The French Data Protection Authority (the “CNIL”) has published a report and related statement on the interplay between the General Data Protection Regulation (“GDPR”) and blockchain technology. Guidance of this nature has been eagerly anticipated, as concerns have been raised for some time about the compatibility of the GDPR with this fledgling technology. Indeed, the recent thematic report by the EU Blockchain Observatory and Forum identified that resolving the tensions between the GDPR and blockchain was a top priority for the EU, because the current uncertainty could act as a brake on innovation.
A previous statement from one of the MEPs who helped introduce the GDPR, Jan Philip Albrecht, was far from encouraging. “Certain technologies will not be compatible with the GDPR if they don’t provide for [the exercising of data subjects’ rights] based on their architectural design. This is where blockchain applications will run into problems and will probably not be GDPR compliant”. The CNIL’s report very much echoes this sentiment, which may be seen as an acknowledgement that the GDPR is not as technologically neutral as its authors intended.
Blockchain and GDPR
There are, understandably, many questions on how to achieve compliance with the GDPR when deploying blockchain technology. Although the GDPR is intended to be technology neutral, it assumes a centralised data management system with a data controller and a data processor. How can you ensure compliance when the technology doesn't fit this centralised model and challenges the very concepts on which the GDPR is built, such as data controller and data processor? Who is responsible for compliance in a decentralised world?
In addition, there have been a range of other questions posed:
- What law and jurisdiction applies?
- What data will be considered personal data?
- Is a public key personal data?
- Can you store transaction data on chain?
- How do restrictions on overseas transfers to countries with adequate levels of protection apply to blockchain?
- How do automated processing restrictions apply to smart contracts?
- Fundamentally, how can the immutable nature of the technology be reconciled with the rights of erasure and the data minimisation and storage limitation principles?
Up until now, those working on blockchain projects have tried to approach the topic practically. Generally speaking, enterprise blockchain projects involve a permissioned network, and in such circumstances it has been considered easier to ensure compatibility with the GDPR. Parties have tended to avoid storing personal data on the blockchain. Instead, best practice has been to store personal data off-chain and register a hash identifier on the chain which links to the data stored off-chain. With respect to the participant's public key, which is likely to be considered pseudonymous personal data and which must be stored publicly for the system to function, parties have been exploring obfuscation methods such as zero-knowledge proofs, one-time keys or other technical measures.
In terms of the right to erasure, different methods have been mooted to try to meet this requirement, including the possibility of editable blockchains and the deletion of private keys. But uncertainty has remained as to whether any of these methods would be sufficient for GDPR compliance and there has been a thirst for the regulators to provide some clarity.
Accordingly, this guidance from the CNIL, which is the first guidance issued by a European data protection authority on the topic of blockchain, is very welcome. However, while it provides useful clarifications on some of the questions faced by the blockchain sector, it also leaves a number of key issues unanswered. Indeed, the CNIL acknowledges in its statement that blockchain's challenges call for a response at EU level and that it intends to engage with its EU counterparts to ensure a harmonised approach.
The CNIL analysis concerns blockchain technology. The CNIL specifically states that it has not analysed other forms of distributed ledger technology. In addition, the report focuses on public blockchains (blockchains that anyone can join, e.g., the bitcoin blockchain) and permissioned blockchains (blockchains that restrict access to certain invited participants, such as a consortium blockchain). With respect to private blockchain systems (i.e., those controlled by a single organisation), the regulator considers that these are, in effect, classic decentralised databases and do not pose particular GDPR concerns.
In the guidance, the CNIL confirms that any use of blockchain technology in the context of a data processing activity is subject to the GDPR and must comply with all applicable requirements. However, the regulator acknowledges that the architecture and specific characteristics of blockchain will have consequences for the way in which personal data are stored and processed and for how the rights of individuals are exercised. Accordingly, the regulator believes that the technology merits specific analysis (although the CNIL expresses some reluctance about the technology and recommends that parties use “other solutions providing full compliance with the GDPR”, where possible).
The CNIL believes that when evaluating data protection compliance in the context of blockchain, two types of processing activities need to be considered: (i) the processing of participants' and miners' identification data, on the one hand, and (ii) the processing of personal data recorded in a transaction, on the other. Practically speaking, it is the second type of personal data processing activity that raises most concerns from a GDPR compliance perspective and which most of the guidance focuses on.
The key takeaways of the guidance can be summarized as follows:
- Controllers: according to the CNIL, participants that have a right to write on the blockchain and that have the power to decide which data should be added to the blockchain are to be considered controllers, except if they use blockchain for domestic and personal purposes - e.g., an individual buying/selling Bitcoin for their own account - as they would then benefit from the household exemption under the GDPR. As miners do not decide on the content of a transaction, the CNIL is of the view that they are not controllers and may be, “in some instances”, processors (see below).
- Joint controllers: if several participants jointly decide to use blockchain for a specific data processing activity, the CNIL is of the view that they will be joint controllers and will need to define in a transparent manner their respective roles and responsibilities as required under article 26 GDPR. Given the difficulties associated with such plurality of controllers, the CNIL however suggests a practical approach and recommends that the participants designate a particular party - perhaps a newly formed, separate entity - as the controller to act as a decision maker for the group.
- Processors: the CNIL recognizes that some actors in a blockchain context will be processors. This is, for instance, the case of providers of smart contract solutions. According to the CNIL, miners too could be, in some instances, considered processors acting on behalf of participants when they verify and validate transactions based on set technical criteria. As a result, participants and miners should enter into a data processing agreement as required under article 28 GDPR. The CNIL recognizes that this requirement obviously creates serious challenges for public blockchain where it is extremely difficult in practice to set up the required contractual structure between the parties. The CNIL indicates that it is going to continue to reflect on this matter. In the meantime, the regulator encourages blockchain actors to develop innovative solutions to achieve compliance on their own.
- Privacy by design & DPIAs: having clarified the roles of blockchain actors under the GDPR, the CNIL insists that blockchain may not be the most appropriate means for processing personal data and urges controllers to carefully assess, from the start (as per the privacy by design principle), whether or not blockchain technology should be used at all. If so, the parties should consider which type of blockchain technology is the most appropriate given the context at stake. The CNIL also insists that a DPIA should always be carried out before deciding to use blockchain technology. Note that the CNIL indicates a strong preference for permissioned blockchain rather than public blockchain, which is a source of greater risks for individuals.
- International data transfers: the guidance acknowledges the challenges that international data transfer requirements pose in respect of public blockchain, where participants do not have control over the location of other participants and miners, and recognizes that existing safeguards (Model Clauses, BCRs, codes of conduct, and certifications) may not offer an adequate solution in this context. The CNIL therefore suggests that permissioned blockchains may be better suited for compliant transfers of personal data outside of the EU as existing safeguards may be implemented easily in that context.
- Data minimisation & confidentiality: choosing the format in which the data will be recorded is also key to assessing compliance with the GDPR. For the CNIL, preference should always be given to a format where the personal data is not stored on the blockchain. More particularly, preference should be given to storage in the blockchain of a cryptographic commitment, an imprint of the data obtained with a hash function, or, at the very least, a cipher. Storing personal data in the blockchain will only be justified in exceptional circumstances - e.g., when there is a legal obligation for the data to be publicly accessible - and always requires a DPIA and a confirmation that the residual risks have been deemed acceptable.
- Storage limitation & DSRs: the CNIL recognizes that the immutable nature of the data recording means that it may be technically impossible to comply with the GDPR storage limitation principle and the data subjects' rights to erasure and rectification. The CNIL however acknowledges that alternative technological solutions could potentially be used to achieve a similar result and give effect to those rights and that principle in practice (e.g., deleting the private key used with the hash function so that the data becomes almost inaccessible, approximating the effect of an erasure). To the best of our knowledge, this is the first time that the CNIL has contemplated a solution that may closely match the storage limitation principle without fully complying with it. However, the CNIL has ultimately declined at this stage to make any definitive judgment on whether or not these solutions could be appropriate equivalents and be compliant with the GDPR. This is one of the areas that it wants to explore further with its EU counterparts.
- Security: although the CNIL expects the general GDPR security requirements to apply to blockchain, it also provides some specific recommendations on the type of security measures expected in a blockchain context, focusing on the minimum number of miners required in a permissioned blockchain and on cryptographic functionalities.
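The data-format and erasure points above (a keyed commitment on chain, personal data off-chain, and deletion of the key as a stand-in for erasure) can be made concrete. The following is an added illustration, not code from the CNIL report or from any project it discusses; the append-only list, the off-chain dictionary and the function names are constructed for the example, and HMAC-SHA256 is assumed as the keyed hash function.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed stand-ins: an append-only ledger and an off-chain store.
LEDGER: List[dict] = []          # never shrinks, mimicking immutability
OFFCHAIN: Dict[str, dict] = {}   # holds the personal data and its commitment key

def commit_record(record_id: str, personal_data: bytes) -> str:
    """Keep data off-chain; anchor only a keyed commitment (HMAC-SHA256) on chain."""
    key = secrets.token_bytes(32)              # fresh 256-bit key per record
    tag = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
    OFFCHAIN[record_id] = {"data": personal_data, "key": key}
    LEDGER.append({"record_id": record_id, "commitment": tag})
    return tag

def verify_record(record_id: str) -> bool:
    """Recompute the commitment from the off-chain copy and compare with the ledger."""
    entry = OFFCHAIN.get(record_id)
    if entry is None:
        return False                           # data or key no longer held
    onchain = next(e for e in LEDGER if e["record_id"] == record_id)
    expected = hmac.new(entry["key"], entry["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, onchain["commitment"])

def erase_record(record_id: str) -> None:
    """Erasure request: drop the off-chain data and key; the ledger entry stays."""
    OFFCHAIN.pop(record_id, None)

def can_confirm_guess(record_id: str, guess: bytes) -> bool:
    """Can anyone still test a guess against the on-chain commitment?
    Only while the key exists; once it is deleted the commitment alone
    reveals nothing about the data, which is the 'almost inaccessible' effect."""
    entry = OFFCHAIN.get(record_id)
    if entry is None:
        return False
    onchain = next(e for e in LEDGER if e["record_id"] == record_id)
    candidate = hmac.new(entry["key"], guess, hashlib.sha256).hexdigest()
    return hmac.compare_digest(candidate, onchain["commitment"])

def plain_hash_imprint(data: bytes) -> str:
    """The contrast: an unkeyed SHA-256 imprint of low-entropy data (a name,
    a birth date) lets anyone test guesses against the chain forever."""
    return hashlib.sha256(data).hexdigest()
```

Note that the ledger entry itself is never removed: the approach relies on the commitment being hiding without its key, which is why the CNIL treats it as approximating erasure rather than achieving it.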
While this guidance is welcome (and, some might say, overdue), it still leaves some uncertainties. In particular, as has been long identified, the CNIL acknowledges that public blockchains are the most likely to create difficulties for GDPR compliance, especially with respect to article 28 of the GDPR and international data transfers, and does not offer any concrete solutions to these critical issues.
However, even with permissioned blockchain, the guidance recognises the inherent tension between the permanent nature of the data recording and certain fundamental principles of the GDPR (i.e., the storage limitation principle and the data subjects' rights to erasure and rectification). In addition, in a move which is hardly surprising, the CNIL has declined to take a definitive position on whether or not alternative technological solutions can be deemed an appropriate equivalent in terms of GDPR compliance.
Nonetheless, this guidance is a useful first step and a positive sign that regulators are open to engaging in a constructive discussion and willing to find practical and concrete solutions to achieve compliance with the GDPR. Moreover, the CNIL recognizes the potential benefits of blockchain in fostering accountability and facilitating the exercise of some data subject rights, two key elements under the GDPR.
French companies (and other companies making use of blockchain which involves the personal data of French citizens) should take note of the CNIL guidance in terms of data format, security, and overall compliance, and implement innovative technological solutions that give practical effect to the GDPR requirements. In addition, companies should document all decisions made in relation to their use of blockchain technology for personal data processing (including the decision to use blockchain) and their reasoning as to why they have achieved an acceptable level of GDPR compliance.
For companies outside France, the CNIL's perspective on blockchain is a useful first indication of the approach that national data privacy regulators are likely to take to GDPR compliance. It's clear that a permissioned system is going to be the safest approach. But, nonetheless, privacy by design practices and a DPIA are going to be essential and privacy counsel should be engaged early on. Given this is a fast moving area, organisations should also keep a close eye out for further developments from their own national data privacy regulators and the EU authorities.
For the blockchain sector, it is clear that it needs to continue to engage with policy makers and regulators to educate them about the technology and ensure that any resulting blockchain guidance is appropriate and proportionate to the risks posed by this fledgling technology.