Thomas Buocz and Professor Iris Eisenberger, BOKU Institute of Law, have co-authored an article on "Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks" together with Professor Tina Ehrke-Rabel and Dr. Elisabeth Hödl. The article will be published in the journal "Computer Law and Security Review: The International Journal of Technology Law and Practice" and is now available online. It uses the example of the cryptocurrency Bitcoin and the General Data Protection Regulation (GDPR) to show how distributed networks challenge the mechanism of legal responsibility. The article was written as a part of the research project 'KryptoStaat', funded by the Government of the Province of Styria.

 

The full text of the article "Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks" is available on the Computer Law & Security Review page.

The Computer Law and Security Review (CLSR) is an international journal of technology law and practice providing a major platform for publication of high quality research, policy and legal analysis within the field of IT law and computer security.


Full text: Thomas Buocz, Tina Ehrke-Rabel, Elisabeth Hödl and Iris Eisenberger, 'Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks' (2019) CLSR, forthcoming.

DOI: https://doi.org/10.1016/j.clsr.2018.12.003


Abstract:

This article uses the example of the cryptocurrency Bitcoin and the General Data Protection Regulation (GDPR) to show how distributed networks challenge existing legal mechanisms of allocating responsibility. The Bitcoin network stores personal data by automated means. Furthermore, full nodes qualify as establishments and the network offers a service to citizens in the EU. The data processing within the Bitcoin network therefore falls into the material and territorial scope of the GDPR. To protect data subjects, the GDPR allocates responsibility to the controller, who determines the ‘how’ and the ‘why’ of the data processing. However, the distributed structure of the Bitcoin network blurs the lines between actors who are responsible and actors who are worth protecting. Neither the Bitcoin users running lightweight nodes or full nodes nor the miners determine the ‘how’ and the ‘why’ of the data processing. They carry out their network activities according to the Bitcoin protocol, which can only be adopted and enforced by a collective of full nodes and miners. Members of this collective are joint controllers under Article 26 GDPR, which obliges them to clearly and transparently determine their respective responsibilities for compliance with the GDPR. However, this mechanism fails because of the very structure it aims to eliminate. Therefore, a solution to allocating responsibility for data protection in distributed networks lies outside the GDPR.

Keywords: Bitcoin, Blockchain, Distributed networks, General Data Protection Regulation, Legal responsibility, Data protection, Personal data


Authors:

Thomas Buocz, Institute of Law, BOKU

Professor Dr. Iris Eisenberger, M.Sc. (LSE), Institute of Law, BOKU

Professor Dr. Tina Ehrke-Rabel, Department of Tax and Fiscal Law, University of Graz

Dr. Elisabeth Hödl, Ubifacts


Kryptostaat:

This publication was written as a part of the research project 'KryptoStaat', which was funded by the Government of the Province of Styria.

More information on the research project 'Kryptostaat' is available here.


31.01.2019