Several recently published research papers from EU and U.S. institutions and authorities analyze the relationship between blockchain technology and the General Data Protection Regulation. Given the myriad possible uses for blockchain technology and the GDPR compliance challenges that the technology poses, it is not surprising that the studies grapple with, and reach different conclusions on, the question of whether blockchain is, or can be made to be, GDPR compliant. The approaches and conclusions appear to split along geographic lines. Below, we offer practical suggestions for using blockchain technology in a GDPR-compliant manner.
The studies
The studies discuss the technological aspects of blockchain systems, albeit at different levels of detail. The U.S. National Institute of Standards and Technology's report concludes that the technology is hyped but not well understood. Although it is one of the most innovative technological systems of all time, blockchain is not suitable for use in all cases.
Blockchain and the GDPR: Are they incompatible?
The NIST study concludes that it is impossible to evaluate whether blockchain technology itself meets regulatory requirements, including those of the GDPR. Only its case-by-case implementation can be assessed for GDPR compliance.
But, perhaps not surprisingly, the French Data Protection Authority's report and the European Union Blockchain Observatory and Forum's report take a different approach, concluding that blockchain technology is subject to the GDPR. Further reading is available on these studies, summarizing and analyzing the CNIL position and the EUBOF report.
Is using blockchain technology even necessary?
The NIST and the EUBOF papers also raise an important threshold question: Does one need to use a blockchain system at all? The NIST report recommends evaluating a couple of factors before deciding to use blockchain technology, including which blockchain type to choose: permissioned or permissionless. Each has its strengths and weaknesses, but for private companies looking for increased GDPR compliance, NIST recommends a permissioned solution.
To address the key issues highlighted in the NIST and the EUBOF reports and satisfy privacy compliance requirements, one may want to carry out a data protection impact assessment alongside an initial information-security risk assessment. However, the European Data Protection Board disagrees, stating that the use of new or innovative technology in itself does not trigger the need to conduct a DPIA. The need to do so arises only when the new technology is combined with another processing factor that raises the data processing risk to a high level.
How to implement a GDPR-compliant blockchain?
From a GDPR-compliance perspective, blockchain technology itself seems irrelevant. Instead, its implementation must be assessed on a case-by-case basis for GDPR compliance.
Given the considerations raised by the recent CNIL, NIST and EUBOF studies, and based on our experience advising on data privacy and security issues, the following should be considered when designing a blockchain solution that strives to be GDPR compliant:
What business goal will the blockchain system help achieve?
Answering that question helps to identify the risks involved in processing personal data via blockchain technology and how the solution should work. A data-safe solution that doesn't help to achieve commercial business goals is not a good solution. Neither is a solution that only focuses on the achievement of business targets but disregards GDPR and other compliance risks.
What data flows are involved?
Define who will be able to input data into the blockchain, how nodes will interact with each other and who will have access to the output data. If input of personal data is involved, then the data controller is also required to implement measures to ensure the accuracy of that personal data. Also, if the solution will be based on a permissioned implementation, then the relevant permission levels and their granularity (e.g. administrators, super-users and users) must be defined.
Classify the data to be used on the blockchain
Does personal data really need to be involved? Consider the principle of data minimization and exclude personal data where it is unnecessary to process or store it. If this can't be avoided, identify the relevant risk mitigation techniques, such as zero-knowledge proofs, homomorphic encryption or secure multi-party computation. The NIST report warns that quantum computing poses risks to current encryption methods and will render most public-key-infrastructure-based encryption solutions insecure.
Define the legal basis of processing if personal data will be involved
The legal basis for processing personal data may differ depending on the blockchain type used. Permissionless blockchains may rely on the consent of the users, while permissioned blockchains may rely on the performance of a contract. Each has different implications for enabling the exercise of data subject rights. If a legal basis cannot be identified and the lawfulness of the processing of personal data cannot be ensured upfront, then further mitigation measures (e.g. full anonymization) should be sought. In such a case, it may also be prudent to reconsider the appropriateness of using blockchain technology at all.
If personal data needs to be processed in the blockchain, define the roles upfront
Consider who the data controllers and processors will be and whether these roles will be singular or joint. Define the governance model of the planned solution. For permissionless blockchains, which are susceptible to the "51 percent attack" (where the attackers control more than half of the resources), the CNIL report suggests that their operators and participants should agree in advance on the allocation of resources and the consensus model to follow. The definition of roles should be set out in written agreements.
If personal data needs to be processed, define procedures to allow the exercise of data subject rights
According to the CNIL paper, the right of access and the right to data portability are compatible with the concept of blockchain. However, the right to restrict processing and the right to be forgotten are not supported by the technology's design. For this reason we recommend identifying and designing the procedures that will enable data controllers to satisfy the requirements of GDPR's Articles 12 to 23.
One should be aware of the nature of smart contracts, as those may fall under the GDPR's provisions on automated decision making, and human intervention would undermine the advantages of executing smart contracts. This needs to be addressed at the design stage of the blockchain.
Plan functional and non-functional requirements
Consider the (semi-)immutable nature of blockchain technology, the required resource usage, inadequate block-publishing rewards and public key infrastructure, and identify the relevant issues, as NIST recommends. If designing a public blockchain, remember that due to the decentralized nature of the technology, a blockchain never really shuts down.
Assess, evaluate and mitigate the related information security and data protection risks
Those include: privacy-related risks (e.g. the reversal risk or linkability risk of personal data even in encrypted or hashed format); cybersecurity risks (e.g. vulnerabilities of the underlying infrastructure, the blockchain software, malicious users, etc.); and the risks related to the "no trust" environment. Implement the measures necessary to address these risks (e.g. penetration and vulnerability testing of the applied solution, testing of the data subject rights management process, data breach test simulations, etc.).
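The reversal and linkability risk for hashed personal data, and one mitigation for it, as an added Python example that is not code from the studies or from the article's authors: an unsalted hash of a low-entropy value such as an e-mail address can be recomputed by anyone who can guess the input, whereas a keyed digest with a random per-record salt kept off-chain cannot, and deleting the salt (crypto-shredding, our assumed approach to the erasure problem on an immutable ledger) leaves an on-chain value that nobody can link back to the person. The sample e-mail addresses are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from any real system): low-entropy personal data
# that a naive design might hash "to anonymize" it before writing it on-chain.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_commitment(value):
    """Unsalted SHA-256 of the raw value: the 'hashed personal data' the risk refers to."""
    return hashlib.sha256(value.encode()).hexdigest()


def linkable(on_chain_digest, candidates):
    """Reversal/linkability check: anyone who can guess the input (e-mail addresses,
    IDs, names) recomputes the digest and confirms the match, so the on-chain value
    still identifies the person."""
    return any(naive_commitment(c) == on_chain_digest for c in candidates)


class OffChainStore:
    """Keeps a random per-record salt (and the data itself) off-chain; only a keyed
    digest is written to the immutable ledger."""

    def __init__(self):
        self._salts = {}

    def record(self, record_id, value):
        salt = secrets.token_bytes(32)          # 256-bit random salt, never published
        self._salts[record_id] = salt
        return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()

    def verify(self, record_id, on_chain_digest, value):
        """Only the salt holder can re-derive and check the digest."""
        salt = self._salts.get(record_id)
        if salt is None:
            return False                        # salt erased: digest is now unlinkable
        expected = hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, on_chain_digest)

    def erase(self, record_id):
        """Crypto-shredding: deleting the salt leaves an on-chain value that can no
        longer be recomputed or matched, even by the controller."""
        self._salts.pop(record_id, None)
```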
Continuously assess, evaluate and improve
This requirement is often overlooked; however, GDPR's Articles 24 and 32 require data controllers and processors to maintain, evaluate and improve their organizational and technical controls to mitigate the risks posed by their data processing activities.
The GDPR is not a rigid list of steps to follow. It is a framework that allows data controllers and data processors to carry out their business in a manner that protects the rights and freedoms of data subjects. GDPR compliance can only be measured on a case-by-case basis by considering the actual implementation of the technology through which personal data is channelled. Yet the GDPR's rules are not technologically friendly or technology neutral. The manner in which technology is implemented to suit a particular purpose is key to the analysis of whether that technology can be GDPR compliant.
Given the current lack of in-depth understanding of blockchain technology and the ambiguity in the interpretation of the GDPR's requirements, ultimately the passage of time will reveal how the use of blockchain technology and the application of the GDPR to that technology will evolve. In the meantime, a proactive, considered assessment (and re-assessment as time passes) of blockchain technology and its privacy implications seems critical to enabling GDPR-compliant use of blockchain technology.
Image courtesy of 3Blue1Brown: https://www.youtube.com/watch?v=bBC-nXj3Ng4