Blockchain compliance with GDPR requirements was tested by the French privacy authority and the European Commission, with uncertain outcomes.
Blockchain privacy compliance is a hot topic that has led to substantial discussion. Whether the impossibility of removing information from the distributed ledger can be reconciled with the GDPR’s right to be forgotten, for instance, has been challenged in many cases. But this is only one of the topics now covered by the French data protection authority, the CNIL, in its guidelines on the subject (which were covered here on the DLA Piper Privacy Matters blog by my colleagues Denise Lebeau-Marianna and Caroline Chancé) and by the EU Blockchain Observatory and Forum of the European Commission in a recently issued workshop report.
Below are the most relevant insights arising from those documents and my personal view on them:
Does the GDPR apply to blockchain?
Transactional data recorded on a blockchain that can be linked to an individual are likely to fall under the category of personal data.
More debated is whether the same conclusion applies to public keys. A public key is cryptographically connected to a cryptocurrency address in the sense that the address is a representation of the public key. The public key is akin to an individual’s bank account number, while the private key is the secret PIN to that bank account. The private key is used to generate the public key, but the process is irreversible, and therefore no one can calculate the private key from the public key.
The public key may still be information linked to an individual. But the issue is whether – given the level of complexity of the public key – it is likely that such information is connected to the relevant individual.
If we take the example of a bank account number, this will be personal data for the bank where the account holder has his account, but, for any other individual, that information is unlikely to be personal data since they are not able to link it to anyone. Indeed, pseudonymized data (such as public keys) under the GDPR are personal data only if individuals are identifiable taking into account
“all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly”.
Who is the data controller on a blockchain?
The CNIL considers that participants in a blockchain (i.e. the persons who can write on the blockchain and create a transaction that is submitted for validation) act as data controllers where:
- either the participant is an individual, and the processing is related to a professional or commercial activity;
- or the participant is a legal entity and writes personal data on the blockchain.
Where several persons decide to process personal data on a blockchain for a common purpose, the CNIL recommends that the participants make arrangements regarding the responsibility of the processing by:
- either creating a legal entity to act as a data controller; or
- designating one participant to make decisions for the group and act as a data controller.
Otherwise, all the participants are regarded as joint controllers.
This interpretation is arguable since it relegates the identification of the data controller to an arrangement between the parties involved, rather than to the de facto situation, which is the rationale behind the GDPR. Also, in a permissionless blockchain like Bitcoin, it could even be argued that there is no actual data controller, since no one has full control of the transaction.
Who is the data processor?
The CNIL deems data processors:
- smart contract developers, who process personal data on behalf of the relevant participant acting as a data controller; and
- miners, who validate transactions on behalf of participants.
But, for public blockchains, the CNIL is currently working on, and recommends developing, solutions to frame the contractual relationships between participants (data controllers) and miners.
The matter is “tricky” on this issue as well. Indeed, the GDPR requires that the data controller exercise actual control over its data processors, which can even be fined if they do not comply with the data controller’s instructions; but can that happen in a public blockchain?
What are the principles to blockchain privacy compliance according to the CNIL?
Privacy by design is one of the backbone principles of the GDPR. I discussed it in this blog post: “Privacy by design, how to do it at the time of the GDPR?”. But the issue in a blockchain is always the lack of control over its operations. The CNIL recommends assessing whether blockchain is the appropriate technology for the intended use case. If not, the CNIL recommends using other technologies that are more compliant with the GDPR.
Where the use of blockchain technology is necessary, the CNIL recommends using a permissioned blockchain (instead of a public blockchain), which provides more control over the governance of personal data, in particular for transfers outside the EU to non-EU based miners.
This also serves to comply with GDPR requirements on data transfers outside the EU. Transfer mechanisms such as standard contractual clauses, BCR, codes of conduct or certification mechanisms can apply to a permissioned blockchain. On the contrary, their implementation is trickier in the context of a public blockchain, since the data controller does not have any control over the location of the miners.
Because the participants’ identifiers (or public keys) are necessary for the functioning of the blockchain, the CNIL notes that it is not possible to further minimize such data and that their retention period must be in line with the duration of the blockchain.
As regards the other personal data, to comply with the principles of privacy by design and by default, and of data minimization, the CNIL recommends using solutions where personal data is processed outside the blockchain and storing on the blockchain only:
- A cryptographic commitment,
- A data footprint obtained through a keyed hash function, or
- Encrypted data.
If it is not possible to implement any of these solutions, and where it is justified by the purpose of the processing and a privacy impact assessment has demonstrated that the residual risks are acceptable (read “When and how shall a privacy impact assessment be run?”), the CNIL considers that it is possible to store the data on a blockchain with a hash function without a key or, if there is no other option, in clear.
The CNIL seems to imply that the assessment has to be performed on a case by case basis, suggesting tools like encryption that make it possible to control the level of disclosure of personal data on a blockchain.
Can the right to be forgotten be exercised on a blockchain?
Blockchain privacy compliance presumably does not raise any particular issue for transparency, the right of access and the right to data portability.
For the right to be forgotten (or erasure), the CNIL acknowledges that it may be technically impossible to comply with this right for data stored on the blockchain. The CNIL strongly recommends the use of encryption to come as close as possible to ensuring an adequate exercise of the data subjects’ rights. In particular, deleting the data stored off-chain and the verification data (such as the key) cuts off access to the evidence recorded in the blockchain and makes it very difficult to retrieve.
The solution seems to be always the same: it is necessary to introduce an additional level of complexity into blockchain technology to enable control over information, as otherwise it might not be privacy compliant.
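As an added illustration (not from the CNIL guidance or this post), the off-chain/on-chain split from the data-minimization section above and the erasure approach just described, in Python: the personal data and a per-record key stay off-chain, only the keyed hash is appended to a list standing in for the ledger, and destroying the off-chain key and data is what renders the immutable on-chain footprint useless. The names `OffChainStore`, `LEDGER` and the sample record are my own constructions; the last function shows why the CNIL treats an unkeyed hash only as a fallback.

```python
import hashlib
import hmac
import secrets

LEDGER = []  # append-only list standing in for the blockchain (constructed stand-in)


def keyed_footprint(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of an off-chain record: the only thing written on-chain."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def unkeyed_footprint(data: bytes) -> str:
    """Plain SHA-256, the CNIL's fallback option when no keyed solution is possible."""
    return hashlib.sha256(data).hexdigest()


class OffChainStore:
    """Off-chain registry holding the personal data and the per-record secret key."""

    def __init__(self) -> None:
        self.records = {}  # record_id -> (key, data); never written on-chain

    def register(self, record_id: str, data: bytes) -> str:
        key = secrets.token_bytes(32)  # fresh random key per record
        self.records[record_id] = (key, data)
        footprint = keyed_footprint(key, data)
        LEDGER.append((record_id, footprint))  # only the footprint is appended
        return footprint

    def verify(self, record_id: str) -> bool:
        """True while the off-chain record and key still match the ledger entry."""
        entry = self.records.get(record_id)
        if entry is None:
            return False  # key and data erased: the on-chain evidence cannot be checked
        key, data = entry
        on_chain = next((fp for rid, fp in LEDGER if rid == record_id), None)
        if on_chain is None:
            return False
        return hmac.compare_digest(keyed_footprint(key, data), on_chain)

    def erase(self, record_id: str) -> None:
        """Erasure request: destroy the off-chain key and data; the immutable ledger
        entry remains, but without the key it can no longer be linked to anything."""
        self.records.pop(record_id, None)


def matches_guess(on_chain: str, candidates: list) -> bool:
    """Check whether an on-chain value equals the unkeyed hash of any candidate input,
    i.e. whether a footprint of low-entropy data could be re-identified by guessing."""
    return any(unkeyed_footprint(c) == on_chain for c in candidates)
```

After `erase`, the ledger entry still exists but `verify` fails and the keyed footprint cannot be matched even by someone who knows the exact original record, which is the effect the CNIL's recommendation relies on.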
What are the required security measures?
In the context of a permissioned blockchain, the CNIL recommends to:
- determine a minimum number of miners to avoid collusion attacks;
- implement organizational and technical measures to mitigate the impact of an algorithm failure on the security of the transactions, including a contingency plan to modify algorithms where a vulnerability is detected;
- document the governance of the evolution of the software used to create transactions and mine, and implement technical and organizational procedures to ensure that the permissions granted match their actual implementation; and
- ensure the confidentiality of the blockchain by implementing appropriate measures.
These are general principles that must be applied to the particular features of each case to ensure blockchain privacy compliance.
It will be interesting to see the position of other data protection authorities on the matter, since there is no doubt that blockchain has significant potential. How can the lack of control over data, which is a substantial feature of blockchain, coexist with data protection regulations that impose control over personal data?
You may find interesting on a similar topic the article “Who is liable for the blockchain?”.