of the system) is likely to differ considerably from its influence on an anonymous group of developers launching a permissionless (public) blockchain application. Due to the likelihood that (in the former example) a private blockchain is operated by an undertaking or organisation with a more traditional governance structure, the

58 I Kaminska, ‘Blockchain hype storms Davos’ Financial Times (20th January 2016)

59 Commission nationale de l'informatique et des libertés

60 Commission nationale de l'informatique et des libertés, ‘Blockchain: Solutions for a responsible use of the blockchain in the context of personal data’ (September 2018) 5

61 GDPR, Article 25.

62 P Jayachandran, ‘The difference between public and private blockchain’ IBM Supply Chain and Blockchain Blog (2017) Available at <https://www.ibm.com/blogs/blockchain/2017/05/the-difference-between-public-and-private-blockchain/>


‘ex ante elements’63 of the GDPR are likely to have greater effect. The principle of DPbDbD,64 under Article 25 GDPR (which is essentially ex ante regulatory control that is delegated to data controllers65), is much more likely to be followed by an institution with a traditional governance model. Conversely, a permissionless blockchain with a decentralised governance model may have been created with weaker ex ante controls and (due to issues with the allocation of controllership, see sections 3.5 and 3.6) may not necessarily protect data subjects’ rights ex post. To take the most well-known example, one may question to what extent principles such as DPbDbD were observed by ‘Satoshi Nakamoto’ – the anonymous creator (or creators) of Bitcoin.66

2.8.2 Permissioned vs permissionless blockchains

In contrast to permissionless blockchains, such as Bitcoin, permissioned blockchains contain a limited number of nodes that can only be accessed by persons who have been given the authority (or permission) to view or propose changes to the distributed ledger.67 Due to this difference in structure, this type of blockchain is more prevalent amongst companies installing internal blockchain solutions, where there is also likely to be a centralised governance mechanism. From a data protection perspective, concepts such as territorial establishment and controllership are easier to apply to this type of blockchain.

2.9 Smart contracts

Smart contracts are not a recent invention. The notion of a smart contract was first suggested by the so-called ‘father of smart contracts’,68 Nick Szabo in the early 1990s. He defined the smart contract as ‘a computerized transaction protocol that executes the terms of a contract’, thus minimising the need for trusted intermediaries.69 Blockchain has, therefore, been seen as an ideal mechanism for allowing the proliferation of smart contracts. Example uses for smart

63 K Yeung & L A Bygrave, ‘Demystifying the modernized European data protection regime: Cross-disciplinary insights from legal and regulatory governance scholarship’ (2021) 7 Available at: <https://onlinelibrary.wiley.com/doi/full/10.1111/rego.12401> Accessed on: 13th October 2021.

64 Data Protection by Design and by Default.

65 (n 64)

66 S Nakamoto, ‘Bitcoin: A Peer-to-Peer Electronic Cash System’ Bitcoin White Paper (2008) Available at: <https://bitcoin.org/bitcoin.pdf> Accessed on: 28th September 2021.

67 Y Bakos & H Halaburda, ‘Tradeoffs in Permissioned vs Permissionless Blockchains: Trust and Performance’ (2021) 2 Available at: <http://dx.doi.org/10.2139/ssrn.3789425> Accessed on: 13th October 2021.

68 Nick Paumgarten, ’The Prophets of Cryptocurrency Survey the Boom and Bust’ The New Yorker (8th October 2018) Available at: <https://www.newyorker.com/magazine/2018/10/22/the-prophets-of-cryptocurrency-survey-the-boom-and-bust> Accessed on: 25th September 2021.

69 Szabo N, 'Smart Contracts: Building Blocks for Digital Markets' Extropy: The Journal of Transhumanist Thought (1996)


contracts include the automation of settlement of derivatives contracts,70 preventing voter fraud in elections71 and for the sale of property.72

Smart contracts are not ‘smart’ in that they require external assistance to interpret real-world information and language (such as the arrival of a shipment to trigger the payment to a seller).73 Additionally, smart contracts should not be considered contracts in the legal sense, but rather as “if/then”74 computer scripts that do not necessarily conform to the contractual formalities of a given jurisdiction. However, due to the automated nature of smart contracts (in that a contract could be executed without human intervention), there is scope for potential infringement of data subjects’ rights under Article 22 of the GDPR. This is discussed further in section 4.3.

2.10 Zero-Knowledge Proofs

A zero-knowledge proof is a process which allows for the verification of information from one party to another without the actual information itself being revealed. Created in 1985 by MIT researchers,75 zero-knowledge proofs have the potential to allow for the verification of sensitive personal data without the sensitive data having to be stored or known by the party conducting the verification. It has been described as “an elegant technique to limit the amount of information transferred from a prover A to a verifier B in a cryptographic protocol”.76 For example, a company seeking to verify the age of its customers may do so without processing the date of birth or the age of the customer – it simply receives a verification that the customer is in the required age range.

Though referred to as ‘zero-knowledge’, some knowledge transfer is required for a zero-knowledge proof to operate. In the age verification example above, the company clearly gains the knowledge that the person they are dealing with is in the required age range (and either can or cannot continue a business relationship). However, there is also the possibility for systems

70 Santander Innoventure, ‘The FinTech 2.0 Paper: Rebooting financial services’ (June 2015) 15 Available at: <https://www.finextra.com/finextra-downloads/newsdocs/the%20fintech%202%200%20paper.pdf> Accessed on: 2nd November 2021.

71 Department for Business, Energy and Industrial Strategy (UK), ‘Electronic Balloting Review: The Report of the Independent Review of Electronic Balloting for Industrial Action’ (2017) 37

72 D B Rawat, V Chaudhary & R Doku, ‘Blockchain Technology: Emerging Applications and Use Cases for Secure and Trustworthy Smart Systems’ Journal of Cybersecurity and Privacy 1 (2020) 4, 11

73 M Finck, ‘Smart Contracts as a Form of Solely Automated Processing under the GDPR’ (2021) 4

74 ibid

75 S Goldwasser, S Micali and C Rackoff, ‘The knowledge complexity of interactive proof-systems' STOC 85 (December 1985) 291 Available at: <https://doi.org/10.1145/22145.22178> Accessed on: 3rd October 2021.

76 U Feige, A Fiat & A Shamir, ‘Zero-Knowledge Proofs of Identity’, Journal of Cryptology 1 (1988) 77


that are based on ‘knowledge about knowledge’ when the transfer of information takes place, which provide even greater protection of personal information.77

A drawback of zero-knowledge proofs is that, historically, they required some dialogue between the provider of information and the verifier in order to establish verification (which requires a greater volume of information to be sent across a network). To combat this there is a type of zero-knowledge proof known as a Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (‘zk-SNARK’), which does not require interaction between the supplier of information and the verifier, and needs relatively few bytes of information to operate.78

For ‘privacy coin’79 projects such as Zcash, this interaction is replaced with verification provided by ‘multi-party consensus’ through the use of advanced mathematical equations (to prevent false verifications from manipulating the consensus).80 Such privacy coin projects can be viewed in light of the principle of data minimisation under the GDPR.81
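The distinction drawn above between an interactive dialogue and a single-message proof can be seen in the classic Schnorr protocol for proving knowledge of a discrete logarithm. The following Python code is an added example, not part of the original thesis or of any project mentioned in it: the prover shows that it knows a secret x with y = g^x mod p without disclosing x, first through a three-move exchange in which the verifier supplies the challenge, then in non-interactive form where the challenge is derived from a hash of the transcript (the Fiat-Shamir heuristic). The group parameters p = 2039, q = 1019 and g = 4 are toy values chosen for readability and are assumptions of this example; a zk-SNARK as used by Zcash rests on different and far more involved constructions.

```python
"""Schnorr-style zero-knowledge proof of knowledge of a discrete logarithm.

Added example for section 2.10 (not from the thesis). The prover knows x with
y = g^x mod p and convinces the verifier of that fact without revealing x.
Toy parameters only: p = 2039 is a safe prime (p = 2q + 1 with q = 1019) and
g = 4 generates the order-q subgroup; a real system uses a large group.
"""
import hashlib
import secrets

P = 2039   # toy safe prime, p = 2q + 1 (assumption of this example)
Q = 1019   # order of the prime-order subgroup
G = 4      # 4 = 2^2 is a quadratic residue, so it has order q


def keygen():
    """Prover's secret x and the public value y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit():
    """Move 1: prover picks a random nonce r and sends t = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def respond(x, r, c):
    """Move 3: prover answers challenge c with s = r + c*x mod q (x stays hidden)."""
    return (r + c * x) % Q


def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def interactive_proof(x, y):
    """Full three-move dialogue: commit, verifier-chosen challenge, response."""
    r, t = commit()
    c = secrets.randbelow(Q - 1) + 1      # move 2: challenge chosen by the verifier
    s = respond(x, r, c)
    return verify(y, t, c, s)


def fiat_shamir_challenge(y, t):
    """Non-interactive variant: derive the challenge from a hash of the public transcript."""
    data = f"{G}|{P}|{y}|{t}".encode()
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest % (Q - 1) + 1           # challenge in [1, q-1]


def prove_noninteractive(x, y):
    """Prover emits (t, s) as a single message; no round trip with the verifier."""
    r, t = commit()
    c = fiat_shamir_challenge(y, t)
    return t, respond(x, r, c)


def verify_noninteractive(y, proof):
    """Anyone holding y can check the published proof by recomputing the challenge."""
    t, s = proof
    return verify(y, t, fiat_shamir_challenge(y, t), s)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive proof accepted:", interactive_proof(x, y))
    proof = prove_noninteractive(x, y)
    print("non-interactive proof accepted:", verify_noninteractive(y, proof))
```

The secret never leaves the prover: the verifier learns only that the response satisfies g^s = t·y^c. In the non-interactive form the pair (t, s) can be published once and checked by any party, which is the property that lets a verifier such as a blockchain node check a claim without a dialogue with the prover.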

77 U Feige, A Fiat & A Shamir, ‘Zero-Knowledge Proofs of Identity’, Journal of Cryptology 1 (1988) 77

78 Zcash, ‘What are zk-SNARKs?’ Available at: <https://z.cash/technology/zksnarks/>

79 There are a number of blockchain based digital currencies that have been launched with the explicit purpose of improving the privacy of those using the currency. The largest and most well-known of these digital currencies is Zcash and Monero.

80 See <https://z.cash/technology/zksnarks/>

81 GDPR, Article 5(1)(c)


3 GDPR concepts applied to blockchain

This chapter establishes a discussion on some of the fundamental concepts found in the GDPR and how they pertain to blockchain technology.

3.1 Territorial scope

A discussion on the territorial scope of the GDPR vis-à-vis blockchain is particularly relevant when one considers the inherent design of many blockchains – a decentralised and distributed system of miners, nodes and users potentially spread across the world.82

The territorial scope of the GDPR is contained in Article 3 of the GDPR, which states that the GDPR applies to the “processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. Moreover, the GDPR also applies in processing situations where the controller or processor is not established in the EU if the processing relates to either “the offering of goods or services” to data subjects in the EU or the monitoring of data subjects’ behaviour in the EU.83 This provision would likely encompass a large number of blockchains that market a digital product, currency or app to data subjects in the EU.

3.1.1 Establishment

Though the GDPR does not provide an explicit definition of ‘establishment’, Recital 22 does clarify that it ‘implies the effective and real exercise of activity through stable arrangements [emphasis added]’.84 In Weltimmo, the CJEU stated that the threshold for what is considered a stable arrangement was low.85 In Google Spain, the Court gave a broad interpretation for the definition of the ‘context of the activities of an establishment’ where it considered Google’s Spanish sales office to be established in the EU despite the processing taking place in Google’s headquarters in California, USA, due to them being “inextricably linked”.86

It can be seen that the CJEU has taken a wide view of the definition of establishment in order to ensure that data subjects’ rights are adequately protected. In light of the many services provided through blockchain technology, it is unlikely that public blockchains will fall outside of the scope of the GDPR. Private blockchains, on the other hand, could limit EU data subjects

82 Blockchain has been described as ‘global and transnational, by nature and design’. See G Dimitropoulos, ‘The Law of Blockchain’, Washington Law Review (2020) 1 Available at: <https://dx.doi.org/10.2139/ssrn.3559970> Accessed on: 20th September 2021.

83 GDPR, Article 3(2).

84 GDPR, Recital 22.

85 Case C‑230/14 Weltimmo [29]

86 Case C‑131/12 Google Spain SL v AEPD & Mario Costeja Gonzalez [56]


from gaining the relevant permissions to join and therefore fall outside of the jurisdiction of the GDPR.

3.2 Data types

It is pertinent to understand the type of data contained on a blockchain when ascertaining the relationship between EU data protection law and blockchain based technologies. This is due to the scope of the GDPR being limited to personal data only.87

3.2.1 Personal Data

Personal data is defined in short as ‘any information relating to an identified or identifiable natural person’.88 Pertinent to blockchain technologies, Article 4 GDPR provides a non-exhaustive list of identifiers that may be used to identify a person (such as their name, location data and online identifiers).89 However, clarifications by the CJEU on the definition and scope of personal data have also demonstrated that personal data should be interpreted broadly. This was explicitly addressed in the case of Nowak,90 where the Court stated that, due to the wording of the definition of personal data (found then in Article 2(a) of the DPD91), the EU legislature would have wanted to capture a wide range of information by using the phrase ‘any information…’.92 Additionally, the Court has established a variety of examples of personal data such as: information on hobbies,93 tax information,94 fingerprints,95 and ISP addresses.96

There is an issue that concerns the processing of data which is not prima facie personal but which, through advanced identification techniques, can have personal information attributed to it. The European Parliament’s Panel for the Future of Science and Technology highlights the difficulties that arise from the ‘binary perspective’ between personal and non-personal data.97 From a practical perspective, there can be data that falls into a grey area somewhere between the two. This is particularly notable where the value companies place on large non-personal datasets, coupled with the rapid onset of advances in computational science and processing power, allows

87 GDPR, Article 1.

88 GDPR, Article 4(1).

89 GDPR, Article 4(1).

90 Case C-434/16 Nowak

91 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Article 2(a)

92 (n 90) [34]

93 Case C101/01 Lindquist

94 Case C-201/14 Smaranda Bara et al v Presedentiele Casei Nationale de Asigurari de Sanatate (CNAS) et al

95 Case C-291/12 Schwarz v Bochum

96 Case C-70/10 Scarlet Extended SA v Société Belge des Auteurs, Compositeurs et Éditeurs (SABAM)

97 European Parliamentary Research Service, ‘Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law?’ (July 2019) 14


for personal identifiers98 to be attributed to non-personal data with greater accuracy (see section 3.3.3).

3.2.2 Transaction data

Transaction data refers to both the data contained within an individual block and the data recorded on the distributed public ledger. Whether transaction data is to be considered personal data depends on the circumstances of the transaction.99 It is dependent on what information is included alongside the transaction as well as the potentiality for a data subject to be identified by inference or linkability.100

3.2.3 Hash data

Hashing is a fundamental part of blockchain. It allows for the verification of the distributed ledger and contributes to the security of the network. A hash is a unique identifier for a file (or block) that is generated via a hashing function.101 The block passes through the hashing function and is allocated a unique string of digits.102 Should the block be changed the hash value would also change so it would be possible to determine that the underlying transaction data has been interfered with.
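To make concrete how a changed block betrays itself, the following Python snippet is an added example (not code from the thesis or from any blockchain project): it builds a small chain from constructed transaction batches, hashes each block over its contents together with the previous block’s hash, and then scans the chain for a block whose stored hash or backward link no longer verifies. The block layout is simplified and assumed for illustration; Bitcoin, for instance, hashes a header containing a Merkle root of the transactions rather than the raw transactions themselves.

```python
"""Block hashing and tamper detection on a minimal chain.

Added example for section 3.2.3 (not from the thesis). Each block's SHA-256
hash covers its index, its transactions and the previous block's hash, so
altering any recorded transaction changes that block's hash and breaks the
link held by every later block. The layout is a simplification assumed here.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Block:
    index: int
    previous_hash: str
    transactions: list
    hash: str = field(default="")

    def compute_hash(self) -> str:
        # Canonical serialisation so identical content always yields the same digest.
        payload = json.dumps(
            {"index": self.index,
             "previous_hash": self.previous_hash,
             "transactions": self.transactions},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(batches):
    """Link transaction batches into a chain; the genesis block points at an all-zero hash."""
    chain = []
    previous = "0" * 64
    for i, txs in enumerate(batches):
        block = Block(i, previous, [dict(tx) for tx in txs])
        block.hash = block.compute_hash()
        chain.append(block)
        previous = block.hash
    return chain


def find_tampered_block(chain):
    """Index of the first block whose stored hash or backward link fails to verify, else None."""
    for i, block in enumerate(chain):
        if block.hash != block.compute_hash():
            return i                      # contents no longer match the recorded hash
        if i > 0 and block.previous_hash != chain[i - 1].hash:
            return i                      # link to the predecessor is broken
    return None


# Constructed sample transactions between pseudonymous keys (no real users).
SAMPLE_BATCHES = [
    [{"from": "genesis", "to": "key_A", "amount": 50}],
    [{"from": "key_A", "to": "key_B", "amount": 20}],
    [{"from": "key_B", "to": "key_C", "amount": 5}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("intact chain, tampered block:", find_tampered_block(chain))
    chain[1].transactions[0]["amount"] = 200          # alter a recorded transaction
    print("after edit, tampered block:", find_tampered_block(chain))
    chain[1].hash = chain[1].compute_hash()           # re-hash the edited block...
    print("after re-hash, tampered block:", find_tampered_block(chain))  # ...link from block 2 fails
```

Re-hashing an altered block does not help the party altering it: block 2 still records the original hash of block 1, so the inconsistency simply moves one block forward, and on a live network the honest copies of the ledger held by other nodes would not match at all.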

3.2.4 Personalised public keys

As the public key for a user on a blockchain usually consists of a long alphanumeric string, it should be seen as personal data falling under the definition of GDPR Article 4, as it is an identifier.103 Moreover, the introduction of blockchain naming projects, such as Ethereum Naming System (ENS)104, Handshake (HNS)105 and Namecoin (NMC)106, allow for a blockchain user’s public key to be tied to a user selected domain or subdomain name. Aside from the potential internet governance issues which may arise from such naming protocols being awarded outside the scope of a centralised organisation such as ICANN107 (and the underlying network governance model of registries/registrars) there exists an issue from a data protection perspective.

Users of such a naming service may disclose personal information in their chosen address, such

98 Such as a name, online identifier or other identifier as laid out in Article 4(1) GDPR.

99 European Parliamentary Research Service, ‘Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law?’ (July 2019) 28.

100 ibid 27

101 J Bacon, J D Michels, C Millard & J Singh, ‘Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers’ 25 Rich JL & Tech 1 (2018) 12

102 ibid

103 See section 3.3.1

104 See <https://ens.domains>.

105 See <https://handshake.org>.

106 See <https://namecoin.org>.

107 Internet Corporation for Assigned Names and Numbers.


as their name, date of birth, or gender. Whilst this is not an issue of itself, it is something a controller may need to consider if relying on public keys as a way to create anonymity in a blockchain.

3.3 Pseudonymisation vs. Anonymisation

A key concept in how the GDPR applies to blockchain concerns the line between pseudonymised data and anonymised data – with the latter falling outside of the scope of the GDPR.108 The GDPR provides a definition of pseudonymisation in Article 4(5), which states that it is the ‘processing of data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information’.109

3.3.1 Identifiability

Fundamental to the notion of pseudonymisation is the concept of identifiability – that with the addition of other data or knowledge, personal data (that has been pseudonymised) can be made to identify a data subject, through inference, linking multiple datasets or through singling out.110

This notion has been applied to other forms of data by the CJEU. In Breyer v Germany the Court was asked whether IP addresses should amount to personal data.111 Considering the form of an IP address (a string of numbers and decimal points), at face value it may not give away information of a personal nature; however, coupled with other information (e.g. geolocation data) it may be possible to identify a data subject. Advocate General Manuel Campos Sánchez-Bordona highlighted that if there existed a third party who could use the IP addresses, in addition to other data held, to identify a data subject, then the IP addresses would fall under the description of personal data.112 Such an analysis could similarly be applied to public keys on a blockchain.

3.3.2 Anonymity of hashed data

The issue of whether hashed data is considered anonymous can have substantial implications for whether a blockchain is operating under the GDPR. The process of putting personal data through a hashing function is usually one way; it is not reasonably possible with today’s

108 GDPR, Recital 26.

109 GDPR, Article 4(5).

110 Article 29 Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques WP216 (10th April 2014) 11

111 Case C-582/14 Breyer v Germany

112 Case C-582/14 Breyer v Germany, Opinion of Advocate General Manuel Campos Sánchez-Bordona (12th May 2016).


computing standards to reverse the hashing process to find the original personal data.113 Therefore the only way to ascertain the underlying personal data is by using other information alongside the hashed data to draw inferences from the dataset. The anonymity of hashed data then turns on how strictly the GDPR is interpreted. With a strict interpretation, much of the processing on a blockchain would likely be in breach of several rights of data subjects (as demonstrated in section 4).

However, there is an argument that, due to the very low chance of a data subject being traced on a private, permissioned blockchain (where there are many similarities with a private database), a looser interpretation should be utilised specifically for private blockchains, such that the use of private blockchains would be unlikely to be considered as operating contrary to the GDPR.114 However, the EU would then find itself between a rock and a hard place from a regulatory perspective.

If hashed data is considered to be anonymous for a permissioned blockchain, it is hard to argue that such a determination should not also apply to permissionless systems (where there is a greater potential risk of harm from data being traced to a specific individual – see below, section 3.3.3).
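The point made in sections 3.3.1 and 3.3.2, that hashed personal data is pseudonymous rather than anonymous and that what matters is the ‘additional information’ of Article 4(5), can be illustrated in code. The Python below is an added example, not part of the thesis: it hashes a constructed date of birth with plain SHA-256 and with a keyed hash (HMAC) under a secret key, then shows that the plain hash can be recovered simply by hashing every plausible date and comparing, whereas the keyed hash cannot be recovered without the key, which is the additional information a controller holds separately. Because the keyed hash is still deterministic, two records for the same person remain linkable by whoever holds the key, so the result is pseudonymisation, not anonymisation. All values are constructed.

```python
"""Is a hash of personal data anonymous?

Added example for sections 3.3.1 and 3.3.2 (not from the thesis). A plain
SHA-256 of a low-entropy identifier such as a date of birth is recoverable by
enumerating every candidate input; a keyed hash (HMAC) is not recoverable
without the key, but still maps equal inputs to equal outputs, so records stay
linkable for the key holder. The date of birth below is constructed.
"""
import datetime as dt
import hashlib
import hmac
import secrets
from typing import Callable, Optional


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: the mapping is public, so anyone can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256: the secret key is the 'additional information' of Article 4(5)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def all_dates(first_year: int = 1900, last_year: int = 2021):
    """Every ISO date in the range, roughly 44,500 candidates: trivial to hash exhaustively."""
    day = dt.date(first_year, 1, 1)
    end = dt.date(last_year, 12, 31)
    while day <= end:
        yield day.isoformat()
        day += dt.timedelta(days=1)


def recover_date(target_hash: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Hash every candidate date with hash_fn and return the one matching target_hash, if any."""
    for candidate in all_dates():
        if hmac.compare_digest(hash_fn(candidate), target_hash):
            return candidate
    return None


def demo():
    dob = "1987-03-14"                    # constructed date of birth, not a real person
    key = secrets.token_bytes(32)         # secret held separately by the controller

    plain = plain_hash(dob)
    keyed = keyed_hash(dob, key)

    # An outsider who sees only the hashes tries to recover the date from each.
    recovered_from_plain = recover_date(plain, plain_hash)       # succeeds: low-entropy input
    recovered_from_keyed = recover_date(keyed, plain_hash)       # fails: outsider lacks the key

    # The key holder can still match a second record for the same person.
    linkable = keyed_hash(dob, key) == keyed
    return recovered_from_plain, recovered_from_keyed, linkable


if __name__ == "__main__":
    print(demo())
```

The enumeration covers only about 44,500 dates, so a plain hash of a birth date offers no anonymity at all; the same reasoning applies to any identifier drawn from a small or guessable space. With the keyed variant the personal data can only be re-attributed by whoever holds the key, which is exactly the situation Article 4(5) describes as pseudonymisation, and the linkability of records under a single key is what keeps such data within the GDPR.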

3.3.3 Transaction analysis

There are multiple examples of permissionless blockchain users having their identities revealed through transaction analysis. This is an issue of particular pertinence where the entire transactional dataset is available for a blockchain, e.g. Bitcoin. A real-life example of this arose when the US Federal Bureau of Investigation (FBI) used Bitcoin transaction data115 to establish the identities of individuals in a ‘ransomware’ group known as ‘DarkSide’.116 It is worth noting that it appears the FBI used other law enforcement tactics to establish the identities;117 however, it is not unreasonable to posit that other (non-law enforcement) parties with nefarious aims may also be able to replicate such activity (for example through the use of malware).

3.4 Technological neutrality

The technological neutrality of the GDPR is set out in Recital 15 of the GDPR, which states that ‘the protection of natural persons should be technologically neutral’ and not dependent on the

113 A Mirchandani, ‘The GDPR-Blockchain Paradox: Exempting Permissioned Blockchains from the GDPR’ 29 Fordham Intell. Prop. Media & Ent. Law Journal (2019) 1201, 1225

114 ibid 1226

115 The Bitcoin public ledger.

116 US Department of Justice Office of Public Affairs, ‘Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside’ (Press Release, 7th June 2021) Available at: <https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside> Accessed on: 20th October 2021.

117 ibid


techniques used.118 The rationale provided is to ‘prevent creating a serious risk of circumvention’.119 Indeed, during the negotiations of the initial drafting of the GDPR, the European Data Protection Supervisor stressed the importance of facilitating ‘innovation with a legal framework that is neutral towards the technology’ so as to future-proof the protection of fundamental rights.120 This was in light of predictions that the next round of data protection laws would not be instituted until the 2030s (based on the legislative ‘journey’ the GDPR took).121 However, this technological future-proofing has not materialised. In an interview with the Financial Times, Axel Voss122 described the GDPR as “not made for blockchain” and as already out of date.123

Former Advocate General Jääskinen, in his opinion on the Google Spain case, highlighted several times how the Data Protection Directive was drafted prior to the beginning of the internet age, and therefore was not adequately equipped to deal with the data protection challenges arising from the changing technological landscape.124 He argued that the DPD was given a ‘wide scope of application ratione materiae’ and therefore it suffered when there was a wholesale change in the way information was disseminated.125 One could argue that the technological neutrality of the GDPR has resulted in a similar situation for blockchain technologies. With such a general approach to protecting data rights, the GDPR may be unable to adapt adequately to the nuances of emerging technologies such as blockchain. Though blockchain has been a known technology for more than a decade, it appears that little attention was given to it when drafting the GDPR.

There is some argument that the language of the GDPR is not able to handle the technological nuances of the most recent iterations of private blockchains, which were not established when the GDPR was drafted.126 This manifests as a concern that the tangible benefits of blockchain will be stifled due to businesses worrying about the ramifications of large GDPR related fines,

118 GDPR, Recital 15.

119 ibid

120 European Data Protection Supervisor, ‘EDPS recommendations on the EU’s options for data protection reform’ (2015/C 301/01) 5

121 ibid 4

122 MEP for Germany, dubbed ‘one of the fathers of the GDPR’. See J Espinoza, ‘EU must overhaul flagship data protection laws, says a ‘father’ of policy’ Financial Times (03 March 2021).

123 J Espinoza, ‘EU must overhaul flagship data protection laws, says a ‘father’ of policy’ Financial Times (03 March 2021).

124 Niilo Jääskinen, Opinion of Advocate General Jääskinen delivered on 25 June 2013 in Case C‑131/12 Google Spain.

125 ibid 26

126 A Mirchandani, ‘The GDPR-Blockchain Paradox: Exempting Permissioned Blockchains from the GDPR’ 29 Fordham Intell. Prop. Media & Ent. Law Journal (2019) 1201, 1227


particularly if a strict interpretation of the GDPR is used in determining that a private blockchain is making available personal data (see section 3.3.2).127

3.5 Controllership

The notion of controllership is a core tenet of the EU’s data protection regime. The controller’s relationship with the processor is fundamental in determining how the GDPR is applied.128 This is particularly pertinent when looking at controllership in the context of distributed ledger technology, where the judicially elaborated definitions of traditional data processing relationships cannot necessarily be readily applied to the (relatively) new technology. This is because the notion of controllership has traditionally rested on the concept of centralised data management,129 whereas blockchain provides the opportunity for the decentralisation of data management.

The GDPR defines the role of controller as the entity (or natural person) who ‘determines the purposes and means of processing’.130 It can be said that the controller is responsible for the ‘why’ and ‘how’ of processing.131 In its guidance, the European Data Protection Board breaks the definition of controller down into “five main building blocks”: the entity; which determines; alone or jointly; the means and purposes; of processing. In the case of blockchain, it is not a simple task establishing which participants can be aligned with those “building blocks”.

In the case of Jehovan todistajat, the CJEU considered whether the Jehovah’s Witnesses (as a religious group) should be considered a controller of personal data due to their religious door-to-door evangelism, which often resulted in the collection of sensitive personal data when taking notes of discussions with home occupants. The Court held that where someone (or several people132) holds such an influence over the processing of personal data, they must be considered to be involved in determining the purposes and means of processing.133 Viewing this in a blockchain context, as the level of influence is spread wider than in a traditional entity (from a data management perspective), there is immense difficulty in simply selecting who is mostly responsible for the correct handling of personal data on the chain (disregarding the efficacy of the controllership or the ability for them to effect any meaningful protection over data subjects’

127 A Mirchandani, ‘The GDPR-Blockchain Paradox: Exempting Permissioned Blockchains from the GDPR’ 29 Fordham Intell. Prop. Media & Ent. Law Journal (2019) 1201, 1227

128 European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 7

129 Commission nationale de l'informatique et des libertés, ‘Blockchain: Solutions for a responsible use of the blockchain in the context of personal data’ (September 2018) 1

130 GDPR, Article 4(7).

131 European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, 3

132 See section 3.6 for a discussion on joint controllership.

133 Case C-25/17 Jehovan todistajat [68]
