The full text of the article "Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks" is available on the Computer Law & Security Review page.
The Computer Law and Security Review (CLSR) is an international journal of technology law and practice providing a major platform for publication of high quality research, policy and legal analysis within the field of IT law and computer security.
This article uses the example of the cryptocurrency Bitcoin and the General Data Protection Regulation (GDPR) to show how distributed networks challenge existing legal mechanisms of allocating responsibility. The Bitcoin network stores personal data by automated means. Furthermore, full nodes qualify as establishments and the network offers a service to citizens in the EU. The data processing within the Bitcoin network therefore falls into the material and territorial scope of the GDPR. To protect data subjects, the GDPR allocates responsibility to the controller, who determines the ‘how’ and the ‘why’ of the data processing. However, the distributed structure of the Bitcoin network blurs the lines between actors who are responsible and actors who are worth protecting. Neither the Bitcoin users running lightweight nodes or full nodes nor the miners determine the ‘how’ and the ‘why’ of the data processing. They carry out their network activities according to the Bitcoin protocol, which can only be adopted and enforced by a collective of full nodes and miners. Members of this collective are joint controllers under Article 26 GDPR, which obliges them to clearly and transparently determine their respective responsibilities for compliance with the GDPR. However, this mechanism fails because of the very structure it aims to eliminate. Therefore, a solution to allocating responsibility for data protection in distributed networks lies outside the GDPR.
Keywords: Bitcoin, Blockchain, Distributed networks, General Data Protection Regulation, Legal responsibility, Data protection, Personal data
This publication was written as a part of the research project 'KryptoStaat', which was funded by the Government of the Province of Styria.
More information on the research project 'Kryptostaat' is available here.