Article published in the journal "Computer Law & Security Review"

Thomas Buocz and Professor Iris Eisenberger, BOKU Institute of Law, have co-authored an article on "Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks" together with Professor Tina Ehrke-Rabel and Dr. Elisabeth Hödl. It uses the example of the cryptocurrency Bitcoin and the General Data Protection Regulation (GDPR) to show how distributed networks challenge the mechanism of legal responsibility. The article will be published in the journal "Computer Law and Security Review: The International Journal of Technology Law and Practice" and is available online.

Abstract:

This article uses the example of the cryptocurrency Bitcoin and the General Data Protection Regulation (GDPR) to show how distributed networks challenge existing legal mechanisms of allocating responsibility. The Bitcoin network stores personal data by automated means. Furthermore, full nodes qualify as establishments and the network offers a service to citizens in the EU. The data processing within the Bitcoin network therefore falls into the material and territorial scope of the GDPR. To protect data subjects, the GDPR allocates responsibility to the controller, who determines the ‘how’ and the ‘why’ of the data processing. However, the distributed structure of the Bitcoin network blurs the lines between actors who are responsible and actors who are worth protecting. Neither the Bitcoin users running lightweight nodes or full nodes nor the miners determine the ‘how’ and the ‘why’ of the data processing. They carry out their network activities according to the Bitcoin protocol, which can only be adopted and enforced by a collective of full nodes and miners. Members of this collective are joint controllers under Article 26 GDPR, which obliges them to clearly and transparently determine their respective responsibilities for compliance with the GDPR. However, this mechanism fails because of the very structure it aims to eliminate. Therefore, a solution to allocating responsibility for data protection in distributed networks lies outside the GDPR.

Keywords:

Bitcoin, Blockchain, Distributed networks, General Data Protection Regulation, Legal responsibility, Data protection, Personal data

Full text:

Buocz/Ehrke-Rabel/Hödl/Eisenberger, Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks, CLSR 2019, forthcoming.

DOI: https://doi.org/10.1016/j.clsr.2018.12.003


 

Already published within the research project "Kryptostaat":

Ehrke-Rabel/Eisenberger/Hödl/Zechner, Bitcoin-Miner als Prosumer: Eine Frage staatlicher Regulierung? Dargestellt am Beispiel des Glücksspielrechts, ALJ 3/2017, 188-223.

Ehrke-Rabel/Eisenberger/Hödl/Pachinger/Schneider,
Kryptowährungen, Blockchain und Smart Contracts: Risiken und Chancen für den Staat (Teil I), jusIT 2017, 87-92.

Ehrke-Rabel/Eisenberger/Hödl/Pachinger/Schneider,
Kryptowährungen, Blockchain und Smart Contracts: Risiken und Chancen für den Staat (Teil II), jusIT 2017, 129-133.

Eisenberger, Digitalisierung und Selbstbestimmung, ALJ 2/2017, 140-149.

Ehrke-Rabel, Der digitalisierte Steuerzahler, ALJ 2/2017, 150-159.

Zechner, Kryptowährungen: Sind Wechselstuben, Handelsplätze und Walletanbieter umsatzsteuerpflichtig?, taxlex 2017, 388-399.