French Data Protection Authority guidance on GDPR and Blockchains

The French Data Protection Authority - Commission Nationale de L’informatique et des Libertés (CNIL) - has analyzed the impact of Blockchains on the rights of individuals and their personal data. It has made initial recommendations to data controllers who wish to use Blockchain technology for personal data processing. It is one of the first authorities to have taken up this analysis, and is calling for co-operation at European level.

Blockchain technology is a new type of internet that allows digital information to be distributed instead of copied. Just now information built into the internet could be thought of as a sort of ‘master copy’ stored on one central server and controlled by its owner, requiring to be updated whenever there is any sort of change. With a Blockchain updates are being constantly broadcasted and every node in the network is coming to the same conclusion. With the most popular update becoming the official record there is no need for any sort of ‘master copy’ or third party updating it. It is an innovative way to share information which is growing.

The CNIL’s take on Blockchains

The CNIL has described the properties it finds unique to Blockchains. They are more transparent than older technologies since all its users can see the updates in live time as they happen. Information is decentralized, with several copies of the Blockchain existing simultaneously among users’ computers. The technology is irreversible so that once data is entered it cannot be modified or deleted. And information is disintermediated:  the middleman has been removed and instead decisions or changes are made by consensus between the participants. 

blockchain use1.jpg

It also identified three categories of Blockchains. Public Blockchains are accessible to anyone in the world to obtain a copy, make a transaction, or participate in its creation. Blockchains with Permissionshave rules about who can perform transactions or participate in their creation- sometimes they will be accessible to everyone but sometimes they will have limited access. And so-called “Private” Blockchains are under the control of an operator who alone will govern the participation in, and validation of, the Blockchain. This third category of private Blockchains has not been considered by the CNIL as being in the same group as the first two categories since it does not have the classic properties of a Blockchain, decentralization and disintermediation. It has not fallen in remit for this review- for GDPR purposes it is a “classic” database. 

Three different actors in the Blockchain have been distinguished. “Individuals” can simply read and obtain a copy of the Blockchain. “Participants” have the ability to write and create transactions that they can submit for authorization. And the “miners” can validate these transactions by applying the Blockchain rules to them, bringing them in to be a part of the Blockchain. 

What have Blockchains got to do with GDPR?

Whenever a Blockchain concerns any sort of personal data (at least regarding EU data subjects), the GDPR will apply. This innovative technology and the fundamental rights of individuals are not two opposing forces. While GDPR is not intended to regulate technology, it can nevertheless apply to technology when it involves personal data.

Blockchains can be used to transfer assets, as a traceable registry, or for the launch of “smart contracts” (computerized transactions that automatically execute the terms of a contract). In practice much of this requires the manipulation of personal data. Two categories of personal data have been set out:

Identities of participants and “miners”:

Each participant has a public code, and this recognizes the identity of the issuer and the recipient of each transaction. 

Additional data:

Information written in a transaction- for example a diploma, or a title deed. If this data relates to natural persons (this could be participants in the Blockchain or otherwise), it is personal data. 

On the basis of these distinctions, the usual data protection rules will apply; identification of the controller, implementation of rights, implementation of the appropriate safeguards, security requirements, and so on. 

Can Blockchains offer a way to be more compliant with GDPR?

Under the regulations, each actor dealing with personal data -whether they are the original owner of the data or a subcontractor- must be able to demonstrate that their treatment of the data complies with the GDPR. 

The CNIL has suggested that these new technologies could help data controllers fulfill some of their obligations. The permanence of the actions carried out in a Blockchain could be away to ensure that actions carried out on the data are open and traceable.

Problems with Blockchains

Blockchains will not always be the best solution for data processing. Certain circumstances, such as international transfers of personal data, require particular vigilance from users in a Blockchain- particularly when it comes to a public Blockchain. 

Users of data are encouraged to question from the onset the advisability of using Blockchain technology rather than an alternative technology. As well as this, the controller must always question the best type of Blockchain to be used. The choices made by a controller- between a permission Blockchain or a public Blockchain, between different formats for the registration of data in block- can significantly increase or decrease their risks of violating the rights and freedoms of individuals. 

The GDPR requires accountability for the processing of personal data, and if there are many who can control the data in a blockchain accountability becomes an issue. Additionally, suppose someone wished for their data held in a blockchain to be forgotten.

This is difficult since in a blockchain, all information is stored in one place. Some methods - such as encryption and off-chain storage - have been suggested, but of course there are still risks involved and for the GDPR it is important for definite compliance to be assured. 

 The CNIL’s advice

The CNIL warns that any person who decides to register data on a Blockchain could be considered as the responsible controller, given they decide on the purpose and the means of the data processing. Certain data rights, such as the right of access and the right to portability, may be exercised against them. 

With regards to the rights of erasure, rectification and objection, the CNIL has taken note of the technological solutions currently being deliberated, but which still need to be evaluated. The suggested solutions could make it possible to approach the conformity requirements of the GDPR, in particular by cutting the accessibility of the data according to the chosen format. 

Above all, generally, it is important to fully understand the GDPR and is applications if you are going to consider processing any sort of personal data on a Blockchain. And whether or not you are clear on the regulations, it is advisable not to resort to any clear storage of personal data on the Blockchain. The safety principles will remain fully applicable in the Blockchain. 

Authors: Lily Morrison, Legal Consultant at Gerrish Legal / Charlotte Gerrish, Founding Lawyer at Gerrish Legal

October 2018.