by Reguzzoni Marco and Tauber Mathias
Bitcoin, as the most popular cryptocurrency worldwide, allows two parties to transact directly with each other without the need for a trusted third party, e.g. a bank.
In practice every user owns at least one Bitcoin wallet with a public key and a private key. To compare it to the standard banking system, the wallet is the bank account, the public key is the IBAN code and the private key is the password to the bank account.
If user A wants to transfer Bitcoins to user B, user A needs to know his own private key and the public key of user B. At this point, normally a so called middlemen would come into play and verify the transfer. In the Bitcoin network the users assume this role. Given that the entire transfer history of every user is stored in a publicly accessible and practically immutable form, everybody with Internet access is able to see and control the accuracy of the transfer. [1]
The missing of a central authority and the fact that only the public keys of the users are displayed online, make people believe that the transfers are completely anonymous. Initially also Satoshi Nakamoto, the inventor of Bitcoin, claimed that the user’s privacy is given by keeping public keys anonymous.[2] Afterwards the Bitcoin community has changed belief and does not describe Bitcoin as anonymous anymore.[3] Studies have shown, that the public key does not directly identify a Bitcoin user, but with the use of additional information (e.g. IP address) the natural person behind the key can be identified.[4]
So public keys are just pseudonymized instead of being anonymized. Therefore, Bitcoin transfers constitute personal data in light of Recital 26 GDPR.[5] As a final outcome we can deem that the processing of personal data in the Bitcoin network falls within the material and territorial scope of the GDPR.[6]
Thus the fundamental question arises: who is the responsible controller of the data?
Art. 4(7) GDPR defines controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. The typical feature of a permissionless blockchain network, like the Bitcoin one, is that all users together determine the purposes and means of the processing. So either every user is a joint controller in the sense of art. 26 GDPR or the whole network qualifies as controller under art. 4(7) GDPR. At the moment there is no definitive answer to these question.
An appropriate starting point can be the analysis of two particular players involved in the Blockchain network. Namely, wallet providers and exchangers.
A wallet provider is an entity that provides a virtual currency wallet for holding, storing and transferring Bitcoins. A wallet holds the user’s private keys.[7]
An exchanger is a person or entity engaged as a business in the exchange of virtual currency for real currency, funds, or other forms of virtual currency and also precious metals, and vice versa, for a fee (commission).[8]
Bitcoin users need to disclose their personal data, like public and private keys, in order to use the services of these actors.
In addition, wallet providers and exchangers are obliged under the new EU Anti-Money Laundering Directive (AMLD5) to verify the real identity of their customers.
They control therefore huge amounts of personal data and are definitely in the position to determine the purposes and means of the processing of this data. In the sense of art. 4(7) GDPR they qualify as controllers and need to comply with the GDPR.
Users or rather data subjects still have a hard life enforcing their rights to access, to information, to rectification and to erasure the data. That’s not only because most wallet providers and exchangers are established outside of the EU, but also because the Bitcoin network as a whole is distributed worldwide. So data subjects simply have no entity where they could enforce their rights.
NOTES
[1] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3297531 page 29
[2] Satoshi Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System”, https://bitcoin.org/bitcoin.pdf, page 6
[3] Bitcoin.org, “Frequently Asked Questions”, https://bitcoin.org/en/faq#is-bitcoin-fully-virtual-and-immaterial
[4] Thomas Buocz and others, “Bitcoin and the GDPR: Allocating Responsibility in Distributed Networks”, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3297531 page 8
[5] Recital 26 GDPR: “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person”
[6] That’s because the storing of data in the blockchain qualifies as processing by automated means under art. 2(1) GDPR and the activities carried out within the Bitcoin network constitute a service offered to data subjects who are in the EU within the meaning of Art. 3(2) GDPR.
[7] FATF, “Virtual Currencies – Key Definitions and Potential AML/CFT Risks”, June 2014, http://www.fatfgafi.org/media/fatf/documents/reports/Virtual-currency-key-definitions-and-potential-aml-cft-risks.pdf, 8.
[8] FATF, “Virtual Currencies – Key Definitions and Potential AML/CFT Risks”, June 2014, http://www.fatfgafi.org/media/fatf/documents/reports/Virtual-currency-key-definitions-and-potential-aml-cft-risks.pdf, 7.