Welcome to the first post in our legal blog post series around Decentralized Autonomous Organizations (DAOs). In this series we will explore the current legal landscape as it relates to DAOs. DAOs' decentralized nature leads to legal challenges. For the success of DAOs, it is important that they can thrive in legal environments. We will therefore not only analyse the current laws, but also look for promising legal opportunities and recommendations for change.
We start the series by looking at the applicability of one of the most feared laws in the tech scene: the GDPR. The GDPR is the newest European data protection law. It became applicable on 25 May 2018 and is relevant for any organization that processes personal data of individuals in the EU, wherever that organization is based. We aim to shed some light on its applicability and explore its core topic: data privacy.
What is a DAO
Before we dive into legal matters, we will first define what a DAO is. Grasping precisely what a DAO is can be tricky. We will focus on the basic technical explanation, tied to blockchain technology.
DAOs, as we define them, are organizations run without a central operating authority. The rules of the organization are enforced by code running on a blockchain. Bitcoin can be considered to be the first operational DAO, as it has a pre-programmed set of rules, coordinated through a distributed consensus protocol and functions in a distributed manner. Since the creation of the Ethereum blockchain, DAOs are able to make use of smart contracts which encode the rules of the DAO.
Blockchain-based DAOs enable the storage of various types of data on the blockchain, such as proposal details, votes, or member identification. Members of a DAO can use other tools, such as chats, to discuss or exchange information, and can make use of off-chain databases to store information. These other tools are not part of the DAO itself, and therefore will not be part of our focus regarding DAOs and the law.
How data is treated is a question many people who want to join a DAO ask. One common concern is how privacy issues are handled. Privacy is a human right and should be a core value of any form of human organization. With the GDPR, the European Union has chosen an extensive legal instrument to regulate the use of personal data by organizations and businesses.
The GDPR’s first purpose is to strengthen and expand individuals’ personal data rights, and to set high security standards for the use of personal data. It has been designed to give individuals more control over how their information is used online. The regulation is effective in every member state of the European Union. Its applicability is however not limited to organizations based in the EU, but extends to all companies and organizations that process personal data of individuals in the EU. The regulation is feared by many companies since its implementation is difficult, as the framework is unwieldy and complex. Organizations that do not comply face onerous penalties of up to €20 million or 4% of their global annual turnover, whichever is higher.
The GDPR has been designed with a centralized approach, as it makes organizations accountable for data privacy compliance. It contains a set of rules deriving from seven core privacy values, the “Data Protection Principles” of Article 5:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
More detailed explanations of the seven principles can be found in the text of the GDPR, Article 5.
For instance, the GDPR requires a mechanism allowing individuals to have their data erased under certain conditions, the so-called “Right to be forgotten” (Article 17). This right gives individuals the ability to ask for their data to be deleted in cases such as when the data previously collected is no longer relevant for the initial purposes. In the context of DAOs, the immutability that comes with blockchain technology makes the permanent erasure of data a difficult task. This is one of the challenges the GDPR poses for blockchain-based applications. Before talking further about those challenges, we should understand why and how the GDPR is relevant for DAOs.
Applicability of the GDPR
Whether DAOs must follow the GDPR depends on whether the data inside the DAO qualifies as personal data. If it is the personal data of individuals in the EU, this triggers the (mandatory) application of EU data protection law.
Data comes in many shapes. Personal data, according to the law, is any information relating to an identified or identifiable person, whether on its own or combined with other information. For that reason, data which does not seem to identify a person at first sight, such as a string of numbers, can be deemed personal data if it leads to someone’s identification when combined with other data. A good illustration of this is the judgement of the Court of Justice of the European Union in Breyer (C-582/14) in 2016. The Court ruled that dynamic IP addresses can be personal data, although identifying someone from a dynamic IP address alone is generally not possible. The internet service provider, however, holds data that, combined with the IP address, identifies the subscriber, and the website operator has legal means to obtain that identification. The Court therefore concluded that dynamic IP addresses are, in such circumstances, personal data.
Even pseudonyms can be considered personal data. The person using the pseudonym may have other accounts that can contain other personal information using the same pseudonym. By combining the accounts, it might be possible to determine the person's real-life identity. Therefore, even if a company or organization only lets its users register by a pseudonym, it can be subject to the GDPR.
In short, any data tied to a person that is not rendered completely and irreversibly anonymous is considered personal data. The GDPR draws exactly this line: pseudonymised data, which can still be attributed to a person with the help of additional information such as a key or a lookup table, remains personal data (Article 4(5) and Recital 26), while only truly anonymous data falls outside the regulation. What does this mean for encrypted data? Encrypted data can likewise continue to qualify as personal data as long as identification remains possible for someone. If the data can still be read with the appropriate keys, it is not irreversibly anonymized. The same holds for hashing: an unsalted hash of a predictable identifier such as an e-mail address can be recovered by hashing candidate values and comparing, and even a keyed hash that an attacker cannot reverse yields a stable identifier that the key holder can recompute and that links every record carrying it back to the same person.
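To make the hashing point concrete, here is a small added example (written for this post, not code from the original article or from any DAO project). It uses a constructed member list with fictitious e-mail addresses, a constructed vote table and forum export, and a fixed stand-in key; the functions and names are illustrative. It shows three things: an unsalted SHA-256 pseudonym is recovered by a dictionary attack; an HMAC pseudonym resists that attack without the key but the key holder can still re-identify; and two datasets sharing the same pseudonym are linkable without any re-identification at all.

```python
"""Why hashed or keyed identifiers are still personal data (added example).

Constructed scenario: a DAO publishes its member list with e-mail addresses
replaced by SHA-256 digests.  An observer who can guess candidate addresses
(a member directory, a leaked list, a chat export) recovers the address by
hashing each guess.  The same digest used in a second dataset links the
two records, so the "hash" is a stable pseudonym, not anonymisation.
"""
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Optional

Pseudonymiser = Callable[[str], str]


def sha256_pseudonym(identifier: str) -> str:
    """Unsalted SHA-256 of an identifier: deterministic and guessable."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: guessing needs the key, but the key
    holder can still recompute it, so the data remains pseudonymous."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify_by_dictionary(pseudonym: str, candidates: Iterable[str],
                             pseudonymise: Pseudonymiser) -> Optional[str]:
    """Recover the identifier behind `pseudonym` by running each candidate
    through the same pseudonymisation function.  Returns None on no match."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), pseudonym):
            return candidate
    return None


def link_records(table_a: Dict[str, object],
                 table_b: Dict[str, object]) -> Dict[str, tuple]:
    """Join two datasets that use the same pseudonym as key.  Linkage needs
    no re-identification: the shared pseudonym alone does it."""
    return {p: (table_a[p], table_b[p]) for p in table_a.keys() & table_b.keys()}


# Constructed sample data (fictitious members).  The key is a fixed stand-in
# for a secret that in practice would live in an HSM or a secrets manager.
CANDIDATES = ["alice@example.org", "bob@example.org", "carol@example.org"]
KEY = b"constructed-example-key-do-not-reuse"

# An on-chain vote record and an off-chain forum export, both keyed by
# sha256(e-mail) on the assumption that "hashing anonymises".
VOTES = {sha256_pseudonym(e): vote for e, vote in
         [("alice@example.org", "yes"), ("bob@example.org", "no")]}
FORUM = {sha256_pseudonym(e): handle for e, handle in
         [("bob@example.org", "bob_dao"), ("carol@example.org", "carol_dao")]}


def demo() -> dict:
    """Run the three checks and return their outcomes."""
    bob_hash = sha256_pseudonym("bob@example.org")
    bob_keyed = keyed_pseudonym("bob@example.org", KEY)
    return {
        # 1. Unsalted hash: a dictionary attack re-identifies the member.
        "sha256_recovered": reidentify_by_dictionary(
            bob_hash, CANDIDATES, sha256_pseudonym),
        # 2. Keyed hash: the same attack without the key fails ...
        "keyed_without_key": reidentify_by_dictionary(
            bob_keyed, CANDIDATES, sha256_pseudonym),
        # ... but whoever holds the key re-identifies at will.
        "keyed_with_key": reidentify_by_dictionary(
            bob_keyed, CANDIDATES, lambda i: keyed_pseudonym(i, KEY)),
        # 3. Linkage: the shared pseudonym joins the vote to the forum handle.
        "linked": link_records(VOTES, FORUM),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The candidate list here has three entries; against a real member directory or a leaked mailing list the same loop runs over millions of guesses in seconds, which is why a bare hash of an e-mail address, phone number or wallet-linked handle should be treated as personal data rather than as anonymised output.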
Should DAOs comply with the GDPR?
The GDPR applies when a DAO holds personal data concerning an individual in the EU. DAOs can contain various personal data related to their members. This data, even if encrypted or hashed, could potentially lead to a member’s real-life identity. This happened for example in the Bitcoin network, when research conducted at Cornell University in 2014 showed that the IP addresses of nodes broadcasting transactions could be linked to the public keys in those transactions, leading to identification. Changes were made to the protocol in order to prevent this from happening again, but it clearly showed that anonymity was not guaranteed by the original design.
To be GDPR compliant is not an easy task. For DAOs it is even more challenging than for traditional organizations. Even though the GDPR is intended to be a technology neutral legal instrument, the GDPR framework is made for organizations with a central authority and centralized databases. Recital 15 of the regulation explains that “the protection of natural persons should be technologically neutral and should not depend on the techniques used”. However, the major shift brought by decentralized technologies led to a fundamental rethinking of the relation between data and applications. With no single point of authority, some GDPR requirements will be very difficult or even impossible to meet.
Most DAOs still exist as "virtual structures" not tied to any legal entity. In these non-legally defined DAOs there is no central entity, so the members themselves are accountable and obliged to follow the rules of the GDPR. With no legal structure tied to the DAO, the form of the "general partnership" applies by default. This means that every member is liable for the whole, and in theory each could be sued, for example for breaching the GDPR, as each is individually responsible for the entire DAO.
Following this, members have to establish a legal basis (such as consent) on which personal data is collected and used, and ensure that the minimum security standards imposed by the GDPR are met. In addition, where the conditions of Article 37 are met, for example when the DAO's core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data, the DAO must appoint a Data Protection Officer in charge of its general compliance with the GDPR.
Reaching GDPR compliance would thus require extended and ongoing coordination between all members of the DAO, as well as in-depth knowledge of the precise nature and flows of personal data within the DAO. Challenging tasks remain, such as the implementation of the right to be forgotten and, of course, accountability. Accountability is one of the key legal issues regarding decentralized technology. In this case: is it wise to hold everyone accountable for privacy compliance in decentralized organizations?
Exploring the privacy potential for DAOs
DAOs are in a legal grey zone, since the existing laws are not made for decentralized systems. This does not have to be an insuperable problem, but it does require modification of existing laws and frameworks. There is no simple solution to reconcile the GDPR and DAOs. However, in order to create new legal frameworks or suggestions for change to existing ones, it is important to understand the original purpose of these current laws. The goal of the GDPR is to strengthen and expand individuals’ personal data rights, while ensuring high security standards.
The GDPR lists a set of rights for individuals with respect to their personal data. One of these, the right of access (Article 15), lets individuals request specific details about how and why their data is processed and receive a copy of the personal data the organization holds about them. Blockchain technology enables individuals to be in control of their own data. Blockchain applications could therefore keep the promise of both decentralization and the GDPR: giving users this control over their data.
Also, smart contracts bring the opportunity to encode law directly. When an organization processes data on behalf of another, the GDPR requires that data protection obligations be laid down in a contract between the two (Article 28). Legal smart contracts open a new paradigm, where technology can directly regulate in a legally binding way. Additionally, various anonymization techniques enabled by blockchain technology could enhance people’s privacy.
A new paradigm for regulation
When a DAO holds personal data of an individual in the EU, it is subject to the GDPR. Although this is clear, it will be quite difficult for DAOs to be GDPR compliant, as the law was not written for decentralized structures. As we suggested, it would be more beneficial to look at the purpose of the GDPR and make sure DAOs are in line with its goals. Beyond that, digital structures like DAOs enable a new paradigm for regulation, where the rule of law can be encoded into the system itself. In following blog posts we will dive deeper into this matter, focusing on the right to be forgotten.
This article has been funded through the GenesisDAO, but is not biased towards it. This article presents our own views for general information purposes only and does not constitute legal advice.