On the one hand, we have the General Data Protection Regulation (GDPR), in force in the European Union since May 2018. The purpose of the GDPR is to give people the power to know how their personal data is processed. To do so, businesses need to offer a single access point, which implies having their data centralised and managed in a secure place. On the other hand, we have blockchain technology, a decentralised data exchange and validation protocol that relies on a distributed ledger managed by a peer-to-peer network. It is therefore difficult to imagine a world where the GDPR privacy rules and blockchain technology would be compatible. Does this mean, then, that European businesses have to put an end to their blockchain-related projects to ensure GDPR compliance?
In September 2018, the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), published a report on the GDPR and the use of blockchain technologies. In this report, the CNIL presents the results of its analysis and offers solutions to businesses that have the ambition to use blockchain technologies. As the saying goes, opposites attract…
Is there a data controller on your blockchain?
According to the CNIL, businesses should first make sure there is no better solution for processing their data: blockchain technology is not always the most suitable option. If they apply the “privacy by design” principle when designing the technical solution that collects the data, businesses can remain GDPR-compliant even if they opt for a blockchain. In that case, they will also have to identify and designate a data controller within their organisation.
The CNIL identifies two distinct scenarios: the data controller is either a natural person who needs to process data for business purposes, or a legal entity that collects personal data on a blockchain (e.g. a bank with customer data). Any participant with the right to write on the blockchain may be considered a data controller. That is why the CNIL recommends assigning a role to each category of participant in the chain, so that people know who their main point of contact is when they exercise their rights.
When blockchain meets the right to be forgotten
The General Data Protection Regulation gives European Union citizens the right to request the erasure of their personal data. This gives individuals more control over the ways organisations collect, store and process their data. Article 17 of the GDPR states that “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”. Because of the properties of the hash functions used in a blockchain, the slightest change to the data in a block changes that block’s hash. Furthermore, since each block contains the hash of the previous block in the chain, altering one block invalidates every block that follows it, which makes removing personal data from the blockchain impossible.
The CNIL, however, acknowledges that under some circumstances a blockchain could be compliant with the GDPR as regards the data subject’s rights. In fact, some of these rights call for technical solutions that enable individuals to exercise them properly. For example, the right to erasure is, at first glance, technically impossible to apply here. But if the data controller implements cryptographic mechanisms that make the personal data inaccessible, the CNIL recognises that this anonymisation process comes close enough to the right to erasure, even though the information is not, strictly speaking, erased.
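The two points above, as an added example that is not part of the original post or of the CNIL report: a toy hash chain shows why rewriting a recorded block breaks the links that follow it, and a keyed commitment shows one way of the kind the CNIL describes to make personal data inaccessible without touching the chain. The assumptions are that personal data and a per-subject HMAC key are held off-chain by the controller, only the HMAC is written on-chain, and “erasure” means destroying the key and the off-chain record.

```python
import copy
import hashlib
import hmac
import json
import os

GENESIS = "0" * 64


def block_hash(prev_hash: str, payload: dict) -> str:
    # The hash covers the previous block's hash and the canonical JSON of the payload.
    body = json.dumps(payload, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


def append_block(chain: list, payload: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": block_hash(prev, payload)})


def chain_is_valid(chain: list) -> bool:
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["payload"]):
            return False
        prev = block["hash"]
    return True


def commit(keystore: dict, subject: str, personal_data: str) -> str:
    # Only HMAC(key, data) goes on-chain; key and data stay with the controller (assumption).
    key = os.urandom(32)
    keystore[subject] = key
    return hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()


def verify_commitment(keystore: dict, subject: str, personal_data: str, commitment: str) -> bool:
    key = keystore.get(subject)
    if key is None:  # key destroyed: the on-chain value can no longer be linked to any data
        return False
    expected = hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, commitment)


def erase_subject(keystore: dict, subject: str) -> None:
    # "Erasure" here is destroying the key; the chain itself is left untouched and still valid.
    keystore.pop(subject, None)


def build_demo(keystore: dict) -> list:
    # Constructed sample subjects, not real data.
    chain: list = []
    append_block(chain, {"subject": "alice", "commit": commit(keystore, "alice", "Alice Dupont")})
    append_block(chain, {"subject": "bob", "commit": commit(keystore, "bob", "Bob Martin")})
    return chain


def tamper(chain: list) -> list:
    # Rewriting a historic payload changes that block's hash and breaks every later link.
    forged = copy.deepcopy(chain)
    forged[0]["payload"]["subject"] = "mallory"
    return forged
```

After `erase_subject`, `chain_is_valid` still returns True while `verify_commitment` returns False for the erased subject, which is the distinction between “inaccessible” and “erased” that the CNIL draws.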
The subcontractors, the weak link of the blockchain?
Despite these promising first results, European authorities still need to examine the responsibility of subcontractors in the blockchain network. According to the CNIL, there are two types of subcontractors in a blockchain: the “smart contract” developers and the miners who validate new transactions and record them on the global distributed ledger. Their role is still unclear, legally speaking, and needs to be addressed. Article 28 of the General Data Protection Regulation states: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures”. If subcontractors fail to be GDPR-compliant, the blockchain will be held responsible too.
The possibilities seem endless for GDPR/blockchain partnerships. The European Union encourages businesses to create innovative solutions that combine data privacy with the erasure required by the GDPR. Law has certainly challenged technology this year, but it may also be thanks to the General Data Protection Regulation that we soon witness major innovation in blockchain technologies. All’s well that ends well.
Sources – General Data Protection Regulation vs. Blockchain: an impossible love?
Commission Nationale de l’Informatique et des Libertés website, https://www.cnil.fr/.
Information Commissioner’s Office website, https://ico.org.uk/.
PrivazyPlan website, http://www.privacy-regulation.eu.
EU Blockchain Observatory and Forum, https://www.eublockchainforum.eu/.
Coinext, https://coinext.io/2018/06/blockchain-technology-incompatible-europes-gdpr/, 19 June, 2018.