Voss on Data Protection Issues for Smart Contracts

W. Gregory Voss (TBS Business School) has posted “Data Protection Issues for Smart Contracts” (in Smart Contracts: Technological, Business and Legal Perspectives (Marcelo Corrales, Mark Fenwick & Stefan Wrbka, eds., 2021)) on SSRN. Here is the abstract:

Smart contracts offer promise for facilitating and streamlining transactions in many areas of business and government. However, they also may be subject to the provisions of relevant data protection laws such as the European Union’s General Data Protection Regulation (GDPR) if personal data is processed. Initially, this chapter discusses the data protection/data privacy distinction in the context of differing legal models. However, the focus of analysis is the GDPR, as the most significant and influential data protection legislation at this time, owing in part to its omnibus nature and extraterritorial scope, and its application to smart contracts.

By their very nature, smart contracts raise difficulties for the classification of the various actors involved, which will have an impact on their responsibilities under the law and their potential liability for violations. The analysis in this chapter turns on the roles of the data controller in the context of smart contracts, and this chapter reviews the definition of that term and of ‘joint controller’ considering supervisory authority guidance. In doing so, the signification of the classification is highlighted, especially in the case of the GDPR.

Furthermore, certain rights granted to data subjects under the GDPR may be difficult to provide in the context of smart contracts, such as the right to be forgotten/right to erasure, the right to rectification and the right not to be subject to a decision based solely on automated processing. This chapter addresses such issues, together with relevant supervisory authority advice, such as the use of encryption to make data nearly inaccessible, to approach as nearly as possible the same result as erasure. On the way, the important distinction between anonymized data and personal data is explained, together with its practical implications, and requirements for data integrity and confidentiality (security) are detailed.

In addition, the GDPR requirement of privacy by design and by default must be respected, when that legislation applies. Data protection principles such as purpose limitation and data minimisation in the case of smart contracts are also scrutinized in this chapter. Data protection and privacy must be considered when smart contracts are designed. This chapter will help the reader understand the contours of such a requirement. Even for jurisdictions outside of the European Union, privacy by design will be interesting as best practice.

Finally, problems related to cross-border data transfers in the case of public blockchains are debated, prior to this chapter setting out key elements to allow for a GDPR-compliant blockchain and other concluding remarks.
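The supervisory-authority advice the abstract mentions, using encryption to make on-chain data practically inaccessible as a stand-in for erasure, is usually called crypto-erasure or crypto-shredding. The following is an added illustration of that pattern, not code from the chapter or from any project it discusses: personal data is encrypted under a per-subject key held in an off-ledger key store (a hypothetical component), only the ciphertext is appended to an immutable ledger, and "erasure" consists of destroying the key. The cipher is assembled from the Python standard library only (an HMAC-SHA256 keystream in counter mode plus a separate HMAC tag) so that the example runs without third-party packages; a production system would use an authenticated cipher such as AES-GCM. Sample subject data is constructed for the demo.

```python
"""Crypto-erasure on an append-only ledger (added example, stdlib only)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 16   # random per-record nonce
TAG_LEN = 32     # HMAC-SHA256 integrity tag


def _subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one per-subject key."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC(enc_key, nonce || i), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raise on any tampering."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Ledger:
    """Append-only store standing in for a public blockchain: no delete, no update."""

    def __init__(self) -> None:
        self._entries: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self._entries.append(entry)
        return len(self._entries) - 1

    def get(self, index: int) -> bytes:
        return self._entries[index]

    def __len__(self) -> int:
        return len(self._entries)


class KeyStore:
    """Hypothetical off-ledger, mutable store of per-data-subject keys."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def get_or_create(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def get(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def erase(self, subject_id: str) -> bool:
        """Destroy the subject's key; returns False if there was none."""
        return self._keys.pop(subject_id, None) is not None


def record_personal_data(ledger: Ledger, keys: KeyStore, subject_id: str, data: str) -> int:
    """Only ciphertext reaches the ledger; the key stays in the mutable key store."""
    return ledger.append(encrypt(keys.get_or_create(subject_id), data.encode("utf-8")))


def read_personal_data(ledger: Ledger, keys: KeyStore, subject_id: str, index: int) -> Optional[str]:
    """None once the key is destroyed: the on-chain record is still there but unreadable."""
    key = keys.get(subject_id)
    if key is None:
        return None
    return decrypt(key, ledger.get(index)).decode("utf-8")


def demo() -> Tuple[Optional[str], Optional[str], int]:
    ledger, keys = Ledger(), KeyStore()
    # Constructed sample personal data for a fictitious data subject.
    idx = record_personal_data(ledger, keys, "subject-42", "Jane Doe, jane@example.invalid")
    before = read_personal_data(ledger, keys, "subject-42", idx)
    keys.erase("subject-42")                     # the "erasure" request
    after = read_personal_data(ledger, keys, "subject-42", idx)
    return before, after, len(ledger)           # ledger length unchanged


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the ledger never shrinks (the immutability problem the abstract raises is not solved, only worked around), and the controller must be able to destroy every copy of the key, including backups, for the approach to approximate erasure at all. The integrity tag also covers the confidentiality-and-integrity requirement the abstract mentions, since a tampered ciphertext is rejected rather than silently decrypted to garbage.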