By Michael Kallens, Markus Mild and Johan Toll
At Nasdaq, we have been exploring and testing possible uses of blockchain technology since 2013. We firmly believe it has the potential to increase efficiency, reliability and transparency across the financial services industry and beyond. Whether it achieves that potential will depend largely on whether it can be implemented in a manner consistent with the privacy and other rights granted to individuals under the European General Data Protection Regulation (GDPR).
While GDPR and blockchain share a similar fundamental commitment to protecting integrity and accountability in data processing, concerns have been raised about whether specific GDPR requirements can be reconciled with the way a blockchain operates. For example, how are core GDPR requirements such as data minimisation, restrictions on international transfers and the individual's right to erasure (the "right to be forgotten") to be reconciled with blockchain's reliance on immutable, distributed ledgers?
Given the consequences of GDPR violations (fines of up to four percent of annual global turnover, potential litigation and reputational damage), financial services and other industries are looking for certainty that the requirements of GDPR and the fundamental operation of a blockchain are not irreconcilably opposed. Initial guidance and reports from the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), and from the EU Blockchain Observatory and Forum (Blockchain Forum) are beginning to examine how blockchain solutions can be implemented in a way that is compatible with GDPR.
Progress in recent publications
To date, neither the European Data Protection Board (EDPB) nor the national data protection authorities (other than the CNIL) have issued formal guidance on implementing blockchain in a GDPR-compliant way. Recent publications by the CNIL ("Solutions for a responsible use of the blockchain in the context of personal data") and the Blockchain Forum ("Blockchain and the GDPR") are the first steps toward the concrete answers that innovators and industry will need before they can comfortably use blockchain to process personal data in everyday financial transactions. Importantly, these publications reflect a continuing commitment by regulators and thought leaders to developing a workable framework for applying blockchain technology to the processing of personal data.
Read together, these publications and others in this space are beginning to outline the key elements that GDPR-compliant blockchain implementations in financial services will need to incorporate. These include:
- Identify a single entity as the data "controller", with all other participants and solution providers acting as data processors. Under GDPR, the controller of personal data is on the front line for compliance. In a blockchain model, particularly where several entities jointly operate a blockchain, it could be argued that several parties act as controllers, raising the potentially complex situation of joint control. To avoid this, the participants should create a special-purpose entity or contractually designate a single controller. The other entities using the blockchain, and the miners or validators who confirm entries, would then be processors under contract with the controller.
- Where possible, avoid storing personal data on the blockchain; if storage is necessary, minimise the personal data and apply effective hashing or encryption. A fundamental use of blockchain is to demonstrate that a transaction has taken place or that a record is valid. Where transactions or records involve individuals, they inevitably involve personal data. However, that personal data often does not need to be stored on the blockchain; instead, the on-chain entry can serve as evidence of a record that is itself stored off-chain. This approach satisfies GDPR's data minimisation and security requirements. Note that "effective" matters here: a plain hash of a low-entropy identifier (a name, a national ID number) can be reversed by guessing candidate values and comparing hashes, so the on-chain value should be a keyed hash or salted commitment whose key is held off-chain by the controller.
- Use private, permissioned blockchains that contractually address GDPR's international transfer requirements. GDPR restricts transfers of personal data outside the EEA: personal data may only be transferred to jurisdictions that offer adequate protection, or to entities bound by binding corporate rules or standard contractual clauses. These requirements are hard to reconcile with public, permissionless networks, where the location of data cannot be controlled. Solutions should therefore use private, permissioned blockchains in which each participant agrees to international transfer terms as a condition of exchanging information.
The main challenge: guaranteeing the rights of data subjects
While many details of how to implement a blockchain solution in a GDPR-compliant way remain to be resolved, the biggest challenge is how any solution can satisfy all of the data subject rights conferred by GDPR.
Some individual rights under GDPR, such as the rights to portability, access and an accounting of how personal data has been processed, can be readily addressed by blockchain technology and in fact play to its strengths. Other rights, such as the right to restriction of processing, can be built into how the solution is programmed, and rights against automated decision-making can be addressed through business processes.
However, because blockchain technology is built on long-lived, decentralised ledgers, effectively ensuring the rights of erasure and rectification that GDPR grants to individuals poses a substantial compliance challenge. As the CNIL report indicates, when data is recorded on-chain as a commitment, hash or ciphertext, the controller can "approach" these rights by rendering the record inaccessible (for example by deleting the off-chain data and the key needed to verify or decrypt the on-chain value), achieving a functional erasure; for rectification, the controller would combine the now-inaccessible record with a corrected entry in a new block. Whether these mechanisms are, in law, equivalent to the full rights guaranteed by GDPR is uncertain; they require further analysis and, ultimately, a resolution by the EDPB.
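The following is an added example, not code from Nasdaq, the CNIL or the Blockchain Forum, illustrating both the "evidence on-chain, data off-chain" pattern above and the functional erasure and rectification mechanism just described. It assumes a hash-linked in-memory list standing in for a permissioned chain, HMAC-SHA256 with a per-record random key as the commitment, and a constructed sample record; the class and function names are hypothetical. It also shows the caveat on hashing: an unkeyed hash of a guessable record is recovered by a dictionary attack, while the keyed commitment is not.

```python
# Added example (not code from Nasdaq, the CNIL or the Blockchain Forum).
# Assumptions: a hash-linked in-memory list stands in for the permissioned
# chain; HMAC-SHA256 with a per-record random key is the "commitment".
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional


def canonical(record: dict) -> bytes:
    """Deterministic encoding so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(record: dict) -> str:
    """Unkeyed SHA-256: anyone who can guess the record can confirm the guess."""
    return hashlib.sha256(canonical(record)).hexdigest()


def commit(record: dict, key: bytes) -> str:
    """Keyed commitment: without `key` the digest cannot be checked against a guess."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


@dataclass
class Ledger:
    """Append-only, hash-linked entries: stand-in for the immutable chain."""
    entries: list = field(default_factory=list)

    def append(self, commitment: str, supersedes: Optional[int] = None) -> int:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"index": len(self.entries), "prev": prev,
                "commitment": commitment, "supersedes": supersedes}
        body["entry_hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(body)
        return body["index"]

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or e["entry_hash"] != hashlib.sha256(canonical(body)).hexdigest():
                return False
            prev = e["entry_hash"]
        return True

    def active_indices(self) -> set:
        """Entries not superseded by a later rectification."""
        superseded = {e["supersedes"] for e in self.entries if e["supersedes"] is not None}
        return {e["index"] for e in self.entries} - superseded


class OffChainStore:
    """Controller-held personal data and the per-record commitment keys."""
    def __init__(self):
        self._records = {}  # ledger index -> (record, key)

    def register(self, record: dict, ledger: Ledger, supersedes: Optional[int] = None) -> int:
        key = secrets.token_bytes(32)
        idx = ledger.append(commit(record, key), supersedes)
        self._records[idx] = (record, key)
        return idx

    def prove(self, idx: int, record: dict, ledger: Ledger) -> bool:
        """Evidence that `record` is what entry `idx` committed to; needs the key."""
        if idx not in self._records:
            return False
        _, key = self._records[idx]
        return hmac.compare_digest(commit(record, key), ledger.entries[idx]["commitment"])

    def erase(self, idx: int) -> None:
        """Functional erasure: drop record and key. The on-chain digest remains
        but can no longer be linked to, or verified against, any person."""
        self._records.pop(idx, None)

    def rectify(self, idx: int, corrected: dict, ledger: Ledger) -> int:
        """Append a corrected entry superseding the old one, then make the old one inaccessible."""
        new_idx = self.register(corrected, ledger, supersedes=idx)
        self.erase(idx)
        return new_idx


def dictionary_attack(target: str, candidates: list) -> Optional[dict]:
    """Offline guessing: recompute the unkeyed hash of each candidate record."""
    for c in candidates:
        if plain_hash(c) == target:
            return c
    return None


def demo() -> dict:
    # Constructed sample data, not real customers.
    alice = {"subject_id": "cust-0042", "name": "Alice Example", "dob": "1980-01-01"}
    guesses = [dict(alice, subject_id=f"cust-{i:04d}") for i in range(100)]
    ledger, store = Ledger(), OffChainStore()
    idx = store.register(alice, ledger)
    result = {"proved": store.prove(idx, alice, ledger)}
    # A bare hash on-chain is still personal data: a candidate list reverses it.
    result["plain_hash_leaks"] = dictionary_attack(plain_hash(alice), guesses) == alice
    # The keyed commitment gives the same attacker nothing to check guesses
    # against (and a 256-bit key cannot be brute-forced).
    result["keyed_leaks"] = dictionary_attack(ledger.entries[idx]["commitment"], guesses) is not None
    corrected = dict(alice, dob="1980-01-02")
    new_idx = store.rectify(idx, corrected, ledger)
    result["old_provable_after_rectify"] = store.prove(idx, alice, ledger)
    result["new_provable"] = store.prove(new_idx, corrected, ledger)
    result["active"] = ledger.active_indices()
    result["entries"] = len(ledger.entries)  # both digests stay on-chain
    result["chain_ok"] = ledger.verify_chain()
    return result
```

Running `demo()` shows the trade-off the CNIL describes: the chain never shrinks (both digests remain and the chain still verifies), but after erasure nothing held by the controller can link the old digest to a person, and the rectified entry is the only active one. Whether that satisfies Articles 16 and 17 in law is the open question left to the EDPB; what the code shows is that the mechanism is only sound if the on-chain value is a keyed commitment, since the unkeyed hash is recovered from a short candidate list.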
An important first step, but more is needed
As the Blockchain Forum rightly states: "[T]here is no GDPR-compliant blockchain technology. There are only GDPR-compliant use cases and applications." The same could be said of any technology that processes personal data: many of the same security, transparency and data-rights issues raised in the context of blockchain confront other existing technologies. What sets blockchain apart from legacy technologies is its novelty. While blockchain has enormous upside potential, it will require considerable investment and a willingness on the part of companies to be first movers. Where there is uncertainty about how to develop blockchain solutions that meet GDPR requirements, even innovative companies may be reluctant to take those steps.
The work of the CNIL and the Blockchain Forum are important first steps toward removing this uncertainty. We agree with the Blockchain Forum that an important next step is to deepen understanding of blockchain's potential use cases and of the impact that interpretations of particular GDPR requirements may have on those uses. That understanding could then support an effective dialogue among the EDPB, national regulators, privacy advocates, industry, technology innovators and other stakeholders to build the consensus needed for a practical and comprehensive regulatory approach to blockchain, one that protects the vital rights and interests enshrined in GDPR while enabling the benefits the technology can offer.
Michael Kallens is Senior Associate General Counsel, Nasdaq; Markus Mild is Regulatory Strategist, Nasdaq Europe; and Johan Toll heads Digital Assets, Market Technology, Nasdaq.