{"id":58289,"date":"2018-11-07T09:12:24","date_gmt":"2018-11-07T09:12:24","guid":{"rendered":"https:\/\/blogs.dlapiper.com\/iptitaly\/?p=58289"},"modified":"2019-06-24T14:57:05","modified_gmt":"2019-06-24T12:57:05","slug":"how-can-the-blockchain-become-gdpr-compliant","status":"publish","type":"post","link":"https:\/\/blogs.dlapiper.com\/iptitaly\/2018\/11\/how-can-the-blockchain-become-gdpr-compliant\/","title":{"rendered":"How can the blockchain become GDPR compliant?"},"content":{"rendered":"<p style=\"text-align: left;\">Blockchain compliance with GDPR requirements was tested by the French privacy authority and the European Commission, with uncertain outcomes.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Blockchain\">Blockchain<\/a>\u00a0privacy compliance is a very hot topic that led to\u00a0major discussions. The compliance of the impossibility to remove information from the distributed ledger with the GDPR\u2019s right to be forgotten for instance has been challenged in several instances. 
But this is only one of the topics now covered by the French data protection authority, the\u00a0<a href=\"https:\/\/www.cnil.fr\/\">CNIL<\/a>, in its guidelines on the topic (which were covered\u00a0<a href=\"https:\/\/blogs.dlapiper.com\/privacymatters\/france-cnil-publishes-initial-analysis-on-blockchain-and-gdpr\/\">here<\/a>\u00a0on the DLA Piper Privacy Matters blog by my colleagues\u00a0<a href=\"https:\/\/www.dlapiper.com\/en\/uk\/people\/l\/lebeau-marianna-denise\/\">Denise Lebeau-Marianna<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.dlapiper.com\/en\/uk\/people\/c\/chance-caroline\/\">Caroline Chanc\u00e9<\/a>) and by the EU Blockchain Observatory and Forum of the European Commission in a recently issued\u00a0<a href=\"https:\/\/www.eublockchainforum.eu\/sites\/default\/files\/reports\/workshop_2_report_-_gdpr.pdf\">workshop report<\/a>.<\/p>\n<p>Below are the most interesting insights arising from those documents and my personal view on them:<\/p>\n<h2>Does the GDPR apply to blockchain?<\/h2>\n<p>Transactional data recorded on a blockchain that can be linked to an individual is likely to fall under the category of personal data.<\/p>\n<p>More debated is whether the same conclusion applies to public keys. A\u00a0<a href=\"https:\/\/www.mycryptopedia.com\/public-key-private-key-explained\/\">public key<\/a>\u00a0is cryptographically connected to a cryptocurrency address in the sense that the address is derived from the public key (typically by hashing it).\u00a0The public key can be thought of as an individual\u2019s bank account, whilst the private key is the secret PIN to that bank account. The private key is used to generate the public key, but the derivation is one-way: computing the private key from the public key is computationally infeasible, so nobody can recover it.<\/p>\n<p>It can be argued that the public key is still information linked to an individual. 
