Do laws regarding data protection and privacy apply to DAOs?
This is the case when the DAO falls within the personal, material and territorial scope of the respective regulation. This, again, depends on the individual case, in particular on the activities of the given DAO. Regarding the German market, the GDPR is currently most likely to be relevant for DAOs. The applicability of the GDPR basically requires that the DAO is established in the territory of the EU and processes personal data in a wholly or partly automated manner. As these criteria are basically tailored to traditional organizations and companies, in legal practice it may be difficult to apply them to DAOs. In general, the more structurally similar the DAO is to traditional organizations, the more likely it is to fulfill the requirements mentioned above. Apart from the GDPR, there is another main data protection law in force in Germany (Bundesdatenschutzgesetz – BDSG). However, in current practice it is rather unlikely to be relevant for DAOs.
As the applicability of a data protection law depends on the given circumstances, a specific assessment is required in each case. A wrong assessment may lead to noncompliance and hence may have significant legal and other implications for the DAO.
Under the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 regime (UK GDPR) and the Data Protection Act 2018 (DPA 2018), data protection and privacy laws apply to any controller or processor. Since there are individuals or entities that can host and run centralized websites, databases, and platforms, there are clearly stakeholders in a DAO ecosystem that can be held accountable under data protection regulations. Where the DAO is fully decentralized and the data and websites are hosted on decentralized networks, however, identifying the controllers and processors can be a difficult exercise.