Blockchain and GDPR: When Do Miners Qualify as Processors?


Published 6 July 2023. Author: Brent Crijns. Digital, Cyber & Privacy

Many organizations, knowingly or unknowingly, use public blockchains to process personal data. This may, however, cause GDPR compliance issues (and possibly fines of up to EUR 20 million) if the miners on these blockchains qualify as processors under the GDPR.

In an upcoming post, we will discuss the extent of these issues further. First, though, it is important to determine when miners qualify as processors. Once an organization has determined that a miner is likely to qualify as a processor, it is often necessary to change the approach to processing, such as by switching to a private blockchain or by stopping personal data processing altogether.

In order for miners to qualify as processors, they need to process personal data under the GDPR (i.e. any information relating to an identified or identifiable natural person) on behalf of the controller.* Generally, personal data is processed on-chain only in pseudonymized form. Pseudonymized data may still qualify as personal data, however. This may be the case even if the third-party recipient (in this case, the miner) does not have the information required to identify data subjects. This approach follows from the Breyer v. Germany CJEU ruling, in which the CJEU stated that pseudonymized data constitutes personal data if means exist, such as legal channels, that are reasonably likely to be used to re-identify data subjects. It also matters whether such re-identification is forbidden by law or practically impossible.

Many supervisory authorities in the field of data protection have, for a long time, assumed that this means that pseudonymized data automatically constitutes personal data. They have held that this is the case even in the hands of a third party that does not have the required information to revert the pseudonymization, as long as the controller (or a third party) still has this information.

Due to the recent SRB v. EDPS case, however, this view may be more nuanced. In this case, the EDPS took the view that the SRB had shared personal data with Deloitte, even though Deloitte did not have the information necessary to re-identify data subjects. The General Court of the CJEU annulled this EDPS decision, following a stricter interpretation of Breyer v. Germany: it should be assessed, from the perspective of the recipient, whether the recipient has legal means available to it which could in practice enable it to access the additional information necessary to re-identify data subjects.

Practically, for blockchain, this means that a case-by-case analysis of the legal rights of miners is necessary to definitively determine the qualification of miners as either processors or simply as recipients of effectively anonymous data. This may not be directly impactful for organizations using public blockchains, as such an analysis is impossible in large public permissionless blockchains and many jurisdictions have such legal means available (through, for instance, criminal law). It may, however, be taken into account by the European Data Protection Board in their upcoming Guidelines on Blockchain. As such, we may finally see a more practical approach to the relationship between the controller and the miner on a blockchain. If you are interested in learning more about the data protection considerations surrounding blockchain and distributed ledger technology, please feel free to contact the HVG Law Blockchain team.

* In this blog, we only review whether miners process personal data. Although other requirements need to apply to miners for them to meet this qualification, they are (in general) easily met by miners according to existing guidance from regulators.