But the issue is whether \u2013 given that a public key does not by itself reveal who holds it \u2013 such information is likely to be connected to the relevant individual. In practice, transaction-graph analysis and the identity checks performed by exchanges are means that may reasonably be used to make that connection, so linkability cannot simply be assumed away.<\/p>\n<p>Take a bank account number as an example: it is personal data for the bank where the account is held, but, for anyone else, that information is unlikely to be personal data, since they cannot link it to anyone. Indeed,\u00a0<strong>pseudonymized data (such as public keys) under the GDPR are personal data only if individuals are identifiable<\/strong>\u00a0taking into account<\/p>\n<blockquote><p>\u201c<em>all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly<\/em>\u201d.<\/p><\/blockquote>\n<h2>Who is the data controller on a blockchain?<\/h2>\n<p>The CNIL considers that participants in a blockchain (i.e. the persons who can write on the blockchain and create a transaction that is submitted for validation) act as data controllers where:<\/p>\n<ul>\n<li>the participant is an individual and the processing is related to a professional or commercial activity; or<\/li>\n<li>the participant is a legal entity and writes personal data on the blockchain.<\/li>\n<\/ul>\n<p>Where several persons decide to process personal data on a blockchain for a common purpose, the CNIL recommends that the participants make arrangements regarding responsibility for the processing by:<\/p>\n<ul>\n<li>creating a legal entity to act as data controller; or<\/li>\n<li>designating one participant to make decisions for the group and act as data controller.<\/li>\n<\/ul>\n<p>Otherwise, all the participants will be considered joint controllers.<\/p>\n<p>This interpretation can be debated, since it relegates the identification of the data controller to an arrangement between the parties involved, rather than a<em>\u00a0de 
facto<\/em>\u00a0situation, which is the rationale behind the GDPR. Also, in a\u00a0<a href=\"https:\/\/bornonjuly4.me\/2017\/01\/10\/blockchain-what-is-permissioned-vs-permissionless\/\">permissionless blockchain<\/a>, like Bitcoin, it could even be argued that\u00a0<strong>there is no actual data controller, since nobody has full control over the transaction<\/strong>.<\/p>\n<h2>Who is the data processor?<\/h2>\n<p>The CNIL considers that the following may qualify as data processors:<\/p>\n<ul>\n<li>smart contract developers, which process personal data on behalf of the relevant participant acting as data controller; and<\/li>\n<li>miners, which validate transactions on behalf of participants.<\/li>\n<\/ul>\n<p>But, with respect to public blockchains, the CNIL is working on, and recommends developing, solutions to frame the contractual relationships between participants (data controllers) and miners.<\/p>\n<p>The matter is \u201c<em>tricky<\/em>\u201d on this point too. Indeed,\u00a0<strong>the GDPR requires the data controller to exercise actual control over its data processors, which can even be fined if they do not comply with the data controller\u2019s instructions; but can that happen in a public blockchain?<\/strong><\/p>\n<h2>What are the principles of blockchain privacy compliance according to the CNIL?<\/h2>\n<p>Privacy by design is one of the backbone principles of the GDPR. The issue with a blockchain is always the lack of control over its operations. This is why the\u00a0CNIL recommends assessing whether blockchain is the appropriate technology for the intended use case. 
If not, the CNIL recommends using other technologies that are more compliant with the GDPR.<\/p>\n<p>Where the use of blockchain technology is absolutely necessary,\u00a0<strong>the CNIL recommends using a permissioned blockchain (instead of a public blockchain)<\/strong>, which provides more control over the governance of personal data, in particular with respect to transfers outside the EU, as miners may be located outside the EU.<\/p>\n<p><strong>This also serves compliance with GDPR requirements on data transfers outside the EU<\/strong>: whereas transfer mechanisms such as standard contractual clauses, BCR, codes of conduct or certification mechanisms may be implemented in the context of a permissioned blockchain, their implementation is trickier in the context of a public blockchain, since the data controller has no control over the location of the miners.<\/p>\n<p>Because the participants\u2019 identifiers (or public keys) are necessary for the functioning of the blockchain, the CNIL notes that it is not possible to further minimize such data, and that their retention period must be aligned with the lifetime of the blockchain.<\/p>\n<p>As regards the other personal data, in order to comply with the principles of privacy by design and by default, and of data minimization,\u00a0<strong>the CNIL recommends using solutions where personal data is processed outside the blockchain and storing on the blockchain only<\/strong>:<\/p>\n<ul>\n<li>A cryptographic commitment,<\/li>\n<li>A fingerprint of the data obtained through a keyed hash function (for instance an HMAC, with the key kept off-chain), or<\/li>\n<li>Encrypted data.<\/li>\n<\/ul>\n<p>If it is not possible to implement any of these solutions, and where it is justified by the purpose of the processing and a privacy impact assessment\u00a0has demonstrated that the residual risks are acceptable, the CNIL considers that it is possible to store the data on a blockchain as an unkeyed hash or, if there is no other option, in 
