Data Protection Issues for Smart Contracts

Smart Contracts: Technological, Business and Legal Perspectives (Marcelo Corrales, Mark Fenwick & Stefan Wrbka, eds., Hart Publishing/Bloomsbury, 2021), https://www.bloomsburycollections.com/book/smart-contracts-technological-business-and-legal-perspectives/

22 Pages Posted: 14 Dec 2021 Last revised: 8 Feb 2022

See all articles by W. Gregory Voss

W. Gregory Voss

TBS Business School; Toulouse Business School; University of Toulouse - Toulouse Business School

Date Written: June 3, 2021

Abstract

Smart contracts offer promise for facilitating and streamlining transactions in many areas of business and government. However, they also may be subject to the provisions of relevant data protection laws such as the European Union’s General Data Protection Regulation (GDPR) if personal data is processed. Initially, this chapter discusses the data protection/data privacy distinction in the context of differing legal models. However, the focus of analysis is the GDPR, as the most significant and influential data protection legislation at this time, given in part to its omnibus nature and extraterritorial scope, and its application to smart contracts.

By their very nature, smart contracts raise difficulties for the classification of the various actors involved, which will have an impact on their responsibilities under the law and their potential liability for violations. The analysis in this chapter turns on the roles of the data controller in the context of smart contracts, and this contract review the definition of that term and of ‘joint controller’ considering supervisory authority guidance. In doing so, the signification of the classification is highlighted, especially in the case of the GDPR.

Furthermore, certain rights granted to data subjects under the GDPR may be difficult to provide in the context of smart contracts, such as the right to be forgotten/right to erasure, the right to rectification and the right not to be subject to a decision based solely on automated processing. This chapter addresses such issues, together with relevant supervisory authority advice, such as the use of encryption to make data nearly inaccessible to approach as nearly as possible the same result as erasure. On the way, the important distinction between anonymized data and personal data is explained, together with its practical implications, and requirements for data integrity and confidentiality (security) are detailed.

In addition, the GDPR requirement of privacy by design and by default must be respected, when that that legislation applies. Data protection principles such as purpose limitation and data minimisation in the case of smart contracts are also scrutinized in this chapter. Data protection and privacy must be considered when smart contracts are designed. This chapter will help the reader understand the contours of such requirement. Even for jurisdictions outside of the European Union, privacy by design will be interesting as best practice.

Finally, problems related to cross-border data transfers in the case of public blockchains are debated, prior to this chapter setting out key elements to allow for a GDPR-compliant blockchain and other concluding remarks.

Keywords: GDPR, general data protection regulation, EU law, European Union, smart contracts, blockchain, blockchain technologies, data privacy, data protection, GDPR compliance, data controller, data processor, cross-border data flows, data protection principles, cybersecurity, data security

JEL Classification: K2, K3, K12, K23

Suggested Citation

Voss, W. Gregory, Data Protection Issues for Smart Contracts (June 3, 2021). Smart Contracts: Technological, Business and Legal Perspectives (Marcelo Corrales, Mark Fenwick & Stefan Wrbka, eds., Hart Publishing/Bloomsbury, 2021), https://www.bloomsburycollections.com/book/smart-contracts-technological-business-and-legal-perspectives/, Available at SSRN: https://ssrn.com/abstract=3977477

W. Gregory Voss (Contact Author)

TBS Business School ( email )

1 Place Alphonse Jourdain
CS 66810
Toulouse Cedex 7, Occitanie 31068
France

Toulouse Business School ( email )

20, bd Lascrosses
Toulouse, 31068
France

University of Toulouse - Toulouse Business School ( email )

20, bd Lascrosses
BP 7010
Toulouse, 31068
France

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
311
Abstract Views
904
rank
143,912
PlumX Metrics