At the end of September the French personal data state processing regulator, the Commission Nationale Informatique & Liberté (CNIL), published a preliminary analysis of the issue of what kind of systems suitable for blockchain might apply to personal data processing. The CNIL has also been looking at the issues that are fundamental from the point of view of the GDPR, for example who the controllers and processors are on a blockchain. The CNIL has proposed a number of specific solutions but realises that it does not have extensive knowledge of this technology. It has said that it is open to proposals from experts and says they are welcome to propose their own solutions.
In the context of a blockchain, who is the controller and who is the processor?
In the CNIL’s view, the controller could potentially be any user that places data in a database that uses blockchain technology. The CNIL states specifically that the following are controllers:
- Natural persons in cases in which personal data are processed in connection with their professional or business activity, for example a notary who registers a client’s ownership title to property on a blockchain,
- Legal persons, if they record personal data on a blockchain, for example a bank keeping records of personal data of its customers.
The CNIL has found at the same time that in principle miners (entities that maintain the infrastructure of blockchain networks) do not decide the purposes and means of personal data processing and thus cannot be considered controllers. The same is true of natural persons who record personal data on a blockchain in a manner that is unrelated to their business activity (for example a person purchasing Bitcoin; if on the other hand the same person’s professional activity entails trading in cryptocurrencies for other persons, then that person can be deemed to be a controller of those persons’ personal data).
The CNIL also stated that a creator of a smart contract, for example, can be deemed to be a processor processing personal data on behalf of the controller, for example where a creator of a smart contract processes banking customer personal data for the purpose and using the methods specified by the bank. Miners can also be deemed to be processors, provided that they comply with instructions given by controllers when processing personal data. Probably due to the realisation that classing miners as processors gives rise to practical problems, the CNIL is conducting a broader discussion on this subject.
Importantly, if the controller engages a processor, an agreement must be signed between the controller and the processor in line with the requirements laid down in the GDPR, in particular Art. 28 of the GDPR.
How the risk related to processing personal data on a blockchain can be minimised
The CNIL pointed out a number of basic risks connected with using a blockchain (above all a public blockchain) to process personal data, and made the following proposals:
- Before a blockchain is used for personal data processing, an analysis is needed of whether a blockchain does in fact have to be used, especially in a public network;
- The CNIL recommends using other tools for personal data processing whenever possible,
- A private blockchain gives greater control over personal data processing. This is especially important when personal data is transmitted to a third country.
- Where blockchain and the GDPR are not aligned:
- In the view of the CNIL, there are major discrepancies between the GDPR principle of data minimisation and the function of public keys of users of blockchain, as there is a correlation between the retention period and how long the blockchain exists,
- As the principles under the GDPR and rights of data subjects are irreconcilable, the CNIL recommends in general using means other than blockchain for personal data processing,
- An analysis of associated risk is needed prior to processing data on a blockchain; if the risk is found to be acceptable, the preferred method of storage is data hashing.
- Data subject rights:
- The right to data portability and data access are not difficult to execute, even if the data are processed on a blockchain,
- Due to its specific nature, blockchain data processing may cause data access problems (for example if a key is lost),
- A more detailed analysis of the compatibility of blockchain with the right to have processing restricted and data erased is required.
Assessment of the CNIL’s standpoint
It is good that the CNIL is aware that there are issues arising in the sphere in which the GDPR and blockchain overlap, and that thorough analysis of these issues is required to find the solutions that firms dealing with blockchain can apply. In many cases, the CNIL encourages the parties concerned to present their standpoints. The CNIL is therefore a long way from imposing its viewpoint with respect to many of the key issues. Even so, it is clear that it supports conducting a true analysis of whether blockchain is really the technology that best achieves the goal for which the data are processed. This is the right approach, but more precise examination is required, with the help of blockchain experts, of the technological solutions that could ensure that a blockchain is GDPR compliant.