clear.<\/p>\n<p>An unkeyed hash of low-entropy personal data (a name, a date of birth, an identification number) offers little protection, since anyone can hash candidate values and compare them with what is on the chain; this is why the keyed and encrypted options come first.<\/p>\n<p>The CNIL seems to imply that the assessment has to be performed on a case-by-case basis, suggesting tools like encryption that make it possible to control the level of disclosure of personal data on a blockchain.<\/p>\n<h2>Can the right to be forgotten be exercised on a blockchain?<\/h2>\n<p>Blockchain privacy compliance presumably does not raise any particular issue with respect to transparency, the right of access and the right to data portability.<\/p>\n<p>With respect to the right to be forgotten (or erasure), the CNIL acknowledges that it may be technically impossible to comply with this right when the data is stored on the blockchain. This is why the CNIL strongly recommends the use of encryption in order to come as close as possible to ensuring an effective exercise of the data subjects\u2019 rights. In particular, deleting the data stored off-chain together with the verification data (the key of the keyed hash, or the decryption key) cuts off access to the evidence recorded on the blockchain and makes it very difficult to retrieve.<\/p>\n<p>The solution always seems to be the same.\u00a0<strong>It is necessary to introduce an additional level of complexity to blockchain technology to enable control of the information<\/strong>, as otherwise it might not be privacy compliant.<\/p>\n<h2>What security measures shall be put in place?<\/h2>\n<p>In the context of a permissioned blockchain, the CNIL recommends to:<\/p>\n<ul>\n<li>determine a minimum number of miners to avoid collusion attacks;<\/li>\n<li>implement organizational and technical measures to mitigate the impact of an algorithm failure (for instance a hash or signature algorithm found to be broken) on the security of the transactions. 
This should include a contingency plan to replace algorithms where a vulnerability is detected;<\/li>\n<li>document the governance of the evolution of the software used to create transactions and to mine, and implement technical and organizational procedures to ensure that the permissions granted match their actual implementation; and<\/li>\n<li>ensure the confidentiality of the blockchain by implementing appropriate measures.<\/li>\n<\/ul>\n<p>These are general principles that have to be applied to the specifics of each case to ensure blockchain privacy compliance.<\/p>\n<p>It will be interesting to see the position of other data protection authorities on the matter, since there is no doubt that blockchain has major potential. How can the lack of control over data, which is a defining feature of blockchain, coexist with data protection regulations that impose control over personal data?<\/p>\n","protected":false},"excerpt":{"rendered":"<p style=\"text-align: left;\">Blockchain compliance with GDPR requirements was tested by the French privacy authority and the European Commission, with uncertain outcomes.<\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Blockchain\">Blockchain<\/a>\u00a0privacy compliance is a hot topic that has led to\u00a0major discussions. Whether the impossibility of removing information from a distributed ledger can be reconciled with the GDPR\u2019s right to be forgotten, for instance, has been challenged in several instances. 
But this is only one of the topics now covered by the French data protection authority, the\u00a0<a href=\"https:\/\/www.cnil.fr\/\">CNIL<\/a>, in its guidelines on the topic (which were covered\u00a0<a href=\"https:\/\/blogs.dlapiper.com\/privacymatters\/france-cnil-publishes-initial-analysis-on-blockchain-and-gdpr\/\">here<\/a>\u00a0on the DLA Piper Privacy Matters blog by my colleagues\u00a0<a href=\"https:\/\/www.dlapiper.com\/en\/uk\/people\/l\/lebeau-marianna-denise\/\">Denise Lebeau-Marianna<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.dlapiper.com\/en\/uk\/people\/c\/chance-caroline\/\">Caroline Chanc\u00e9<\/a>) and by the EU Blockchain Observatory and Forum of the European Commission in a recently issued\u00a0<a href=\"https:\/\/www.eublockchainforum.eu\/sites\/default\/files\/reports\/workshop_2_report_-_gdpr.pdf\">workshop report<\/a>.<\/p>\n","protected":false},"author":41,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"yes","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[777,769,6],"class_list":["post-58289","post","type-post","status-publish","format-standard","hentry","category-general","tag-blockchain","tag-gdpr","tag-privacy"],"_links":{"self":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts\/58289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/comments?post=58289"}],"version-history":[{"count":0,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/posts\/58289\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/media?parent=58289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/categories?post=58289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.dlapiper.com\/iptitaly\/wp-json\/wp\/v2\/tags?post=58289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}