The French CNIL talks about GDPR compatibility and blockchain

Uncertainty about the compatibility of blockchain technology and the General Data Protection Regulation of the European Union (GDPR) has often been highlighted as a potential obstacle to the development and widespread implementation of blockchain systems involving personal data.

To address the tensions between blockchain technology and the GDPR, the National Commission of Information Technology and Freedoms (CNIL), the French data protection agency, has published an initial report that analyzes some fundamental issues related to the interaction between blockchain technology and GDPR requirements (the "Report"). The Report was the first guidance issued by a European data protection regulator on this topic.

The CNIL approach to identifying Blockchain data controllers and data processors

The Report highlights the challenges associated with identifying data controllers and data processors in the blockchain context: an important distinction that determines which set of regulatory obligations applies.

In discussing the probable classification of the various types of persons and entities involved in a blockchain, the CNIL has mainly distinguished between (i) participants (i.e., those who carry out transactions on the blockchain) that have the ability to determine which data will be entered into a blockchain or have permission to write data to it, and (ii) miners or other validators (i.e., those who do not perform transactions and instead validate the transactions sent by the participants). The CNIL has also provided an analysis of how to classify the developers of smart contracts and the natural persons who enter personal data into a blockchain, distinguishing, for the latter, between those who carry out personal or domestic activities and those who carry out professional or commercial activities.

  • Participants: According to the CNIL, because the participants on a blockchain determine the purposes and the means of processing personal data (e.g., data formatting, use of blockchain technology for such processing, etc.), they should be considered data controllers. If a group of participants establishes a blockchain for a common purpose, the CNIL recommends designating a controller, either by creating a company for the purpose of being the controller or by contractually designating one of the participants as the controller (in which case the other participants may be considered processors). In the absence of such an agreement, all participants could be considered joint controllers under the GDPR.

  • Miners / Validators: Since the validators only validate the data to be recorded on a blockchain, the CNIL believes that they are probably not data controllers. However, validators can be considered data processors if they process personal data on behalf of a controller, for example by executing the controller's instructions when they verify a transaction sent by the controller. In this case, Article 28 of the GDPR imposes the obligation to enter into a written contract, which the CNIL has recognized raises a series of practical problems, in particular in blockchain networks in which participants and validators do not have formal agreements between them.

  • Individuals who enter personal data into a blockchain for personal and domestic activities, rather than as part of professional or commercial activities: According to the CNIL, a natural person who sells or purchases cryptocurrency, for example, for his own account is not a data controller, whereas a natural person who conducts such transactions as part of professional or commercial activities (for example, on behalf of other natural persons) can be considered a data controller.

  • Developers of smart contracts: The CNIL explains that the developers of smart contracts could, depending on the circumstances, be considered controllers or processors (or neither), as in the case of other types of software developers. For example, a developer who processes data on behalf of the blockchain participant could be considered a processor, while a developer who participates in determining the purposes and means of processing could be considered a controller. The point at which a smart contract developer falls into either (or neither) of these categories is not yet clear.

Public and authorized blockchains

In the Report, the CNIL recognizes that the GDPR was designed to respond to a world of centralized data management, while a key feature of blockchain technology is its decentralized model. The CNIL notes that public blockchains represent a greater challenge for GDPR compliance than authorized blockchains (also called "private" ones). With regard to public blockchains, the CNIL encourages the development of solutions that would facilitate the necessary contractual agreements between the participants and the validators if the validators meet the criteria to be considered data processors.

Minimize data protection risks in the context of Blockchain technology

  • Privacy by design: Article 25 of the GDPR provides that data controllers establish appropriate technical and organizational measures to implement data protection principles and safeguard individual rights (a concept often referred to as "privacy by design"). According to the CNIL, given the GDPR's privacy by design requirement, blockchain technology may not be a suitable technology where a transfer of personal data outside the EU is involved. Concerning public blockchains, the data transfer mechanisms commonly used to allow such data transfers to comply with the GDPR (model contracts and binding corporate rules) may be difficult to implement because controllers may not be able to exercise control over the locations of the validators or effectively enter into the necessary written agreements with all of them. Where a transfer of personal data outside the EU is involved, authorized blockchains are preferable to public blockchains because the controller can exercise greater control over the processing of personal data and the commonly used data transfer mechanisms are more compatible with authorized blockchains, where participants are approved, known and most likely to have formal business relationships outside the blockchain.

  • Limited storage periods: According to the GDPR, personal data cannot be stored indefinitely. A retention period must be determined based on the purpose for which the data is processed. The CNIL believes that the limited retention period required by the GDPR is, on its face, clearly incompatible with the typical blockchain structure. For example, some data, such as participant identifiers or public keys, must be stored throughout the life of a typical blockchain because the architecture of a blockchain usually requires that identifiers remain in the blockchain.

  • Encryption: The CNIL has generally recommended that unencrypted personal data be stored off-line and that all personal data stored on a blockchain should be encrypted. The CNIL has acknowledged that there may be some circumstances in which personal data subject to lower cryptographic protection (or even unencrypted personal data) may be stored on a blockchain in accordance with the GDPR. It noted, however, that this would be acceptable only if the purpose of the processing justifies such storage (perhaps for controllers who have a legal obligation to make certain information publicly available and accessible, as suggested by the CNIL) and a data impact assessment shows that the associated risks are minimal for the data subjects concerned.

Data subject rights under the GDPR

The CNIL has recognized that certain data subject rights under the GDPR (the right to be informed, the right of access and the right to data portability) can be met in the context of blockchain technology. However, it noted that other data subject rights under the GDPR, including the right to object, the right to rectification and the right to cancel, are in conflict with the basic attributes of a classic blockchain. With respect to these rights, the CNIL has suggested that, although an imperfect solution, the implementation of technical measures to obtain results that are practically equivalent to those envisaged by these rights could constitute a path towards the alleged compliance with these rights. For example:

  • Regarding the right to cancel, the CNIL stated that the use of technical solutions that make data "almost inaccessible" (for example, by removing the private key from the hash function, which would make it impossible to verify the information) could be a way to achieve compliance, even if the data are technically still on the blockchain.

  • Regarding the right of rectification, the CNIL noted that the corrected data could be included in a new block in a subsequent transaction that would replace the previous one. The replaced transaction would remain in the blockchain, however, and to solve this problem the CNIL suggested that the data containing the error could be treated with the same technical solutions as those recommended by the CNIL to make the data "almost inaccessible" in the context of the right to cancel.

Automated decisions and smart contracts

The CNIL has also analyzed the interaction between blockchain technology and the right of the data subject not to be subject to a decision based exclusively on automated processing that produces legal effects on, or significantly affects, him or her (defined as "automated individual decision-making").

The GDPR provides that automated individual decision-making is allowed only in limited cases, including when the data subject has provided explicit consent or if it is necessary to execute a contract with the data subject. The CNIL recognizes that, in the case of smart contracts, the automated individual decision-making process may be necessary for the execution of a contract and therefore may be permitted under the GDPR.

In the context of smart contracts, the CNIL has suggested that controllers should provide for the possibility of human intervention to allow automated decisions to be challenged by data subjects, even if the contract has already been executed.

The CNIL acknowledged that the Report is a preliminary analysis and that numerous questions remain unanswered, and called on the blockchain sector and other EU data protection regulators to find creative solutions to reconcile blockchain technology with the strict requirements of the GDPR. The CNIL has also expressed its interest in working with other regulators on specific blockchain regulations, such as, for example, with the regulatory authority of the French financial markets, the Autorité des Marchés Financiers (AMF). In October 2018, the Assemblée Nationale (the French equivalent of the House of Representatives) adopted a proposal for a regulation concerning crypto-assets and initial coin offerings (ICOs) which, if approved by the French Senate, would involve the AMF in some ICO transactions, making it likely that the CNIL and the AMF will cooperate on specific data privacy issues raised by ICOs.

© 2018 Proskauer Rose LLP.