Applying European data protection law to blockchain

AuthorMichèle Finck
STOA | Panel for the Future of Science and Technology
2. Applying European data protection law to blockchain
This section maps EU data protection law applies to blockchains. Whereas it is important to bear in
mind that the compatibility of a specific use case with specific elements of the GDPR always needs
to be determined on the basis of a case-by-case analysis, there is room of general observations
regarding the interplay between blockchains and the GDPR. First, it is necessary to define the legal
framework's territorial scope of application to determine under which circumstances the use of DLT
will be subject to EU law.
2.1. Territorial scope
The analysis must commence with an overview of the circumstances under which the GDPR applies
to blockchains. This exercise will underline that although the GDPR is an instrument of EU law, its
effects do not stop at the European Union's borders.
Article 3 GDPR provides that the GDPR applies to the processing of personal data whenever certain
requirements are met. First, where personal data processing occurs 'in the context of the activities
of an establishment of a controller or a processor in the Union, regardless of whether the
processing takes place in the Union or not'.44 This implies that where a natural or legal person that
qualifies as the data controller or data processor under the GDPR is established in the EU and
processes personal data (through blockchains or other means), the European data protection
framework applies to such processing.45
The European Court of Justice (hereafter also referred to as 'the ECJ' or 'the Court') has confirmed
that establishment is a question of fact that ought to be determined on the basis of factors such as
'the degree of stability of the arrangements and the effective exercise of activities' which must be
'interpreted in the light of the specific nature of the economic activities and the provision of services
concerned'.46 Indeed, the concept of establishment 'extends to any real and effective activity even
a minimal one exercised through stable arrangements'.47 To assess whether a controller or
processor is established in the EU it ought to be determined whether the establishment is an
'effective and real exercise of activity through stable arrangements'.48 This underlines that a
functional approach ought to trump formal analysis. The GDPR applies even where the actual
processing of personal data is not carried 'by' the establishment concerned itself, but only 'in the
context of the activities' of the establishment'.49 In Google Spain, the Court indeed embraced a broad
take on this concept in deciding that even though Google's office in Spain only engaged in the sale
of advertising, this activity was 'inextricably linked' to the activities of the search engine as the latter
would not be profitable without the former. 50
Even where the establishment criterion does not trigger the GDPR's application other factors may
still do so. Indeed, the Regulation also applies where the personal data relates to data subjects that
are based in the EU even where the data controller and data processor are not established in the
Union where one of two conditions are met.51 First, where personal data processing occurs in the
44 Article 3(1) GDPR.
45 See further below for the definitions of data controller and data processor under the GDPR and the question of which
actors in a blockchain network are likely to qualify as such.
46 Case C-230/14 Weltimmo [2015] EU:C :2015:639, para 28.
47 Ibid, para 31.
48 Recital 22 GDPR.
49 Case C-131/12 Google Spain [2014] EU:C: 2014:317, para 52.
50 Ibid.
51 Article 3(2) GDPR.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT