The popular French privacy watchdog, the CNIL, is on fire these days. After being the first authority in the EU to issue notices for GDPR violations to Teemo and Fidzup, it has discovered a new playground: this time it is a matter of combining blockchain technology and the GDPR. With the official English translation of the recommendation recently published, let's dive in.
Data Actors, or Who's Who in Blockchain
In general, the GDPR talks about the following data actors:
- data subjects: those whose data are processed,
- data controllers, which determine how and why these data are processed,
- data processors, which can act on behalf of a controller in further processing.
In the simplest example, when a user registers in an app, they send their data and are therefore a data subject. The company that owns this app processes the data, so it is the data controller. And if this data controller at any time outsources software development to another company by giving it access to personal data, the latter becomes the data processor.
It does not seem complicated, right? However, there are more questions to answer than it might seem.
First of all, the CNIL, the independent French regulator that guarantees data privacy compliance, seeks to understand the status of data controllers in the context of the blockchain. Unlike the classical model of governance, blockchain as a technology is decentralized at its core. This eventually creates complications. Who decides the purposes and the means of processing in the context of the GDPR, art. 4 (7), and thus becomes a data controller? Can there be data controllers at all, since most blockchains have no central authority in charge? Well, the CNIL is quite sure that the answers are not as problematic as they seem at first.
In the regulator's opinion, "Participants, who have the right to write on the chain and who decide to send data for validation by miners, can be considered data controllers." More specifically, it outlines 2 categories of data controllers:
- a natural person who processes data in a professional or commercial activity, and
- a legal person who records personal data in a blockchain.
Of course, it's not just theory. For example, Blocknotary allows a notary to register an act in a blockchain, which is a perfect example of "professional activity" performed by a natural person. The KYC (know your client) platform developed by the Crédit Mutuel Arkéa bank and IBM, where the bank acts as a data controller for customers' personal data, would represent the second category.
So, this categorization for real-life scenarios is relatively easy, or so it seems. An entity that created a private blockchain, just like in the examples above, can be easily defined as a data controller. But on the other hand, what about public blockchains? Since there is no defined authority or entity, it can be argued that "the user who enters personal data [in a block] is the data controller." However, this also involves various difficulties, as it is not always possible to clearly identify a user of this type and then apply the regulations accordingly.
The CNIL is also confident about the position of blockchain data processors. For example, the AXA insurance company launched Sparkling, an Ethereum smart contract that provides automatic compensation for a delayed flight. According to the CNIL, the software developer in this case will be considered the data processor, while AXA is the data controller.
The CNIL also addresses the possibility of miners acting as data processors. In general, miners cannot be recognized as such because they have no direct access to personal data. Usually, it is the code that performs the evaluation functions without any active intervention by the miners. To illustrate this situation, the CNIL uses the following example. A couple of insurance companies join a blockchain project allowing them to perform KYC compliance by accessing customer data from other insurance companies. In this case, the CNIL argues that one of the companies may be designated as data controller, while the others will act as data processors, for which the necessary contract should be established under the GDPR, art. 28 (3). These other companies will be considered miners because of their validation functions.
At the same time, this is not entirely accurate. In fact, any of these insurance companies can be considered a data controller, a processor and a miner at the same time. An insurance company would be a controller for the processing of its own customers' personal data, while also processing the personal data of other insurance companies. And since each of them would validate the transactions, they would essentially be miners as well.
In providing this example, the CNIL did not take into account the fact that these roles will be mixed in this relationship. To fully understand the position of the data processor, another more isolated example should be drawn.
Let's take the AXA insurance example and vary it a little. Say there is a software development company that creates blockchain solutions for others based on its own private blockchain. Then there is AXA, which wants to develop a smart contract for its customers based on this private blockchain. As in the previous situation, AXA would be the data controller and the development company would become the data processor, as it provides a particular solution. So, who can be considered a miner in this light? The miners will be the other companies and their customers who use the same private blockchain solution, and who would merely validate the transactions of this smart contract without any effective access to personal data.
And the others?
Furthermore, the CNIL believes that miners are neither data controllers nor data processors. As for users of cryptocurrencies, such as those who buy Bitcoin, they fall under the exemption for a natural person in the course of a purely personal or domestic activity, GDPR, Article 2 (2) (c).
In the event that there is a certain group of participants, the CNIL recommended either creating a legal entity or naming one participant as data controller. Otherwise, the regulator declares that they could be considered joint controllers pursuant to the GDPR, art. 26, which would also entail a further definition of the respective roles. A clear designation of the data controller in this case would still give both the data subjects and the data protection authorities someone to contact, if necessary.
Overall, the CNIL considers two types of data controllers in a blockchain: a natural person when engaged in any professional or business activity and a legal entity. When it comes to data processors, the regulator uses an example of a development company to explain their position in data processing. As far as miners are concerned, as long as they do not have access to personal data, they should not be considered data processors.
Think ahead, or do you even need blockchain?
Presumably, blockchain allows secure processing of data due to its supposed immutability. However, there are some inconsistencies that can make the blockchain and the GDPR incompatible due to the nature of the former.
The CNIL stresses that data controllers should implement blockchain technology with the privacy by design rule, GDPR art. 25 (1), foremost in mind. This rule essentially addresses the intrinsic reliability of a specific technology used to process personal data. Blockchain may seem like a reliable technology in this sense, and yet the CNIL is not so sure:
"In fact, a blockchain is not necessarily the most suitable technology for processing all data, it can be a source of difficulty for data controllers in terms of compliance with the obligations set by the GDPR."
The regulator highlights the inability of data controllers to use appropriate safeguards in a public blockchain when it comes to personal data transfers outside the EU pursuant to the GDPR, art. 44. The European Commission designates specific non-EU countries with an adequate level of data protection, or there are other "appropriate safeguards for a transfer outside the EU" that can be used in a permissioned blockchain, such as standard contractual clauses, binding corporate rules, codes of conduct or even certification mechanisms. However, the CNIL emphasizes, data controllers do not have full control over the miners' location, where the data to be validated can include personal information.
Since it is difficult to ensure privacy compliance through blockchain design, a series of questions may arise, particularly regarding data minimization and the retention period.
In short, the data minimization principle states that the personal data processed must be adequate, relevant and limited to what is necessary, while under the storage limitation principle data cannot be stored longer than necessary (the "retention period").
The CNIL believes that the public keys owned by the participants in the system cannot be further minimized. The retention period in this case is that of the blockchain itself. The question here is: can they be considered personal data, since they are publicly available and difficult to trace to an individual? Since the GDPR mentions the "means reasonably likely to be used", it is highly unlikely that a public key can be traced to its owner, making it not relevant to the GDPR.
Another data minimization problem is the payload, or additional data attached to a block that may contain personal information. To comply with the GDPR, the CNIL recommends storing this data in the form of a "commitment", which is just a proof of the data with a link to the actual data held outside the blockchain. Furthermore, hashing or encryption can be used to provide an adequate level of data protection. Otherwise, the regulator stresses that it is possible to store the data as it is if appropriate precautions have been taken (such as a data impact assessment).
All in all, the CNIL suggests that even if blockchain is considered to be secure in terms of data protection, one should always carefully consider using it. Firstly, following the rules of privacy by design, it is not always possible to have full control over the flow of data, particularly in a public blockchain. Secondly, it is necessary to take into account the storage time and the data minimization principle. You should always consider the amount of data you are willing to put in a blockchain, even if the actual data is stored outside this blockchain or cryptography is used.
Effective exercise of rights
Probably the most interesting part of the recommendation considers the alignment of the blockchain with the rights of data subjects under the GDPR §3. The CNIL recognizes that blockchain technology "significantly enhances people's rights" and "facilitate[s] the exercise of individual rights." However, the regulator also maps out possible problems concerning:
- the right to erasure (nicknamed "the right to be forgotten"); check our previous feature on the subject,
- the right to rectification (dubbed "the right to correction"), and
- the right to restriction of processing.
Of these, the right to correction (GDPR, Article 16) deserves special attention. It faces the same challenge as the right to erasure: once the information has been written on a blockchain, it can never be removed. This impossibility, in the opinion of the CNIL, can be solved by "overwriting" the existing information with the updated information in a new block. Even if the original transaction technically still appears in the blockchain, it will be cancelled by the next one.
To make this possible, a whole chain can be forked, either through a 51% attack, in which most miners agree to build a new valid chain, or through a hard fork made by the developers. At the same time, this fork will not change or completely erase the data, as it will still be present in the abandoned blocks. Furthermore, this creates a threat to the integrity of the entire ledger.
One possible way out is to tokenize the data. The CNIL actually proposes this option in the form of a commitment when dealing with additional data (payload) in relation to the principle of data minimization. Basically, the data itself is not stored on a blockchain. Instead, there are only tokens that serve as links to the actual data stored somewhere else. In this way, the original source of personal data can be changed at any time, while the link to it remains permanently stored on the blockchain.
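The commitment approach for payload data and the tokenization described above can be sketched as follows. This is an added example, not code from the CNIL recommendation or from this article: the `Ledger` and `OffChainStore` classes, the `commit` function and the sample record are hypothetical, and a keyed hash (HMAC-SHA256) is assumed as the commitment scheme.

```python
import hashlib
import hmac
import secrets

class Ledger:
    """Append-only list standing in for a blockchain (hypothetical, constructed)."""
    def __init__(self):
        self._blocks = []

    def append(self, commitment: str) -> int:
        self._blocks.append(commitment)
        return len(self._blocks) - 1

    def read(self, index: int) -> str:
        return self._blocks[index]

def commit(data: bytes, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256): without the off-chain key, low-entropy personal
    # data cannot be guessed and checked against the on-chain value.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class OffChainStore:
    """Holds the personal data and per-record key; only commitments go on-chain."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records = {}  # subject_id -> (data, key, block_index)

    def write(self, subject_id: str, data: bytes) -> int:
        # Also used for rectification: a new block supersedes the old one,
        # and the old record's key is discarded with the overwritten entry.
        key = secrets.token_bytes(32)
        index = self.ledger.append(commit(data, key))
        self.records[subject_id] = (data, key, index)
        return index

    def verify(self, subject_id: str) -> bool:
        record = self.records.get(subject_id)
        if record is None:
            return False
        data, key, index = record
        return hmac.compare_digest(self.ledger.read(index), commit(data, key))

    def erase(self, subject_id: str) -> None:
        # The ledger entry stays; the data and key that give it meaning are removed.
        self.records.pop(subject_id, None)
```

After `erase`, the ledger still contains every commitment ever written, but none of them can be recomputed or tied to a record without the discarded key.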
Private chains are a different case. Here, it is assumed that any block can easily be modified if a blockchain is controlled by a private entity. This obviously raises the concern of "defeat[ing] the point of using the blockchain in the first place." If it is so easy to change the private chain, then its immutability is very questionable.
In the end, solving the problem of the right to correction has the same implications as the right to erasure. The possible ways to implement this right in a public blockchain are to fork the chain, or to tokenize the data and store it outside. Neither of these solutions is perfect, as they involve other problems that have yet to be solved.
With the GDPR still being a relatively new regulation, it is difficult to find established standards on how to apply it in practice. Having blockchain in the background inevitably means that you have to ensure its compatibility with the GDPR or simply forget the whole decentralized thing.
As we can see, it is still quite difficult to define who is who on a blockchain. How to exercise the right to be forgotten or the right to correction is another issue yet to be addressed. The actual need to use blockchain in certain areas may also be questionable.
The only thing on which the different parties agree is that nothing is certain.