The French Data Protection Authority, CNIL, has published an initial assessment regarding the blockchain and the GDPR, becoming the first data protection authority to provide solutions to the challenges that arise from the potential conflict between blockchain technology and data subject rights under the GDPR.
The CNIL states that the GDPR applies to the use of blockchain in any instance where personal data is handled. However, the GDPR has excluded distributed ledger technology (DLT) solutions from the scope of the assessment, considered too "rare" to allow CNIL to carry out a generic analysis; and private blockchains, given that they do not raise particular GDPR issues that are relevant to the public blockchains and consortium blockchains.
The CNIL's assessment include several key issues as follows:
- Controllers and Processors within the meaning of the GDPR: CNIL distinguishes between: (i) those who have permission to write on the chain ("Participants") and (ii) those who validate transactions and create blocks according to the blockchain rules ("Miners"). A Participant who decides to submit data for validation by Miners, is considered a data controller when the Participant is an individual; the processing is linked to a commercial activity; or the Participant is a legal entity and writes personal data on the blockchain. Data processors may be "smart contract" developers, which process personal data on behalf of the Participant; or Miners, which validate transactions on behalf of participants.
- Minimisation of risks to data subjects: As part of the principle of 'Privacy by Design' under the GDPR, data controllers must consider in advance whether blockchain technology is appropriate for the implementation of their data processing activities. In this regard, the CNIL recommends the controller adopt a different technological solution where possible.
In addition, since the blockchain contains the credentials of Participants and Miners, as well as additional data entered to the transaction, and which may relate to another individual, and where such data cannot be minimised, the retention period of such data must necessarily correspond with the lifetime of the blockchain. With respect to the additional data, CNIL recommends the use of solutions where personal data is processed outside the blockchain or on the blockchain, if it is cryptographically protected.
- Data subject's rights: In its assessment paper, the CNIL raises a concern regarding the ability to ensure the right of "erasure", as it is technically impossible to delete data stored on the blockchain. Accordingly, the CNIL recommends the use of encryption in order to delete the data as far as possible.
- Security requirements: The CNIL recommends determining a minimum number of Miners to avoid collusion attacks, implementing organisational and technical measures in order to limit the impact of a possible failure in transactional security due to an algorithm (as well as to ensure confidentiality), and in addition, documenting the governance of the evolution of the software used to create a transaction and to mine.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.