Olga Stepanova is an Attorney at Law and certified Data Protection Officer based in Frankfurt. She advises companies and associations on digitalisation, especially on the implementation of GDPR and securing Intellectual Property Rights. Her focus is on Big Data companies and companies using Artificial Intelligence. Her motivation is to fight the prejudice that the blockchain technology is not compatible with data protection laws, so that much more companies get encouraged to use it.
Public Blockchains with Nodes in Third Countries
Nodes in the public blockchain are distributed across the network and spread across the globe. Where a node is situated is neither foreseeable nor can it be controlled. Since nodes can enter and leave the network at any time, the location where a node stores blockchain information might shift e.g. from USA to China. However, the ideal image of the GDPR is a data controller who is in charge of the data flow and can determine the recipient located in a third country. Considering that, the GDPR predefines instruments (e.g. adequacy decision (Privacy Shield), Binding Corporate Rules or Standard Contractual Clauses) to ensure an adequate level of data protection taking in account the data protection regime of third countries. Therefore, a different set instruments might apply to separate countries and the data controller must have them in place before the data transfer takes place. In this matter, the GDPR and an open blockchain application follow different concepts. Since nodes could be in any third country at any time without the data controller being aware of, it is difficult to tackle the requirements of the GDPR. Thus, this question cannot be easily answered by referring to the standard tools, so that some extraordinary solutions need to be found.