THE BLOCKCHAIN DATA GATEKEEPERS LIMITED LIABILITY FOR VIOLATIONS OF THE GDPR

Abstract

Data gatekeepers (data controllers and processors) that use blockchain for data transfer effectively enjoy limited liability for violations of the GDPR. This is due to the fact that applying the GDPR’s data gatekeeper system of liability to a decentralized technology such as blockchain is difficult for three reasons. Firstly, identifying data gatekeepers on the blockchain can only be done by either assigning data gatekeeper roles to actors on the blockchain, or structuring the blockchain as private or permissioned one, so as to fit with GDPR requirements. Neither of these approaches provides a universally applicable and satisfactory method for privacy protection. Secondly, because of their knowledge and investment in infrastructure, large data gatekeepers such as IBM, Amazon and Microsoft have an informational advantage over data protection authorities (DPAs) and an additional protective layer against liability, as their blockchain infrastructure is used by other businesses and corporations that are primarily liable for data processing. Finally, administrative fines and reputational damages for non-compliance with the GDPR are insufficient deterrents for large data gatekeepers, whereas damages awarded to individual data subjects for data gatekeepers’ violations of GDPR are extremely low and too costly to obtain.