It is understood that there are many nodes (computers) which make up a blockchain network but what does need addressing is the jurisdictions that each node is held. This has been addressed in the new General Data Protection Regulation (GDPR 2016/679) but would be complex to apply in a blockchain network. Chapter 5, particularly section 45, provides that a third country involved in the transfer of data will be examined as to the adequacy of their level of protection. If the level of protection is not deemed as high enough, then the Information Commissioner’s Office will either monitor the protection by way of a review, or work with the country in question to provide international mutual assistance in the enforcement of legislation for the protection of personal data.
The above points are helpful but difficult to implement to a blockchain network. Maybe the best application of this would be to work on a transaction by transaction basis to determine where the nodes are held, but also to put the burden solely on the parties involved. They could simply assign a controller within the chain to frequently monitor the published ÂOfficial Journal of the European UnionÂ which shows the list of countries that have been considered as having an adequate protection in place.
The Google Spain case (Google Spain, Google Spain SL and Google Incorporated v Agencia EspaÃ±ola de ProtecciÃ³n de Datos and Costeja GonzÃ¡lez C-131/12.) offers an interesting approach that could be applied to a blockchain network. The transferring of data that may originate outside of the EU could be subject to European law if it can be found that there is an ÂestablishmentÂ within the EU which means that the GDPR can be interpreted as an international data protection law. In the Google case, Google Inc, which is based outside the EU in America, had an establishment in Spain. The case concerned a Spanish citizen who complained that his right to be forgotten was infringed by Google, and also a newspaper in Spain. The search engine was found liable, as GoogleÂs activities were classified as Âprocessing of personal data.Â On appeal, the CJEU found Google Spain to be Âinextricably linkedÂ to Google Inc and so deemed as a controller for the purposes of data protection laws. If a blockchain network is made up of even one EU citizen then it could be argued that they are a member of a larger chain, no different to a branch of a divisional office as in the Google Spain case.
This would rule out any issues with over-complicating the cross-border issues with a blockchain network that may have several extra territorial jurisdictions to work with. It has been argued by scholars that this judgment may have made this decision in preparation for the extending virtual world and borderless nature and wide spread use of the internet as well as the technological advancements that has ultimately required a broader approach necessary than taken in previous years.Â