Discussions on the compatibility between blockchain and the GDPR continue to progress with the recent publication of a thematic report from the EU's Blockchain Observatory and Forum ("Observatory"). This report on Blockchain and the GDPR published on 16 October 2018 follows on from recent guidance from the CNIL (discussed in our recent alert).
The report offers an encouraging message: "there is no contradiction in principle between the goals of the GDPR and those of blockchain technology."
The report acknowledges that the GDPR does not offer clear answers to all of the questions asked by blockchain entrepreneurs and technologists. However, despite these tensions, the Observatory believes that blockchain is here to stay, and governments and regulators (many of which have already embraced blockchain) are "by no means looking to end this technology." Indeed, the Observatory remarks that it is excited to see many blockchain projects exploring how the technology could be used to support the GDPR.
GDPR may be not so 'technology-neutral' after all
Interestingly, the report could be seen as implicitly recognizing that the GDPR is not as technology neutral as it claims to be, as the report acknowledges that, while the GDPR intended to take into account the significant technological developments of the past decades, it was conceived before the rise of blockchain.
The report notes that blockchain is one of today's most disruptive technologies due to its decentralization of data. This creates a key tension with the GDPR which is built on the implicit assumption that data are always controlled by identifiable actors. With blockchain, this assumption is no longer valid.
Yet, despite this acknowledgement, the report insists that you have to look at how blockchain is being used. The Observatory clarifies that there is no such thing as a "GDPR-compliant blockchain technology", but only GDPR-compliant use cases and applications.
In addition, unsurprisingly, although the Observatory states that "most GDPR requirements can be applied to most blockchain applications," it recognizes that achieving GDPR compliance will be easier with a private permissioned blockchain than with a public permissioned network. Nonetheless, the report recognizes that "public networks are here to stay and represent a vital space for innovation in the same way that the web did over the last 20 years."
Key GDPR tensions
The report identifies some of the key tensions arising from practical compliance with the GDPR in a blockchain context. These include:
- Identification of controllers and processors: given the nature of blockchain technology, it is sometimes difficult, or even impossible, to identify the data controller. For private blockchains, the report recommends (as did the CNIL) that the consortium designate one or more actors that will be responsible for the blockchain and will act as controller or joint controllers; for public blockchains the issue is less clear. In certain cases it will be possible to identify an entity that operates the product or service and acts as an intermediary between users and the blockchain. In other cases it will be much more of a grey area. In particular:
- The Observatory believes that it would be desirable in many instances that protocol developers who create and maintain open-source blockchain technology should not be considered data controllers. The report suggests "holding developers accountable … would be like holding…Tim Berners-Lee accountable for everything that happens on the world wide web…" In addition, the report states that it would be desirable that validating or participating nodes in public permissionless networks should not be considered data controllers either.
- On the other hand, while not definitively resolving the issue, the report suggests that a desirable outcome could be to consider network users that submit personal data to the blockchain as controllers (unless the household exemption applies).
- In terms of the publishers of smart contracts, the report acknowledges that there is a debate as to whether this software should be seen as being operated by its publisher, the network user or both. It expects that the issue will probably need to be resolved on a case-by-case basis.
- Call for clarification of the concept of anonymous data: starting from the premise that the ability to keep personal data off-chain is key to GDPR compliance, in particular for public blockchain, the report acknowledges that there are intense debates within the community as to what specific techniques may be used to turn personal data into anonymous data. The report analyzes a number of existing and promising future anonymization techniques, including obfuscation, encryption and aggregation, and the related reversal and liability risks. Ultimately, the report concludes that until various issues regarding anonymization techniques are clarified by the EDPB or in court, the nature of the data placed on the chain will need to be assessed on a case-by-case basis.
- Additional GDPR tensions: the report also lists a number of additional tensions between blockchain and the GDPR, including how to effect the data subject rights to data erasure and rectification given the permanent nature of inscriptions on the chain; how to cover international data transfers in a context where recipients and their location are often unknown; and the risks related to automated decision-making. With respect to erasure, the report notes that the GDPR does not specify what constitutes erasure, but refers to the CNIL's acknowledgement that some encryption techniques, coupled with key destruction, could potentially be considered erasure even if it's not erasure in the strictest sense.
Going forward: 4 rule-of-thumb principles
The report does not definitively settle any of the tensions between the GDPR and blockchain that it identifies, which is not surprising given the status of the Observatory. Indeed, the report expressly states that these tensions cannot be resolved by the report. Only the EDPB, the courts, or the national regulators themselves are in a position to do this. Going forward, the Observatory expects regulatory agencies to gradually bring forth proposals that will clarify the issues outlined in the report.
However, in the meantime, the report presents 4 rule-of-thumb principles designed to guide blockchain users (largely aligned with the CNIL's recent recommendations), which are:
- Principle 1: Start with the big picture: how is user value created, how is data used and do you really need blockchain?
- Principle 2: Avoid storing personal data on a blockchain: make full use of data obfuscation, encryption and aggregation techniques in order to anonymize data.
- Principle 3: Collect personal data off-chain or, if the blockchain can't be avoided, on private, permissioned blockchain networks. Consider personal data carefully when connecting private blockchains with public ones.
- Principle 4: Continue to innovate, and be as clear and transparent as possible with users. In other words, pending further clarification from regulators, the key message is to continue to innovate, but in a privacy-responsible way, using common sense and making full use of data minimization and anonymization techniques.
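The pattern behind Principle 2 and the erasure discussion above (personal data kept off-chain, only a keyed commitment on the immutable chain, erasure effected by destroying the key) as an added illustration written for this post, not code from the Observatory or the CNIL. It also shows the reversal risk the report flags: an unkeyed hash of a small-domain value is not anonymization. All names, the toy chain and the sample record are constructed assumptions.

```python
"""Off-chain personal data with a keyed commitment on-chain; erasure by key destruction."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class OffChainRegistry:
    """Personal data lives off-chain; the (append-only) chain only holds HMAC commitments."""

    def __init__(self) -> None:
        self.off_chain: Dict[str, Tuple[bytes, bytes]] = {}  # subject -> (key, data)
        self.chain: List[str] = []  # immutable ledger stand-in: entries are never removed

    def record(self, subject: str, data: bytes) -> int:
        key = secrets.token_bytes(32)  # one secret key per subject, never written on-chain
        self.off_chain[subject] = (key, data)
        self.chain.append(hmac.new(key, data, hashlib.sha256).hexdigest())
        return len(self.chain) - 1  # position of the commitment on the ledger

    def verify(self, subject: str, data: bytes, index: int) -> bool:
        """Prove that `data` is what the ledger entry commits to; impossible once the key is gone."""
        entry = self.off_chain.get(subject)
        if entry is None:
            return False  # key destroyed: the on-chain commitment is now inert
        key, _ = entry
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.chain[index])

    def erase(self, subject: str) -> None:
        """Erasure request: destroy the key and the off-chain copy; the chain itself is untouched."""
        self.off_chain.pop(subject, None)


def recover_from_plain_hash(digest: str, candidates: List[bytes]) -> Optional[bytes]:
    """Why an unkeyed hash of a low-entropy value is reversible: simply try every candidate."""
    for candidate in candidates:
        if hashlib.sha256(candidate).hexdigest() == digest:
            return candidate
    return None


def demo() -> dict:
    reg = OffChainRegistry()
    record = b"Alice Example, born 1990-05-17"  # constructed sample, not a real person
    idx = reg.record("alice", record)
    verified_before = reg.verify("alice", record, idx)
    reg.erase("alice")
    verified_after = reg.verify("alice", record, idx)
    # constructed: a plain SHA-256 of a birth year falls to a search over its tiny domain
    years = [str(y).encode() for y in range(1900, 2020)]
    recovered = recover_from_plain_hash(hashlib.sha256(b"1990").hexdigest(), years)
    return {"verified_before": verified_before, "verified_after": verified_after,
            "chain_len": len(reg.chain), "recovered": recovered}
```

After `erase`, the ledger still holds the same 64-character commitment, but without the key it can neither be verified nor linked back to the subject, which is the sense in which key destruction is argued to approximate erasure.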
It is encouraging to see convergence between this EU report and the guidance issued by a national authority (the CNIL). However, as both the CNIL report and this new Observatory report emphasize, formal EU-level guidance would be very beneficial. We will have to wait and see whether this report prompts the EDPB to release guidance of its own.