FRANCE: CNIL publishes initial analysis on Blockchain and GDPR

Many questions surround the Blockchain’s compatibility with EU General Data Protection Regulation (GDPR). The French Data Protection Supervisory Authority (the CNIL) has recently published its initial thoughts on this topic, providing some responses and practical recommendations on how the usage of a blockchain may be compatible with GDPR and more generally Data Protection Law, taking into account the “constraints” imposed by such technology. 

The CNIL is one of the first EU data protection supervisory authorities to provide guidance on the compliance of Blockchain with GDPR. The guidance covers the four following topics:


1. What solutions for a responsible use of Blockchain involving personal data?

a) Data controllers

The CNIL considers that the participants to a blockchain (i.e., the persons who have a right to write on the blockchain and create a transaction that is submitted for validation) act as a data controller where:

  • The participant is an individual and the processing is related to a professional or commercial activity; or
  • The participant is a legal entity and writes personal data on the blockchain.

Where several persons decide to process personal data in a blockchain for a common purpose, the CNIL recommends that the participants make arrangements regarding the responsibility of the processing by either:

  • Creating a legal entity to act as data controller; or
  • Designating one participant to make decisions for the group and act as data controller.

Otherwise, all the participants will be considered as joint controllers.

b) Data processors

The CNIL considers that may be considered as data processors:

  • “Smart contract” developers, which process personal data on behalf of the participant (data controller);
  • Miners, which validate transactions on behalf of participants.

With respect to public blockchains, the CNIL is currently working on and recommends to develop solutions to frame the contractual relationships between participants (data controllers) and miners.


2. How to minimize risks for data subjects when the processing of their personal data relies on a blockchain?

a) Privacy by design

The CNIL recommends to assess whether Blockchain is the appropriate technology for the intended use case. If not, the CNIL recommends to use other technologies, more compliant with GDPR.

Where the use of the Blockchain technology is absolutely necessary, then the CNIL recommends to use a permissioned blockchain (instead of a public blockchain), which provides more control over the governance of personal data, in particular with respect to transfers outside the EU as miners may be located outside the EU. Whereas transfer mechanisms such as standard contractual clauses, BCR, codes of conduct or certification mechanisms may be implemented in the context of a permissioned blockchain, their implementation is more tricky in the context of a public blockchain since the data controller does not have any control over the localization of the miners.

b) Data minimization

Because the participants’ identifiers (or public keys) are necessary for the functioning of the blockchain, the CNIL notes that it is not possible to further minimize such data, and that their retention period must be aligned with the duration of the blockchain.

As regards the other personal data, in order to comply with the principles of privacy by design and by default, and of data minimization, the CNIL recommends to use solutions where personal data is processed outside the blockchain, or that only (by order of preference) be stored on the blockchain:

  • A cryptographic undertaking,
  • A data footprint obtained through a keyed hash function, or
  • Encrypted data.

If it is not possible to implement any of these solutions, and where it is justified by the purpose of the processing and a privacy impact assessment has demonstrated that the residual risks were acceptable, the CNIL considers that it is possible to store the data on the blockchain with a hash function without a key, or if there is no other option, in clear.


3. How to ensure the effective exercise of the data subjects’ rights?

The Blockchain technology presumably does not raise any particular issues with respect to transparency, the right of access and the right to data portability.

With respect to the right to erasure, the CNIL acknowledges that it may be technically impossible to comply with this right when the data is stored on the blockchain. This is why the CNIL strongly recommends the use of encryption in order to come as close as possible to ensuring an effective exercise of the data subjects’ rights. In particular, the deletion of the data stored off-chain and of the  verification data allow to cut the accessibility to the evidence recorded in the blockchain and makes it very difficult to retrieve it.


4. What are the security requirements?

In the context of a permissioned blockchain, the CNIL recommends to:

  • Determine a minimum number of miners to avoid collusion attacks;
  • Implement organizational and technical measures to mitigate the impact of an algorithm failure on the security of the transactions. This should include a contingency plan to modify algorithms where a vulnerability is detected;
  • Document the governance of the evolution of the software used to create transaction and mine, and implement technical and organizational procedures to ensure the adequacy of the permissions granted with their implementation;
  • Ensure the confidentiality of the blockchain by implementing appropriate measures.

Although this is a preliminary analysis of the CNIL, it is certainly interesting to know its position on this topic, and to see that its approach is rather pragmatic and takes into account the constraints imposed by the Blockchain technology. The CNIL will continue its reflection on Blockchain and is likely to publish additional guidelines in the future. The CNIL has already announced that it will work on this topic with the other authorities in order to adopt a solid and common approach. It will also liaise with other national regulators such as the AMF in order to lay the foundation of an inter-regulation, which will allow the different stakeholders to have a better understanding of the various requirements applicable to Blockchain.

For more information, please contact Denise Lebeau-Marianna or Caroline Chancé.