When developing an application which requires some personal data to function, a good thing to do, from a security and integrity perspective, is to minimise the amount of user data one gets access to. Some data will be necessary for the application to function properly (for example authentication data) and some data might be required to be recorded for legal reasons. Most other data has the possibility of being end-to-end (e2e) encrypted and completely inaccessible to the application developers. If we assume this is the case, that all other user data is e2e encrypted and the encrypted data cannot be linked to the user except by the user themselves, maybe that would affect how GDPR applies to the situation.
The user data is personal data for the user, but when it reaches the servers it's encrypted and, from what I understand, should therefore not be regarded as personal data for the server owners. How e2e encryption often works is that user data is processed by a program (distributed by the same company) running on the user's device, which encrypts the data with a key known only by the user before sending the data back to the servers. It's unclear to me whether that counts as the server owners processing the data or as the user processing their own data.
So my questions are:
Does a company still qualify as a data controller even though the data stored is encrypted?
Does a company still qualify as a data processor even though all processing is done on the device of the user?