GDPR, Liability, and DAOs

In this part of our legal series surrounding Decentralized Autonomous Organizations (DAOs), we will explore the General Data Protection Regulation (GDPR) framework focusing on how it addresses liability. The GDPR was built on the assumption that all personal data points to an individual or organization that controls that data in a centralized way. DAOs, on the contrary, achieve a decentralized network arrangement without a unitary leading entity. The personal data circulating via a DAO is technically controlled and owned by all DAO participants. One of the primary challenges preventing DAOs from growing in popularity and attracting new participants is the difficulty in allocating risks within a DAO in a way that matches the GDPR's legal requirements.

Why is liability in blockchain important?

Blockchain technology offers immutability, security, and transparency. One could conclude that laws and other constraining rules are therefore dispensable. However, this doesn't mean that we should ignore important issues like liability from a legal point of view; blockchains enable operations that have consequences and impact the real world. DAOs can engage in illegal activity and directly harm people. DAOs can also have technical flaws, as seen in the hack of 'The DAO' in 2016, which led to the theft of the equivalent of 60 million dollars. It must be possible to hold wrongdoers accountable, and the blockchain's unique features should not remain an obstacle to legal proceedings.

When we look at data protection rules, the GDPR distinguishes two types of roles for organizations that handle personal data. First, there are 'data controllers,' who "control" the data. They determine how data is collected and used and define how the data is processed. Second, there are 'data processors,' who "process" data for others. They perform operations on personal data on behalf of one 'data controller'. These two roles define different sets of obligations. According to the GDPR, both the data controller and the data processor are liable for data protection in their organization.

Because a DAO is a decentralized organization without a unitary entity making decisions, anyone involved could be considered a controller or a processor, and therefore liable for any breach of the GDPR. This is problematic for several reasons. The first significant problem with DAOs is that every participant is equally responsible for the entire organization; there is no individual protection like in a Limited Liability Company. Secondly, enforcement of the law is cumbersome. Identifying a DAO's participants could be difficult since pseudonymity is common: members are identified not by their names but by pseudonyms or other information that does not directly lead to their identity. Once identified, participants can be jointly required to pay fines of up to 20 million euros. In short, the GDPR's current liability framework is not suitable for decentralized organizations. As decentralized technologies mature, it is essential to create frameworks that address their decentralized nature.

As previously explained in this series, complying with the current laws implies establishing robust governance in DAOs. When joining a DAO, participants should be informed and required to consent to a suitable legal framework that includes data protection principles and protects individuals' rights. Liability in these matters should be carefully defined.

Legal specialists must look into the topic of decentralized liability to define where it is needed and where it is not applicable. At this moment, it seems that the only option is for each member to be fully liable for the whole organization. Currently, DAOs are considered a general partnership in the European Union by default. This means that every participant is a "partner" representing the DAO's interests and jointly and fully liable for the whole organization. Legal experts are looking into solving this issue. For example, some propose introducing a mandatory insurance scheme for every blockchain operator. Even if an insurance scheme does not solve the problem of allocating responsibilities, it could fully compensate people whose data protection rights have been violated. However, it would restrict the accessibility and scalability of DAOs, because every participant in a DAO would be seen as an operator. Secondly, it would put a restraint on the DAO itself, as not everyone would be able to pay the insurance fee.

One alternative legal option for a DAO would be to allocate risks and responsibility by setting up a separate entity, preferably a limited liability structure, to act as a data controller. Within this legal entity, the parties involved would know their boundaries, roles, and responsibilities. This would make sure all participants know their legal standing in the organization. It would also help individuals exercise their data protection rights and sue the DAO for breach of the GDPR. However, creating a traditional legal entity to give DAOs a legal personality is a questionable option. From a legal perspective, it does not necessarily protect the DAOs' participants. Anyone acting as a controller is responsible for the GDPR, whether or not they are part of the entity. From a general perspective, this goes against the core philosophy of DAOs, which are based on decentralized and collective decision making. Introducing a centralized legal structure at the top of a DAO would require that there is a defined set of managerial and strategic individuals that legally represent the DAO — similar to a limited liability entity.

Giving DAOs legal recognition while maintaining their decentralized nature is not impossible. Some jurisdictions have already created sui generis (unique) legal frameworks for decentralized organizations, such as Malta's Innovative Technology Arrangement or the Blockchain-Based Limited Liability Company in Vermont, United States. However, these legal structures do not always take data protection and privacy rights into account. The GDPR was set up to ensure these human rights are respected. Therefore, a legal framework for decentralized technology shouldn't just eliminate liability for the whole. It should also address decentralized liability to ensure the human right to privacy.

This article has been funded through GenesisDAO, but is not biased towards it. This article presents our own views for general information purposes only and does not constitute legal advice.