Blockchain GDPR: Data Controllers and Data Processors


Jetse Sprey
November 18, 2019

Blockchain is here as a future economic foundation. According to Gartner, the business value-add of blockchain will grow to slightly more than $176 billion by 2025, and then it will exceed $3.1 trillion by 2030. It is vital that, as with all new economic foundations, it grows in tandem with standards… Europechain has developed a systematic solution to enable blockchain services to be compliant with the GDPR standard.

Blockchain obviously was not the focus of the people who drafted the GDPR. It simply wasn’t there yet. The GDPR is written with some sort of central control in mind. That is not how blockchain is supposed to work. The consequences of that and the way Europechain deals with that are detailed in this blog post.

One can give many rights to a human, but without knowing against whom he or she may invoke them, rights don’t mean anything. Therefore the GDPR introduces the “data controller”. That is the person to whom people may turn. A GDPR “data controller” basically controls the data. It determines the “what” and “how” of the use of the data. E.g. if a company stores and uses data to communicate with its clients, that company “controls” such use and is the controller. If a controller hires other parties to help with the processing, those hired hands are called “data processors”. “Use”, “store” and many other actions regarding data are called “processing” in the GDPR.

How does this work with blockchain? If a company uses blockchain to run software (dApps), that company is the controller for the data which the dApp processes. Is the blockchain the hired hand? The “data processor”? There is no contract between the dApp and the “blockchain”. The blockchain is not an entity but software that runs in a decentralized way. Nodes are often not known. The company just launches the dApp. So it is unclear. Yet the blockchain is not a controller: it just performs instructions from the dApp.

And what about the data the blockchain processes without a dApp? Processing such as transferring tokens and storing transactions? The blockchain should be the data controller. But the blockchain is not an entity. In that event, are all the nodes controllers? But they don’t “control”. They just mine. How could they be controllers? Blockchain is made to not have control.

A safe conclusion, therefore, is that it is impossible for a public permissionless blockchain to establish or even determine the controller and processor. For this reason alone, such a blockchain can never be GDPR compliant.

A GDPR compliant public blockchain is possible, but it needs some form of centralization and control. There must be an entity that people can turn to with their questions and demands. This entity also needs to ensure that sensitive personal data is not stored on chain. It needs to have enough powers to ensure GDPR compatibility, but not so many that it could tamper with the blockchain’s immutability and threaten the very core of blockchain technology.

There are many blockchains that have central entities involved. Often this is a foundation that decides on e.g. code upgrades, establishes some sort of conflict resolution or decides on funding. It is possible to give that entity enough controlling powers to make it the controller – if the software and its concrete setup allow for that.

Europechain, built on EOS.IO DPOS software, is an example of a setup that is compatible in this respect. As everywhere else, with Europechain the dApps are data controllers. They must conclude a processing agreement with the limited liability company Europechain B.V., which will be the data processor. Before dApps are allowed on chain, they will have to prove that they will not store sensitive data on chain.

Europechain B.V. concludes sub-processor agreements with all the nodes (the block producers). Without concluding a (sub)processor agreement, a party cannot run a dApp or become a node. If there is no dApp (e.g. in the event of token transfers on the base layer), Europechain B.V. is the controller. In that event the nodes are not sub-processors but processors. The agreements are drafted such that they allow for that. The agreements contain dispute resolution provisions, so that the powers of Europechain B.V. are kept in check and the nodes can easily be forced to comply with Europechain B.V.’s instructions.

This setup allows for adequate control to ensure that people are informed and are able to submit their requests to a competent entity. Further, it allows for the contractual infrastructure required under the GDPR. Given that the powers Europechain B.V. has are tailored to its position as a data controller (which is basically to apply the law that is already there) and given that they are kept in check by the dispute resolution system, there is no way Europechain B.V.’s position may endanger the blockchain core values.

Europechain’s setup proves it is possible to find the right balance. A balance that is necessary for blockchain to become a mainstream infrastructure.

Jetse Sprey

CLO Europechain

Amsterdam, 15 November 2019

