The CNIL – the French authority responsible for GDPR enforcement – has recently issued guidelines concerning Public Blockchains and GDPR compliance.
GDPR and Blockchain: not necessarily incompatible
First, the CNIL says its approach should remain practical, meaning that it takes into account the general commitment to cryptography, which has to be deemed acceptable in terms of data protection.
GDPR provides a right of minimization which is the right of an individual to minimize the data necessary for a given usage.
According to the CNIL, encryption is a practical way to minimize the data: once encrypted, the data is difficult to retrieve and cannot be minimized any further. This is tied to the functionality of the blockchain, and this functionality must be accepted. For companies, it means that recording “GDPR data” on the blockchain is possible if it is sufficiently encrypted. What is certain is that data cannot remain “clear”, or readable, on a public blockchain.
Who is the controller in a public blockchain?
The CNIL points out that it would not seek to hold liable “the creator of the blockchain”, who is merely a technical service provider, just like an internet or electricity provider. Liability rests with the entities that use, collect, or manipulate data on the blockchain. According to the CNIL, it is always possible to identify the person who initiates a data entry: for example, when a university delivers a diploma. The criterion is who can be linked to the data processing.
There are different situations concerning legal liability in GDPR:
- One participant who is responsible for the processing.
- Several actors who decide to implement a data processing together:
  - It can be a legal entity, which will bear the responsibility for the processing, or they can decide to appoint a participant among them, who will take responsibility for the group.
  - Without a specific agreement between the parties, they could be jointly responsible for the processing.
The controller has its own obligations under GDPR, and the fact that it stores a copy of the data on the blockchain makes almost no difference to the obligations it has towards individuals, provided some steps are taken to protect the data recorded on the blockchain.
How to Erase Individual Data from the Blockchain?
The corollary of the right to erasure is retention of the data for a limited period.
Moreover, data privacy is only concerned with individual data and the possibility of profiling individuals in an illegitimate manner, that is to say, without their consent or control over their own data.
The CNIL recommends not storing data exclusively on the blockchain, but keeping a copy on the controller's information system, so that if the data has to be suppressed, the controller can cut off access to it, if the controller is able to do so.
It is probably also necessary to delete all the available keys, in order to prevent access to intelligible data. For example, if there is a controller and a subcontractor, both must delete the keys and be able to prove they did so.
This is not a complete deletion of the data remaining on the blockchain, but it has a similar effect: the data is no longer intelligible and cannot be decrypted anymore, thanks to the destruction of keys, dereferencing, and other techniques that operators can put in place to make the data unusable in the future.
Or better said, it is all that seems to be possible right now; the CNIL admits that it is not the best technical expert on this question and that blockchain technology is evolving fast.
It is up to developers and engineers to create protection that is adequate given the nature of blockchain technology.
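The approach described in this section (only ciphertext on-chain, the key held off-chain, erasure by destroying every copy of the key while keeping evidence of the deletion), as an added example that is not taken from the CNIL guidance. The `Ledger` and `KeyHolder` classes are hypothetical, and the SHAKE-256 keystream is a stand-in for an audited AEAD such as AES-GCM so that the example runs with the Python standard library alone.

```python
import hashlib, hmac, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHAKE-256 keystream) so the example needs only the
    # standard library; a real system would use an audited AEAD such as AES-GCM.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class Ledger:
    """Append-only list standing in for the public blockchain (hypothetical)."""
    def __init__(self):
        self._blocks = []
    def append(self, blob: bytes) -> int:
        self._blocks.append(blob)
        return len(self._blocks) - 1
    def read(self, idx: int) -> bytes:
        return self._blocks[idx]

class KeyHolder:
    """Off-chain key store of one party (controller or subcontractor)."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.keys, self.erasure_log = ledger, {}, []

    def record(self, personal_data: bytes) -> int:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = keystream_xor(key, nonce, personal_data)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        idx = self.ledger.append(nonce + ct + tag)  # only ciphertext goes on-chain
        self.keys[idx] = key                        # the key stays off-chain
        return idx

    def read(self, idx: int):
        key = self.keys.get(idx)
        if key is None:
            return None  # key destroyed: the on-chain bytes stay, unreadable
        blob = self.ledger.read(idx)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext or key mismatch")
        return keystream_xor(key, nonce, ct)

    def erase(self, idx: int) -> dict:
        # Destroy the key and keep evidence that contains no key material.
        self.keys.pop(idx, None)
        entry = {"record": idx,
                 "blob_sha256": hashlib.sha256(self.ledger.read(idx)).hexdigest()}
        self.erasure_log.append(entry)
        return entry
```

Erasure only takes effect once every party holding a copy of the key has run `erase`; the ledger entry itself is never modified.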
Automated decision making based on user data, including profiling
According to the CNIL, “In the case of smart contracts, the right to oppose profiling must be implemented in the drafting of the code so that the data subject can opt out of the process, and maybe stop the execution of a smart-contract”.
It means that, if a smart-contract is triggered by a decision based on data, then the smart-contract must give the user the possibility to challenge the decision. In practice, it means that the user is the final authority over the execution of the smart-contract. The execution is suspended until the user consents, or cancelled if the user refuses.
These suggestions are only a first approach and do not have the force of law. They show, however, that the authorities are willing to let the sector develop, provided some criteria are met once projects are operational.