The French Data Protection Authority (CNIL) published a report on key personal data protection issues relating to the use of distributed ledger technology (“blockchain”) on November 6, 2018. This report is important, as it is the first public opinion published by a European data protection authority on this issue.
The main divergence between current data protection norms and blockchain lies in their underlying assumptions. Both aim to give individuals greater control over their personal data; however, the methods used to do so seem incompatible.
Current data protection norms assume that all data controllers have full control of the personal data they process. Hence, for example, data controllers will always be able to access, modify or erase the personal data they process. Blockchain assumes that all data management must be decentralized and no individual can make unilateral decisions on data registered in a blockchain.
The CNIL analyzed this tension in its report and makes the following statements:
A participant that registers personal data in a blockchain will be considered a data controller when:
- the participant is a natural person and the processing relates to a professional or commercial activity; or
- the participant is a legal person.
When a group of entities carries out processing operations on a blockchain for a common purpose, they are all considered joint controllers, unless they:
- create a legal person to be data controller; or
- designate one of the participants that makes decisions for the group as the data controller.
Smart contract developers processing personal data on behalf of a participant that is the data controller and miners validating the transaction containing personal data are likely to be considered data processors by the CNIL, so they will need to comply with the requirements of article 28 GDPR.
However, the CNIL acknowledges that these obligations may be considered impossible in public blockchains, due to their nature.
The CNIL also suggests how to mitigate data protection risks when using blockchain:
- Under article 25 GDPR, other solutions that allow full compliance with GDPR should be favored over blockchain when possible. Permissioned blockchains should also be favored over public blockchains, as they make it possible to apply safeguards for transfers of personal data outside the EU, such as standard contractual clauses, binding corporate rules or codes of conduct.
- It recommends minimizing the registration of personal data on a blockchain as much as possible, suggesting that the participant’s public key is the only personal data that should be on a blockchain. The CNIL accepts that the retention period for this public key cannot be other than the lifetime of the blockchain.
- Regarding additional personal data, to ensure compliance with the data protection by design and by default and data minimization obligations, the CNIL recommends solutions in which the data is processed outside the blockchain, or in which measures are taken that guarantee the confidentiality of that data.
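The off-chain pattern in the last point can be made concrete. The example below is added here and is not code from the CNIL report or from any blockchain project: the chain holds only a keyed commitment (HMAC-SHA256) of each record, while the record and its per-record key stay in controller-side storage. Verification recomputes the commitment; erasure deletes the off-chain record and key, after which the on-chain value is an opaque string that cannot be linked back to the person. The `Ledger` and `OffChainStore` classes are hypothetical stand-ins, the choice of HMAC rather than a plain hash is this example's, and `guessable` shows why that choice matters: an unkeyed hash of low-entropy data (an e-mail address) can be matched by guessing, so it would still count as personal data.

```python
"""Off-chain personal data with an on-chain keyed commitment (added example)."""
import hashlib
import hmac
import json
import os
from typing import Iterable, Optional


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commit(key: bytes, record: dict) -> str:
    """Keyed commitment: without the key the digest cannot be checked against guesses."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def plain_hash(record: dict) -> str:
    """Unkeyed SHA-256, shown only to contrast with the keyed commitment."""
    return hashlib.sha256(canonical(record)).hexdigest()


class Ledger:
    """Append-only stand-in for the chain: entries are added, never modified or removed."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, entry: dict) -> int:
        self._entries.append(dict(entry))
        return len(self._entries) - 1

    def get(self, index: int) -> dict:
        return dict(self._entries[index])


class OffChainStore:
    """Controller-side storage holding the personal data and the per-record key."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def put(self, record_id: str, key: bytes, record: dict) -> None:
        self._records[record_id] = {"key": key, "record": dict(record)}

    def get(self, record_id: str) -> Optional[dict]:
        return self._records.get(record_id)

    def erase(self, record_id: str) -> bool:
        """Erasure request: drop data and key together; returns False if already gone."""
        return self._records.pop(record_id, None) is not None


def register(store: OffChainStore, ledger: Ledger, record_id: str, record: dict) -> int:
    """Store the record off-chain and anchor only its keyed commitment on-chain."""
    key = os.urandom(32)  # fresh secret per record, kept off-chain with the data
    store.put(record_id, key, record)
    return ledger.append({"record_id": record_id, "commitment": commit(key, record)})


def verify(store: OffChainStore, ledger: Ledger, index: int) -> bool:
    """True only while the off-chain record and key exist and match the chain entry."""
    entry = ledger.get(index)
    held = store.get(entry["record_id"])
    if held is None:
        return False  # erased (or never stored): the commitment is now unverifiable
    return hmac.compare_digest(commit(held["key"], held["record"]), entry["commitment"])


def guessable(digest_hex: str, candidates: Iterable[dict]) -> bool:
    """Can an unkeyed hash be matched to one of a list of plausible records?"""
    return any(plain_hash(c) == digest_hex for c in candidates)


if __name__ == "__main__":
    store, ledger = OffChainStore(), Ledger()
    alice = {"email": "alice@example.test"}  # constructed sample record
    idx = register(store, ledger, "r1", alice)
    print("verifies before erasure:", verify(store, ledger, idx))
    store.erase("r1")
    print("verifies after erasure:", verify(store, ledger, idx))
    print("keyed commitment guessable:", guessable(ledger.get(idx)["commitment"], [alice]))
    print("plain hash guessable:", guessable(plain_hash(alice), [alice]))
```

The on-chain entry survives erasure unchanged, which is exactly the immutability the report struggles with; what the pattern buys is that, once the key and record are gone, the surviving value reveals nothing and cannot be confirmed against a guess, unlike a plain hash of the same record.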
The CNIL acknowledges that although these recommendations show the authority’s effort to approach data protection compliance, they may not fully comply with GDPR requirements. Therefore, it calls for action at European level regarding personal data protection and blockchain.
Exercise of rights
Regarding the exercise of data subject rights, the CNIL sees major difficulties in data subjects being fully able to exercise their rights to erasure, to object, and to restriction of processing of their personal data. It suggests technical measures for exercising these rights in the broadest way possible. However, the CNIL also acknowledges that the exercise of some rights over personal data registered on a blockchain remains an unsolved problem.
The CNIL advises taking the following additional measures when processing personal data on a blockchain:
- Carrying out impact assessments to clarify the risks that the processing activity will entail.
- Evaluating the minimum number of validators that would ensure that no coalition could control more than 50% of the power over the chain.
- Establishing technical and organizational procedures to limit the impact of a potential algorithm failure (particularly the publication of a vulnerability on a cryptographic mechanism) on the security of transactions, including an emergency plan to be implemented enabling algorithms to be changed when a vulnerability is identified.
Despite the CNIL’s thorough analysis, there are still some crucial topics to tackle, especially regarding public blockchains.
Pedro Méndez de Vigo