Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks

35(2) Computer Law & Security Review 2019, 182-198

36 Pages Posted: 2 Jan 2019 Last revised: 2 Apr 2019

See all articles by Thomas Buocz

Thomas Buocz

University of Natural Resources and Life Sciences, Institute of Law

Tina Ehrke-Rabel

University of Graz - Department of Tax and Fiscal Law

Elisabeth Hödl

Independent

Iris Eisenberger

University of Natural Resources and Life Sciences, Vienna – Institute of Law

Date Written: December 7, 2018

Abstract

This article uses the example of the cryptocurrency Bitcoin and the General Data Protection Regulation (GDPR) to show how distributed networks challenge existing legal mechanisms of allocating responsibility. The Bitcoin network stores personal data by automated means. Furthermore, full nodes qualify as establishments and the network offers a service to citizens in the EU. The data processing within the Bitcoin network therefore falls into the material and territorial scope of the GDPR. To protect data subjects, the GDPR allocates responsibility to the controller, who determines the ‘how’ and the ‘why’ of the data processing. However, the distributed structure of the Bitcoin network blurs the lines between actors who are responsible and actors who are worth protecting. Neither the Bitcoin users running lightweight nodes or full nodes nor the miners determine the ‘how’ and the ‘why’ of the data processing. They carry out their network activities according to the Bitcoin protocol, which can only be adopted and enforced by a collective of full nodes and miners. Members of this collective are joint controllers under Article 26 GDPR, which obliges them to clearly and transparently determine their respective responsibilities for compliance with the GDPR. However, this mechanism fails because of the very structure it aims to eliminate. Therefore, a solution to allocating responsibility for data protection in distributed networks lies outside the GDPR.

Keywords: Bitcoin, Blockchain, Distributed Networks, General Data Protection Regulation, Legal Responsibility, Data Protection, Personal Data

JEL Classification: K23

Suggested Citation

Buocz, Thomas and Ehrke-Rabel, Tina and Hödl, Elisabeth and Eisenberger, Iris, Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks (December 7, 2018). 35(2) Computer Law & Security Review 2019, 182-198. Available at SSRN: https://ssrn.com/abstract=3297531

Thomas Buocz

University of Natural Resources and Life Sciences, Institute of Law ( email )

Vienna
Austria

Tina Ehrke-Rabel

University of Graz - Department of Tax and Fiscal Law

Universitaetsstrasse 15/B2
Graz, 8010
Austria

Elisabeth Hödl

Independent

Petersgasse 25a
Graz, 8010
Austria

Iris Eisenberger (Contact Author)

University of Natural Resources and Life Sciences, Vienna – Institute of Law

Vienna
Austria

Register to save articles to
your library

Register

Paper statistics

Downloads
181
Abstract Views
668
rank
167,836
PlumX Metrics