Blockchain compliance with GDPR requirements was tested by the French privacy authority and the European Commission, with uncertain outcomes.
Blockchain privacy compliance is a very hot topic that led to major discussions. The compliance of the impossibility to remove information from the distributed ledger with the GDPR’s right to be forgotten for instance has been challenged in several instances. But this is only one of the topics now covered by the French data protection authority, the CNIL, in its guidelines on the topic (which were covered here on DLA Piper Privacy Matters blog by my colleagues Denise Lebeau-Marianna and Caroline Chancé) and by the EU Blockchain Observatory and Forum of the European Commission in a workshop report recently issued.
Below are the most interesting insights arising from those documents and my personal view on them:
Does the GDPR apply to blockchain?
Transactional data recorded on a blockchain that can be linked to an individual are likely to fall under the category of personal data.
More debated is whether the same conclusion applies in relation to public keys. A public key is cryptographically connected to a cryptocurrency address in the sense that the address is a representation of the public key. The public key can be thought of as being an individual’s bank account, whilst the private key is the secret PIN to that bank account. The private key is used to generate the public key, but the process is irreversable and therefore none can calculate the private key from the public key.
It can be argued that the public key is still an information linked to an individual. But the issue is whether – given the level of complexity of the public key – it is likely that such information can be connected to the relevant individual.
If we take an example the bank account number, this will be personal data for the bank where the account holder has his bank account, but, for any other individual, that information is unlikely to be personal data since they are not able to link that information to anyone. Indeed, pseudonimized data (such as public keys) under the GDPR are personal data only if individuals are identifiable taking into account
“all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly“.
Who is the data controller on a blockchain?
The CNIL considers that participants to a blockchain (i.e. the persons who can write on the blockchain and create a transaction that is submitted for validation) act as data controllers where:
- either the participant is an individual and the processing is related to a professional or commercial activity;
- or the participant is a legal entity and writes personal data on the blockchain.
Where several persons decide to process personal data on a blockchain for a common purpose, the CNIL recommends that the participants make arrangements regarding the responsibility of the processing by:
- either creating a legal entity to act as data controller; or
- or designating one participant to make decisions for the group and act as data controller.
Otherwise, all the participants will be considered as joint controllers.
This interpretation can be debated since it relegates the identification of the data controller to an arrangement between the parties involved, rather than a de facto situation which is the rationale behind the GDPR. Also, in a permissionless blockchain, like the Bitcoin, it could be even argued that there is no actual data controller since there is no full control of the transaction.
Who is the data processor?
The CNIL considers that may be considered as data processors:
- smart contract developers, which process personal data on behalf of the relevant participant that acts as data controller; and
- miners, which validate transactions on behalf of participants.
But, with respect to public blockchains, the CNIL is currently working on and recommends to develop solutions to frame the contractual relationships between participants (data controllers) and miners.
The matter is “tricky” also on this issue. Indeed, the GDPR requires that the data controller performs an actual control over its data processors which can be even fined, if they do not comply with the data controller’s instructions, but can it happen in a public blockchain?
What are the principles to blockchain privacy compliance according to the CNIL?
Privacy by design is one of the backbone principles of the GDPR. The issue in a blockchain is always the lack of control on its operations. This is why the CNIL recommends to assess whether blockchain is the appropriate technology for the intended use case. If not, the CNIL recommends to use other technologies, more compliant with GDPR.
Where the use of the Blockchain technology is absolutely necessary, then the CNIL recommends to use a permissioned blockchain (instead of a public blockchain), which provides more control over the governance of personal data, in particular with respect to transfers outside the EU as miners may be located outside the EU.
This is also to comply with GDPR requirements on data transfers outside the EU since whereas transfer mechanisms such as standard contractual clauses, BCR, codes of conduct or certification mechanisms may be implemented in the context of a permissioned blockchain, their implementation is more tricky in the context of a public blockchain since the data controller does not have any control over the localization of the miners.
Because the participants’ identifiers (or public keys) are necessary for the functioning of the blockchain, the CNIL notes that it is not possible to further minimize such data, and that their retention period must be aligned with the duration of the blockchain.
As regards the other personal data, in order to comply with the principles of privacy by design and by default, and of data minimization, the CNIL recommends to use solutions where personal data is processed outside the blockchain and to store on the blockchain only:
- A cryptographic undertaking,
- A data footprint obtained through a keyed hash function, or
- Encrypted data.
If it is not possible to implement any of these solutions, and where it is justified by the purpose of the processing and a privacy impact assessment has demonstrated that the residual risks were acceptable, the CNIL considers that it is possible to store the data on a blockchain with a hash function without a key, or if there is no other option, in clear.
The CNIL seems to imply that the assessment has to be performed on a case by case basis, suggesting tools like encryption that enable to control the level of disclosure of personal data on a blockchain.
Can right to be forgotten exercised on a blockchain?
Blockchain privacy compliance presumably does not raise any particular issue with respect to transparency, the right of access and the right to data portability.
With respect to the right to to be forgotten (or erasure), the CNIL acknowledges that it may be technically impossible to comply with this right when the data is stored on the blockchain. This is why the CNIL strongly recommends the use of encryption in order to come as close as possible to ensuring an effective exercise of the data subjects’ rights. In particular, the deletion of the data stored off-chain and of the verification data allow to cut the accessibility to the evidence recorded in the blockchain and makes it very difficult to retrieve it.
The solution seems to be always the same. It is necessary to introduce an additional level of complexity to blockchain technology to enable a control of information as otherwise it might not be privacy compliant.
What security measures shall be put in place?
In the context of a permissioned blockchain, the CNIL recommends to:
- determine a minimum number of miners to avoid collusion attacks;
- implement organizational and technical measures to mitigate the impact of an algorithm failure on the security of the transactions. This should include a contingency plan to modify algorithms where a vulnerability is detected;
- document the governance of the evolution of the software used to create transaction and mine, and implement technical and organizational procedures to ensure the adequacy of the permissions granted with their implementation; and
- ensure the confidentiality of the blockchain by implementing appropriate measures.
These are general principles that shall be decoded in the peculiarities of the case to ensure blockchain privacy compliance.
It will be interesting to see the position of other data protection authorities on the matter since there is no doubt that blockchain has major potentials. How can the lack of control on data which is a major feature of blockchain live with data protection law regulations which impose a control over personal data?