“The GDPR, and more generally the classical principles of personal data protection, were conceived in a world where the management of data was centralized within specific entities. In this regard, the decentralized model of data governance embodied by blockchain and the multiplicity of actors involved in the processing of data complicate the definition of the roles of each one.” Blockchain: Premiers éléments d’analyse de la CNIL (unofficial translation).
In late September 2018, France became the first EU member state to release official guidance on the complicated interplay between the General Data Protection Regulation (GDPR) and blockchain technology. The Commission nationale de l’informatique et des libertés (CNIL) guidance is complex and nuanced but suggests some important takeaways about blockchain GDPR compliance.
Takeaway No. 1: Users of blockchain solutions may be considered to be controllers of their own data.
The CNIL guidance identifies a category of actors termed “participants” (i.e., initiators of transactions on a blockchain) who have rights to write data to the chain and who decide to submit that data for validation by other participants (i.e., miners and “validator nodes”). Because these participants are deciding the purposes for which personal data will be processed and have chosen blockchain technology as the means for processing, the CNIL remarks that they should be considered controllers.
This part of the CNIL guidance will have a significant positive impact on various blockchain solutions — especially self-sovereign identity solutions — that seek to take control over personal data away from business entities and put it back into the hands of individuals.
Takeaway No. 2: Cryptocurrency exchanges are controllers of personal data under the GDPR.
According to the CNIL guidance, a controller will be either (a) a natural person who is processing personal data in a professional or commercial context or (b) a legal person who is writing personal data to the chain.
In a specific example, the CNIL states that “a physical person who engages in the purchase or sale of bitcoin … can be considered a controller if he conducts these transactions in the course of a professional or commercial activity, for the accounts of other physical persons.”
This statement appears to put cryptocurrency exchanges squarely within the definition of a data controller under the GDPR and likely subjects them to all obligations applicable to controllers.
Takeaway No. 3: Miners or validator nodes of blockchain transactions are processors of personal data under the GDPR.
The CNIL guidance notes that any actor merely validating transactions or writing data to the chain at another’s direction should be considered a processor. Therefore, persons or entities operating as miners or validator nodes on a blockchain will likely be considered processors of personal data.
Takeaway No. 4: Blockchain is not incompatible with the GDPR’s right of erasure.
Despite previous conjecture that a blockchain’s immutability would put it forever at odds with the right of erasure, initial guidance proposes a welcome middle ground.
The CNIL suggests that erasure of personal data stored on a blockchain might be accomplished by rendering the data “almost inaccessible, and therefore approximat[ing] the effects of erasure of the data.” Further, destroying the underlying private key or value generating the encrypted or hashed result would be “sufficient to anonymize the cryptographic commitment in such a way that it loses its quality of personal data.” Of course, in order for these techniques to be effective, personal data residing off the blockchain must be deleted as well.
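The key-destruction approach the guidance describes, as an added illustration that is not from the CNIL or the post's authors: a keyed (HMAC-SHA256) commitment is written to a constructed in-memory "chain" while the key and the plaintext stay off-chain; erasing the key and the off-chain copy leaves the immutable on-chain value unverifiable, and the final check shows why an unkeyed hash of a low-entropy value such as an e-mail address would not have the same effect. All identifiers and data are constructed for the example.

```python
"""Key-destruction erasure for a hashed commitment stored on a blockchain.

The chain keeps only the commitment; the key and plaintext live off-chain.
Deleting both is the 'erasure' step the guidance describes. Constructed data.
"""
import hashlib
import hmac
import secrets

# Constructed off-chain stores: subject id -> key, subject id -> plaintext.
KEY_STORE: dict[str, bytes] = {}
OFFCHAIN_DATA: dict[str, bytes] = {}
# Constructed 'chain': an append-only list of commitments (never deleted from).
CHAIN: list[str] = []


def unkeyed_hash(data: bytes) -> str:
    """Plain SHA-256. Linkable by guessing when the input is low-entropy."""
    return hashlib.sha256(data).hexdigest()


def commit(subject_id: str, data: bytes) -> str:
    """Write an HMAC-SHA256 commitment to the chain; keep key and data off-chain."""
    key = secrets.token_bytes(32)
    KEY_STORE[subject_id] = key
    OFFCHAIN_DATA[subject_id] = data
    commitment = hmac.new(key, data, hashlib.sha256).hexdigest()
    CHAIN.append(commitment)
    return commitment


def verify(commitment: str, subject_id: str, data: bytes) -> bool:
    """Open the commitment against a claimed plaintext; fails once the key is gone."""
    key = KEY_STORE.get(subject_id)
    if key is None:
        return False
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, commitment)


def erase(subject_id: str) -> None:
    """Erasure as the guidance describes it: destroy the key AND the off-chain
    copy. The commitment itself stays on the immutable chain."""
    KEY_STORE.pop(subject_id, None)
    OFFCHAIN_DATA.pop(subject_id, None)


def linkable_by_guessing(onchain_value: str, candidates: list[bytes]) -> bool:
    """Defender's check: can an on-chain value be tied to a guessable input with
    no key at all? True for unkeyed hashes of e-mails, names and similar."""
    return any(unkeyed_hash(c) == onchain_value for c in candidates)
```

The unkeyed hash is the case the "approximating erasure" argument does not cover: with no key to destroy, the on-chain value stays linkable to any guessable input for as long as the chain exists.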
Takeaway No. 5: Participants on a permissioned blockchain must designate a single data controller or risk having all participants deemed joint controllers.
Among those who might be classified as controllers on a permissioned blockchain — those entities determining the purposes for the processing and writing to the chain — the CNIL offers two options: The controllers or group of participants may either create a legal entity in the form of an association or “GIE” (Economic Interest Group), or they may choose one participant to make data protection decisions for the group and designate that entity as the controller.
If the group chooses to do neither, then each participant will be considered jointly responsible as a controller under the GDPR and must separately adhere to all applicable obligations. (The application of this concept to a public permissionless blockchain remains unclear and will likely be a subject of future guidance.)
Takeaway No. 6: Developers of smart contracts will be considered data processors when they develop smart contracts at the direction of a third party.
With regard to smart contracts, the CNIL guidance keeps open the possibility for the designers of smart contracts to be either processors or controllers, depending on the circumstances. However, the guidance provides some clarity by citing an example that directly invokes a real-life smart contracts pilot called “fizzy,” which was launched last year by global insurance company AXA.
In the example, “a software developer offers an insurance company a solution in the form of a smart contract, which allows the company to automate the compensation of passengers when their flight is delayed. This developer will be viewed as a processor by virtue of the insurance company, the controller.” The entity directing the creation and use of the smart contract will likely be deemed a controller.
Takeaway No. 7: Any business looking to use blockchain technology should carefully assess privacy considerations before going live with its solution.
Any organization building or using blockchain solutions must keep privacy compliance at the forefront — both in meeting the requirements of the GDPR and in minimizing potential for harm to individuals. Organizations should begin by considering whether a blockchain solution is truly necessary or whether the same result can be achieved by more traditional, centralized means. The CNIL wisely points out, “Blockchain is not always the best technology for all processing of data; it may be the source of difficulties for the controller with respect to its GDPR obligations.”
If blockchain technology is still preferred, the CNIL strongly encourages entities to perform a privacy-by-design analysis in advance of any processing. The regulator repeatedly recommends that developers, businesses and other actors undertake a detailed assessment of the need for recourse to blockchain technology, the privacy “pros and cons” thereof, and the way that personal data will be handled on the blockchain platform.
It is also crucial that the controller determine the need for, and if necessary conduct, a data protection impact assessment (DPIA) for each processing operation envisioned on the blockchain. The DPIA will allow the controller to later demonstrate that it has weighed and documented the risks and protections in advance of processing.
Takeaway No. 8: Permissioned blockchains should have a minimum number of nodes to protect the integrity of blockchain data.
The CNIL’s security guidance advises blockchain operators to account for the possibility of “51 percent attacks,” where actors controlling more than half the network’s computing power would be able to modify or prevent further transactions or entries on the chain. To prevent such an event, the CNIL recommends that evaluations be performed to determine the minimum number of miners needed to mitigate this risk.
Still, while it is advisable to ensure that a blockchain is adequately distributed among at least a minimum number of independent nodes, far more complex controls will be required to guard against risks related to collusion and consolidated control over those nodes.
Takeaway No. 9: Data subjects must have recourse to challenge the outcome of smart contracts — although the form this recourse should take is unclear.
The CNIL’s guidance is seemingly inconsistent on the extent to which a data subject should be able to contest the output of smart contracts.
In one sentence, the guidance appears to require that data subjects be able to intervene in smart contracts, stating that a “data subject should be able to obtain human intervention, to express his point of view and contest the decision, after which the contract may be executed.”
In the very next sentence, the guidance appears to state that it is sufficient to allow a data subject to challenge a smart contract after execution, stating that it is “appropriate that the controller provides for possibility of human intervention that allows … the data subject to challenge the decision, even if the contract was already executed.”
Perhaps the only thing that is clear is that in scenarios where smart contracts process personal data, the data subject should have some level of recourse to challenge the outcome of the smart contract transaction.
Takeaway No. 10: There will be “right” and “wrong” ways to use blockchains from a privacy and security perspective, and more guidance is forthcoming.
On October 3, 2018, the European Parliament passed a resolution titled “Distributed ledger technologies and blockchains: building trust with disintermediation.” The resolution, which acknowledges distributed ledger technology as “a tool that promotes the empowerment of citizens by giving them the opportunity to control their own data,” makes recommendations to member states encouraging adoption and best practices of blockchain platforms.
Both the EU resolution and the release of the CNIL’s guidance send a strong signal that the EU will not, as some have feared, decree blockchain technology to be fundamentally incompatible with the GDPR. To the contrary, these official actions indicate an acute awareness of the advantages of blockchain technology and a willingness to work with industry to increase adoption, so long as participants understand that there may ultimately emerge right and wrong ways to “do blockchain” from a privacy perspective.
This is a guest post by Laura Jehl, Robert Musiala and Stephanie Malaska of BakerHostetler. Views expressed are those of the authors and do not necessarily reflect those of BakerHostetler, its clients, Bitcoin Magazine or BTC Inc.
Robert A. Musiala Jr. is BakerHostetler’s Blockchain Counsel. His practice includes advising blockchain industry clients that have previously completed “initial coin offering” events on strategies for mitigating personal and business risk, limiting business disruption and achieving regulatory compliance.
Stephanie Malaska, an associate with the firm, focuses her developing litigation practice on international disputes and related cross-border issues.