In our data-driven world, it is crucial to have systems in place to automate and streamline large amounts of data. That is why a data processor is key in today’s day and age.
But in order to understand what a data processor does, we first need to touch on what a data controller is.
A data controller is either a person or an entity that decides why and how personal data should be processed. Depending on their jurisdiction, they must abide by the data processing laws in place, like the GDPR. More on this later on.
The European Data Protection Board defines a data processor as an entity that:
“acts under the instructions of the controller only, by processing personal data on behalf of the controller. Similar to a data controller, a data processor can be a legal person, for example a business, an SME, a public authority, an agency or other bodies.”
To make this seem less abstract, let’s use Amazon Web Services (AWS) as an example of what this looks like in practice. If a company chooses to use AWS to store the personal data of its customers or employees, it would be considered the data controller. This is largely because it decides what data to store using AWS, how it wants to use this data, and for what purpose.
The data processor is the entity that processes the personal data on behalf of the data controller, or the company in this instance. The data processor in this example, would be AWS. It provides the storage and other services necessary for processing the data but does not determine the means for processing data.
In the EU, both the data processor and the data controller must be compliant with the GDPR. Regulatory compliance will of course vary depending on where the company operates, as regulations differ in places outside of the EU. In this article, I’ll go more in depth about what things look like on both sides of the fence, and then discuss how blockchain can fit into all of this.
Table of Contents
Data Processing Inside the EU
So far, we’ve briefly covered what a data controller is and what a data processor is. But I want to dive further into what the roles and responsibilities of a data processor consist of, specifically in the context of the EU.
In the EU, all companies must operate following GDPR requirements. I talk about this more in another article, but I’ll briefly go through the basics here for context.
The EU’s General Data Protection Regulation (GDPR) is likely the most well-known data-related regulation.
“The GDPR governs how the personal data of individuals in the EU may be processed and transferred and is the strongest privacy and security law in the world.”
— European Commission
The regulation is all about putting control back into the user’s hands by ensuring they provide clear consent to data processing, while maintaining the rights to revoke consent and to be forgotten. Importantly, for this topic, individuals also get a say in how data is transferred between service providers.
When it comes to how the data processor and controller must work together, the EU requires them to implement a contract, where the intentions to process personal data are all recorded. The goal is to ensure that both parties are restricted from sharing data outside of their own organisations without the original party’s consent, and acknowledges that individuals have rights over their own data. It also requires both parties (processor and controller) to notify of any data breaches and ensure they are transparent about complying with GDPR regulations.
This can make things tricky for non-EU companies operating within the jurisdiction. Let’s use Meta/Facebook as an example of what this looks like.
Meta, along with any other non-EU companies, has had to add additional information to its Privacy Policy in order to comply with GDPR and data processing regulations. The policy lists out the rights of individuals under data protection laws — including the rights to access and correct information, withdraw consent, download information, and object. It also highlights that users have the right to contact the Data Protection Officer for Meta Platforms (more on that coming up).
Last year, the European Data Protection Board imposed a ban on Meta in Ireland because,
“of the inappropriate use of the legal bases of contract and legitimate interest for the processing of personal data collected by Meta IE for the purpose of behavioural advertising.”
Meta has now had to ensure users have the option to choose whether or not their data will be processed for behaviour marketing. I see this as a drop in the ocean of several data requirement changes to come.
Data Processing Outside of the EU
Crucially, EU regulations apply to both organisations inside its jurisdiction and companies outside that process the personal data of EU citizens and residents. But what does that end up looking like?
To start, any non-EU organisation that processes the data of an EU-based entity is required to appoint a representative inside the EU.
The person responsible for monitoring how data is processed within a company is called a Data Protection Officer (like in the Meta example above). These are normally designated by a company and the main purpose is to advise on who can process personal information and how. The EU clearly lays out when a Data Protection Officer must be appointed.
Another key consideration for organisations is that they must ensure that citizens and residents understand what they are consenting to when they give permission to process their data. The EU outlines this as:
“Consent should be given by an affirmative act, such as checking a box online or signing a form. When someone consents to the processing of their personal data, you can only process the data for the purposes for which consent was given. You must also give them the opportunity to withdraw their consent.”
However, when data is transferred outside of the EU, all GDPR requirements are still in place. The EU has deemed certain non-EU data protection laws sufficient in certain places, but there must also be specific safeguards in place. The company must also get permission from individuals before exporting their data overseas. The EU and US provide a great example of what this relationship looks like.
