Earlier this year, The Privacy Advisor reported on the potential clash between the EU General Data Protection Regulation and industry adoption of blockchain technology. More than six months later, the GDPR is in effect and blockchain prevalence continues to grow. (For more on some of blockchain's basics, check out this Privacy Tech primer on blockchain.)
That's why it makes sense that the French data protection authority, the CNIL, has published first-of-its-kind guidance on the burgeoning technology. Following the release last month of its French-only blog post and report, the CNIL published English versions of the blog and report this week.
In a phone conversation with Privacy Tech, the CNIL's Guilda Rostama and Amandine Jambert said the agency started receiving questions about whether and how organizations could use blockchain in a GDPR-compliant way. Rostama, who serves as legal counsel at the CNIL, said the agency talked with stakeholders from the public and private sectors, organizations in the banking and health sectors, startups and other large companies.
The guidance offers a range of advice, from simple definitions and basic properties of blockchain to more specific advice on considering who the controller is, data protection by design, risk management and other potential security solutions.
Some big takeaways up front: Organizations should carefully determine whether they need blockchain in the first place, particularly a public one; if you choose to go forward, practice data minimization when registering data on a blockchain; and the CNIL considers participants in the blockchain as data controllers (more on that below).
Rostama and Jambert are part of a team of engineers and policy wonks who have worked with stakeholders to offer up this early advice. "We are lucky to have engineers to explain blockchain to us so we could tackle the issues," said Rostama.
"Blockchain is such a buzzword, " said Jambert, who has an engineering and computer science background and serves as an IT specialist at the CNIL. "Though it's a nice word, people aren't always clear about what blockchain can bring them and how it would be implemented." Notably, she said, companies think they may need the tech when they really don't, meaning that a careful assessment of whether it's necessary must be considered up front. Really, it's good data protection by design.
"Though it's a nice word, people aren't always clear about what blockchain can bring them and how it would be implemented."
Rostama also explained that they took a technology-neutral approach to blockchain. Like cloud computing, it is a technology on which data can be processed, not an end in itself, or, as the report characterizes it, blockchain "is not a data processing operation with its own purpose."
In other words, she said: "The GDPR is tech neutral ... we took its principles and applied them to use-case scenarios."
The CNIL classified blockchain into three categories: public, permissioned, and "private." The former classification is perhaps the most well-known. Bitcoin and other popular cryptocurrencies tend to operate on public blockchains, where transactions are transparent to the public. This is the riskiest type of blockchain, according to the CNIL. Permissioned blockchains are emerging in industry sectors, and contain more restrictive rules about who can participate, observe and validate transactions. Finally, the CNIL considers private blockchains as traditional distributed databases that have less applicability to GDPR compliance.
The agency also recognizes that not all blockchain projects involve personal data processing, but they do classify two categories of personal data: participants' and miners' identifiers, as well as additional data contained within a given transaction - for example, a diploma or property deed, the CNIL notes.
"Using this distinction," the CNIL noted in its report, "the usual GDPR analysis applies: identification of the data controller, enforcement of rights, implementation of appropriate safeguards, security obligations, etc."
In identifying the data controller, the CNIL "observes that participants, who have the right to write on the chain and who decide to send data for validation by the miners, can be considered data controllers." More specifically, a participant is a data controller when the person is relaying the data on behalf of a professional or commercial activity and when the participant is a legal person registering data on a blockchain.
Rostoma offered an example: "Say a notary records a client's property deed on a blockchain, that means the notary is the data controller."
Rostoma offered an example: "Say a notary records a client's property deed on a blockchain, that means the notary is the data controller." The report offers other examples of when someone becomes a data controller. In the financial services sector, the CNIL said, "if a bank enters its clients' data onto a blockchain as part of its client management processing, it is a data controller." But, a person buying and selling Bitcoin on their own behalf, would not be considered a controller.
That is not to say that all blockchain actors are considered data controllers. Miners, those who validate transactions on the chain, are not included, though they may be considered data processors. Also, people not related to a commercial or professional activity but who enter personal data on a blockchain would be exempt pursuant to the "purely personal or household activity" exclusion in Article 2 of the GDPR. The CNIL report also offers guidance on determining joint controllers and identifying data processors.
Blockchain does offer potential solutions for data portability and tracking consent, but, because of its immutable nature, can be problematic for data erasure. Jambert said, however, there are some technical solutions that could be applied here, which is further detailed in the CNIL report.
Really, determining whether to implement a blockchain technology is about risk management and conducting a data protection impact assessment. Though it is a buzzword, blockchain may not always be the best solution for data processing. The CNIL warns that using it for cross-border data transfers "can be particularly problematic, especially in the case of public blockchains." If an organization does decide to go with a blockchain solution, the CNIL recommends data minimization.
Rostama described this guidance as a "preliminary thought," that it "won't be a solution to everything," but that, ultimately, its about reducing risk. "We want to push stakeholders to think about asking the right questions before using blockchain."
"Publishing something as early as possible was important so people can come to us," Jambert said.
If you want to comment on this post, you need to login.