When drafting the GDPR, the European legislator defined the characteristics of data controllers and data processors with classic centralized data management systems in mind. This is why it is so difficult (but still necessary) to work out which category each party operating on a public blockchain, in its various roles, falls into. We will try to clarify some points on this, bearing in mind that practical experience is still limited and that what follows, while generally valid, may vary with the specific structure of each public blockchain.
The data controller determines the purposes for which and the means by which personal data is processed.
The data processor processes personal data only on behalf of the controller.
Let’s look at the various stakeholders operating in a public blockchain to determine whether (and under which circumstances) they fall into one of the two categories above.
Software developer: The software developer only provides a data management tool and does not determine the purposes and means of processing, so the developer cannot be considered a data controller. However, some responsibility for processing personal data on behalf of the controller cannot be ruled out where the developer plays a permanent and crucial role, with a direct, autonomous and decisive impact on the processing of specific information. This could be the case, for example, for smart contract developers.
Participants: According to the CNIL (Commission nationale de l’informatique et des libertés), participants who submit data for validation by miners define, in some way, both the purpose of the processing (for example, a transaction) and the means used (for example, the blockchain technology), and therefore fit squarely within the definition of data controller. However, a natural person who “writes” to the blockchain purely in the course of personal or household activities is not considered a data controller, as established by Article 2 of the GDPR. A participant therefore qualifies as a data controller when his or her activity on the blockchain is carried out for commercial or professional purposes.
If several participants decide to process data jointly on the blockchain without forming an association or economic interest grouping, they will be considered “joint controllers” under Article 26 of the GDPR, with the obligation to define, in a transparent manner, the respective responsibilities of each party involved.
Miners: Miners could be considered data processors, since they follow the controllers’ instructions when validating transactions. This raises some problems: under Article 28 of the GDPR, data processors must enter into a contract with the participants (who, as we have seen, are in some cases data controllers) that defines their respective obligations and responsibilities. On a public blockchain this currently appears difficult to achieve, since a participant generally has no way of knowing in advance, let alone contracting with, the miner who will validate a given transaction.
It is therefore likely that, in the coming years, significant changes will be needed to make compliance with these obligations easy and effective.