The main difference between the EU and US data processing and privacy laws is that the EU’s GDPR regulation is an overarching framework for all data processing, whereas the US’s version is much narrower. Another good way to differentiate between the two is that the EU assumes that the answer for sharing data is automatically ‘no,’ whereas the US assumes the answer is ‘yes,’ but with further information on exceptions.
Of course, this causes plenty of hiccups for tech giants processing and transferring data from EU citizens and residents to the US, especially for big tech giants like Meta. To allow data sharing to still take place, the EU and the US implemented the EU-US Data Privacy Framework, which is an upgrade from the previous Privacy Shield. In short, the framework allows data transfers and processing from the EU to the US without additional safeguarding measures, as I mentioned above.
This is mostly because the framework provides several safeguarding caveats itself, including limiting access for US intelligence services to access EU data and establishing a Data Protection Review Court that investigates complaints from EU citizens and residents.
“An adequate protection of our personal data is a fundamental right, and one whose importance only continues to grow in our day-to-day lives. Today’s decision is the result of intense cooperation with our partners in the US, working together to ensure that Europeans’ data travels safely, wherever it goes. The new adequacy decision will provide legal certainty for businesses and will help further consolidate the EU as a powerful player in transatlantic markets, while remaining uncompromising on respecting fundamental right of Europeans for their data to be always protected.”
— Věra Jourová, Vice-President for Values and Transparency, European Commission
I could write about this for days, but hopefully you get the gist.
Blockchain & Data Processing
Let’s start with the challenges. While blockchain can be an extraordinary tool for organising and managing data, there are some key challenges with the EU’s data processing regulations.
One of them being that one of the main requirements of the GDPR, as discussed above, is the need for a data controller and data processor. However, blockchain is inherently decentralised, and advocates for several actors rather than just one or two. While the role of the data controller may be clear, the processor might be less so.
Other concerns relate to the right to be forgotten and the right to correct. Blockchains are immutable. This offers several benefits when it comes to trust and transparency, but in the case of the GDPR, it is at a crossroads.
Dr. Michèle Finck, writing on behalf of the Panel for the Future of Science and Technology, articulates that it isn’t all doom and gloom.
“On the one hand, there is a significant tension between the very nature of blockchain technologies and the overall structure of data protection law. It has also been stressed that the relationship between the technology and the legal framework cannot be determined in a general manner, but must rather be determined on a case-by-case basis. On the other hand, it has also been highlighted that this class of technologies could offer distinct advantages that might help to achieve some of the GDPR’s objectives.”
This is because blockchain can offer several tangible benefits, such as enhanced security and privacy, along with transparency. There is great potential for it to provide more oversight on how data is used by allowing users to see who access their data, when, and for what purpose. And for some of the other challenges like the right to be forgotten or its decentralised nature, the right resources and attention can still ensure GDPR compliance.
Dr. Finck suggests that rather than revising the GDPR, it’s better to provide regulatory guidance for those wanting to use blockchain through coordination with the European Data Protection Board. She also suggests that further funding for research into this area would be extremely beneficial.
The GDPR’s ultimate goal is to give EU citizens and residents control over their data, and there is evidence of how this can work with blockchain.
mintBlue’s latest presentation on BSV blockchain-powered wearables provides a great example of enabling control over personal health data.
In partnership with NoWatch, mintBlue have identified a way that all health data collected by smart watches (e.g. heartrate) can be owned directly by the user rather than large companies. At the 2023 London Blockchain Conference, mintBlue CEO Niels van den Bergh stated:
“You’re the owner of your own biometric information encrypted in a on-chain wallet that can be authenticated and accessed on your own device.”
Without stepping into data ownership territory, which you can read more about here, here’s the golden question: Are we ready to move on to being our own data processors to eliminate the middlemen?
I don’t have an answer, but I could be convinced.
Data Processing Conclusion
If you’ve read some of my other articles, you’ll see that blockchain often provides a relatively clear and simple tool to help navigate data requirements and international policies. The topic of data processing underscores where things can be a bit more complicated. That’s not to say it doesn’t offer significant value, it just means that there is more problem-solving to be done to integrate it in a meaningful way.
That being said, and without sounding like a broken record, blockchain has the ability to transform the data world and I hope I’ve outlined above what that might look like. It feels like society is pushing back against big companies processing their data, and it’s encouraging to see government policy supporting that instinct.
Me personally? I’m excited to see where the future of data processing is headed, and, like I said, it could be us holding the reigns one day.