Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data
Blockchain is a technology with a high potential for development that raises many questions, including questions on its compatibility with the GDPR. For this reason, the CNIL has addressed this matter and presents concrete solutions to stakeholders who wish to use it as part of their personal data processing operations.
What is a blockchain?
A blockchain is a database in which data is stored and distributed to a large number of computers and in which all entries, called “transactions”, are visible to all users. A blockchain is not, in itself, a data processing operation with its own purpose: it is a technology which can serve in a diverse range of processing operations.
Please note: The term “blockchain” is often associated with another term that refers to a larger family of technologies: DLTs, or “Distributed Ledger Technology”. While the CNIL is interested in the development of such ledgers - which include but are not limited to blockchains - it has decided to focus its analysis on blockchain technology alone given that DLT solutions that are not blockchains are still too recent and too rare for a proper generic analysis.
What are the characteristics and different types of blockchains?
Blockchains are defined by the following properties:
- transparency: all participants can view all data recorded;
- sharing and decentralisation: several copies of the blockchain coexist on different computers;
- irreversibility: once data is recorded, it cannot be altered or removed; and
- disintermediation: all decisions are made by consensus between the participants, without a central arbitrator.
In practice, there are several types of blockchains, which use different permission levels for different categories of participants. The CNIL uses the following classification:
- Public blockchains are accessible to all, anywhere in the world. Anyone can record a transaction, take part in the validation of the blocks or access a copy of them;
- Permissioned blockchains have rules that set out who can take part in the validation process or even register transactions. They can, depending on the case, be accessible to all or be restricted;
- “Private” blockchains are controlled by a single actor who alone oversees participation and validation. According to some experts, these parameters do not respect the traditional properties of blockchains, such as decentralisation and shared validation. In any case, private blockchains do not raise specific issues regarding their compliance with the GDPR. They are merely “traditional” distributed databases.
Who are the various actors that interact with blockchains?
The CNIL distinguishes between three types of blockchain actors:
- “accessors”, who have the right to read and hold a copy of the chain;
- “participants” who have the right to make entries (i.e., make a transaction for which they request validation);
- “miners” who validate a transaction and create blocks by applying blockchain rules for “acceptance” by the community.
How do the GDPR and blockchains interact?
When a blockchain contains personal data, the GDPR is applicable. The architecture and characteristics specific to blockchains will, however, have consequences on how personal data is stored and processed. The impact of blockchains on individual rights (namely, the right to privacy and the right to personal data protection) therefore calls for a specific analysis.
However, innovation and the protection of individuals’ fundamental rights are not two conflicting goals. In fact, the GDPR does not aim at regulating technologies per se, but regulates how actors use these technologies in a context involving personal data.
For this reason, the CNIL has addressed this matter and, with the aim of contributing to ongoing discussions on these technologies and their development, offers an initial analysis and recommendations to stakeholders who wish to use blockchains when carrying out personal data processing.
Which use-case scenarios involve personal data, whether directly or indirectly?
The CNIL has received requests for advice from public and private stakeholders, in particular from the health sector and from financial institutions, including public institutions, large companies and start-ups. Over the course of these exchanges, it has observed that blockchains cover a very broad range of situations.
They can serve to transfer assets (e.g.: Bitcoin or property deeds), be used as a ledger ensuring traceability (e.g.: diploma certification) or even to launch a smart contract. The latter concept refers to an independent programme that “freezes” an agreement reached by two people in a blockchain in the form of an algorithm.
Although not all blockchain projects involve personal data processing, in practice, many uses of this technology require the manipulation of such data, both in terms of content and of information related to participants.
A blockchain can contain two categories of personal data:
- participants’ and miners’ identifiers: each participant/miner has a public key, ensuring identification of the issuer and receiver of a transaction;
- additional data contained “within” a transaction (e.g.: diploma, property deed). If such data concerns natural persons, possibly other than the participants, who may be directly or indirectly identified, such data is considered personal data.
Using this distinction, the usual GDPR analysis applies: identification of the data controller, enforcement of rights, implementation of appropriate safeguards, security obligations, etc.
A technological solution in support of the principle of accountability?
The GDPR represents a paradigm shift. Each actor, whether data controller or data processor, must now be able to demonstrate that its processing operations comply with the requirements set out by the GDPR.
In some cases, these technologies can provide effective solutions to some data protection issues. The CNIL has indeed had the opportunity of meeting solution providers who suggest relying on blockchain characteristics to efficiently meet the requirements imposed by the GDPR on data controllers.
The immutability of actions carried out on blockchains has, in particular, allowed for the development of solutions that meet the requirement for traceability of consent and operations carried out on data.
Which points require particular attention?
In some cases, these technologies are likely to raise issues regarding the GDPR. They will therefore not always be the most suitable solution for every processing operation. Some aspects, such as the implementation of obligations concerning sub-contracting or the rules governing international transfers of personal data, require particular attention from actors using blockchains, in particular for public blockchains.
It is thus necessary to concretely assess the real necessity to use blockchain technology in light of the objectives and characteristics of each processing operation. In application of the privacy by design principle, the CNIL therefore calls for stakeholders to question, from a very early stage, the necessity of using blockchain technology, rather than an alternative technology, to carry out their processing operations.
In addition to questioning the use of a blockchain, the data controller must also question which type of blockchain should be used.
The CNIL notes that blockchains can take different shapes and that the choices made by data controllers (between a permissioned blockchain and a public blockchain, between different formats for recording data on blocks, etc.) can have a significant impact, both positively and negatively, on risks to individuals’ rights and freedoms.
What are the solutions?
Regarding the role of various actors, the work carried out by the CNIL has revealed that, in many cases, the participant (i.e. the person deciding to register data on a blockchain) can be considered as a data controller given that the participant determines the purpose and means of data processing.
Concerning the exercise of rights, some rights can be exercised effectively such as the right of access and the right to portability. As regards the right to erasure, the right to rectification and the right to object to processing, the CNIL acknowledges the existence of technological solutions that should be evaluated. Without resulting in strictly identical effects, these solutions enable stakeholders to come closer to the GDPR’s compliance requirements, in particular by blocking access to data depending on the format chosen (e.g., commitment, fingerprint generated by a hash function with a key, encryption, etc.). Their compliance with the GDPR should therefore be examined. Moreover, in a more general manner, it is important not to store personal data in cleartext on a blockchain.
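The following sketch is an added illustration, not code from the CNIL, of the "fingerprint generated by a hash function with a key" format mentioned above: only a keyed fingerprint is written to the ledger, while the personal data and the secret key stay off chain where they can be deleted. The names `OffChainStore`, `LEDGER` and `matches_unkeyed_hash` and the sample record are hypothetical.

```python
import hashlib
import hmac
import secrets

LEDGER = []  # stand-in for the chain: append-only, entries are never removed


class OffChainStore:
    """Hypothetical controller-side store; key and data never go on chain."""

    def __init__(self):
        self._records = {}  # fingerprint -> (secret key, personal data)

    def register(self, personal_data: bytes) -> str:
        key = secrets.token_bytes(32)  # fresh secret key per record
        fp = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
        self._records[fp] = (key, personal_data)
        LEDGER.append(fp)  # only the keyed fingerprint is recorded on chain
        return fp

    def verify(self, fp: str, claimed: bytes) -> bool:
        record = self._records.get(fp)
        if record is None:  # key erased: nothing can be checked any more
            return False
        expected = hmac.new(record[0], claimed, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, fp)

    def erase(self, fp: str) -> None:
        # Off-chain deletion of key and data; the ledger entry itself remains.
        self._records.pop(fp, None)


def matches_unkeyed_hash(onchain_value: str, candidates) -> bool:
    """True if a party without any key can tie the value to a candidate record."""
    return any(hashlib.sha256(c).hexdigest() == onchain_value for c in candidates)


def demo() -> dict:
    diploma = b"Jane Example;MSc Computer Science;2018"  # constructed sample
    store = OffChainStore()
    fp = store.register(diploma)
    before = store.verify(fp, diploma)
    store.erase(fp)
    return {
        "verifiable_before_erasure": before,
        "verifiable_after_erasure": store.verify(fp, diploma),
        "still_on_ledger": fp in LEDGER,
        "keyed_fp_linkable_without_key": matches_unkeyed_hash(fp, [diploma]),
        "plain_hash_linkable_without_key": matches_unkeyed_hash(
            hashlib.sha256(diploma).hexdigest(), [diploma]),
    }
```

The last two results show why the key matters: an unkeyed hash of a guessable record can be matched by anyone holding a copy of the chain, whereas the keyed fingerprint cannot be tied back to the record once the key is deleted, even though the ledger entry is still there.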
Furthermore, principles relating to security of data remain entirely applicable to blockchains.
In any case, carrying out a data protection impact assessment could allow an analysis of the necessity and proportionality of the mechanism and, where necessary, enable the identification of cases in which other solutions may be more suitable.
To find out more, please see the CNIL’s analysis and recommendations.
What is the CNIL’s action plan?
The challenges raised by blockchains in terms of compliance with human rights and fundamental freedoms necessarily call for a response at the European level. The CNIL is one of the first authorities to officially address the matter and will work cooperatively with its European counterparts to suggest a strong and harmonised approach.
It also intends to contact other national regulators (the Autorité des marchés financiers (Financial Markets Regulator) and the Autorité de Contrôle Prudentiel et de Résolution (ACPR, Prudential Supervision and Resolution Authority)) to establish a foundation for inter-regulation that will allow the stakeholders involved to better understand the various regulations applicable to blockchains.