GDPR compliant use of blockchain: French DPA CNIL issues guidelines

The French privacy authority CNIL has recently issued guidelines for the privacy-friendly use of blockchain technology. With this, the CNIL wants to take a first step towards legal certainty for all organizations and networks that want to use blockchain when processing personal data.

Data protection is a major challenge for the development and use of blockchain technology, especially when it comes to a “public ledger”. It didn’t take long for data protection specialists to figure out that blockchain and GDPR aren’t necessarily compatible concepts. The use of public registers in particular raises legal questions from the point of view of privacy: designation of the “controller(s)”, execution of requests for removal, application of data minimization and the like.

The data protection authorities are authorized to assess processing and the associated technology for GDPR compliance. It was therefore a matter of waiting for the first guidelines from these DPAs – in the absence of more detailed regulations – for a privacy-friendly application of blockchain technology. The French CNIL is now coming out with the first guidelines, in which various uncertainties are eliminated. We will briefly discuss the most important points below.

Data controller

Essential to blockchain is the decentralization of data processing. Processing does not take place at one entity, but is distributed over all active participants in the blockchain network. A first crucial question – for any processing, incidentally – is who should be regarded as the “data controller”, responsible for the processing.

In the case of a blockchain, all participants with writing permissions should be regarded as (co-)controllers, responsible for the processing of personal data. According to the CNIL, a natural person who participates in the blockchain for personal use should not be regarded as a controller. This view probably creates an imbalanced division of responsibilities, because participants with commercial intent will be “jointly and severally” liable, including for the actions and decisions of participants in the same blockchain who act with personal intent.

Again according to the CNIL, the group may designate one person as “controller” to avoid the group being covered by the special liability classification for “joint controllers”. This is remarkable, because in essence it is the Regulation that determines who can be held liable for violations of the privacy rights of those involved, and not the participants in a blockchain system themselves.

Participants who only make verification calculations, the so-called “miners”, should not be considered “controllers”. It is not clear what status “miners” receive from the CNIL, although it does not exclude the possibility that a “miner” can act as a processor, which would make the drafting of a processor agreement mandatory. In principle, “miners” do not see any personal data – even where such data is included in the blockchain – but only a “hash”, which must then be verified. The question then is whether the data were not already sufficiently anonymised in the light of the GDPR?

Users of the blockchain, who only benefit from the blockchain system, are not assigned a specific GDPR role. At least insofar as they only participate for personal use.

Before you begin

After the first hype wave of blockchain technology, realism soon set in: blockchain is not an ideal medium for all processing operations. The CNIL fully supports this vision. According to the “privacy by design” principle, every organization must carefully consider whether setting up a blockchain is the most appropriate technique. “Privacy by default” asks all responsible parties to make the most privacy-friendly choices. In all this, the CNIL rightly refers to the problem of cross-border transfers outside the EU / EEA, which take place regularly with blockchain.

The CNIL also indicates how personal data should be written to a blockchain and prefers “commitments”, a “hash” of the original content or at least an encrypted form of that same content. It is therefore strongly recommended not to write the original, human-readable and intelligible data to a blockchain, but only a one-way code that allows the members of the blockchain to verify the integrity of the original data.
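The pattern described above, as an added Python sketch that is not taken from the CNIL guidelines or from this article: only a keyed hash goes into the append-only ledger, while the readable data and the secret key stay in an off-chain store that can be erased. The names `ledger`, `off_chain`, `record`, `verify` and `erase` are hypothetical, HMAC-SHA-256 is an assumed choice of one-way code, and the e-mail addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ledger = []     # append-only stand-in for the chain: holds digests only
off_chain = {}  # erasable store: ledger index -> (personal data, secret key)

def unkeyed_hash(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def keyed_digest(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def record(data: str) -> int:
    """Write only a keyed hash to the ledger; keep data and key off-chain."""
    key = secrets.token_bytes(32)
    ledger.append(keyed_digest(key, data))
    idx = len(ledger) - 1
    off_chain[idx] = (data, key)
    return idx

def verify(idx: int) -> bool:
    """Integrity check: does the off-chain record still match the ledger entry?"""
    if idx not in off_chain:
        return False
    data, key = off_chain[idx]
    return hmac.compare_digest(keyed_digest(key, data), ledger[idx])

def erase(idx: int) -> None:
    """Erasure request: delete data and key off-chain; the ledger entry stays."""
    off_chain.pop(idx, None)

def matches_unkeyed_hash(digest: str, candidates) -> Optional[str]:
    """Re-identification check: an unkeyed hash of guessable data can be
    matched by hashing a list of candidate values and comparing."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None

if __name__ == "__main__":
    subject = "jane.doe@example.org"  # constructed sample value
    candidates = ["john.roe@example.org", subject]
    print("unkeyed hash matched:", matches_unkeyed_hash(unkeyed_hash(subject), candidates))
    idx = record(subject)
    print("keyed digest matched:", matches_unkeyed_hash(ledger[idx], candidates))
    print("verifies before erasure:", verify(idx))
    erase(idx)
    print("verifies after erasure:", verify(idx), "| ledger entries:", len(ledger))
```

The unkeyed hash of a guessable value is matched by simple enumeration, which is why it is at best pseudonymised; the keyed digest is not, and once the off-chain record and key are deleted the remaining ledger entry can no longer be tied to the data.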

Rights of data subjects

Blockchain poses few problems for a number of rights of the data subject, according to the CNIL. Responsible parties can easily provide insight into the manner of processing. And the CNIL sees few problems in the implementation of the right of access and the right to transfer data.

The situation is different when it comes to the right to erase or change data. This was one of the big concerns about the conformity of blockchain with data protection laws. After all, it is inherent to blockchain technology that data is written to the chain in such a way that it can never be removed. Nevertheless, according to the CNIL there is little danger to the privacy rights of the individual when the personal data has been appropriately pseudonymised or hashed. This is also one of the reasons why the CNIL strongly recommends not to write clear, intelligible personal data to a blockchain, but only sufficiently anonymised or pseudonymised data. The CNIL remains rather vague, but states that upstream measures can be taken, for example in the case of smart contracts, to also respect these rights.

Decision

Blockchain must pass a serious privacy threshold. With its guidelines on the responsible use of blockchain for the processing of personal data, the CNIL has taken a timid step in clearing up the many questions that arise when using the technology. Yet the CNIL leaves several issues open or admits that blockchain and GDPR are a difficult marriage. Whether they stay that way, the future – and possibly the opinions of sister authorities of the CNIL – will have to prove.

Questions concerning blockchain or GDPR?

Our team is happy to assist. Please feel free to contact us at info@siriuslegal.be or at +32 2 721 13 00.