Last month, the French data protection authority (the CNIL) issued initial guidance addressing issues that applications utilizing blockchain technology should consider in order to comply with the European General Data Protection Regulation (GDPR).

As recognized by the CNIL, there are certain natural conflicts between GDPR and blockchain technology. A critical feature of the blockchain is its immutability – the fact that once information is entered into the public ledger regarding a transaction, that information cannot be changed or removed from the ledger. The benefits of providing a transparent and permanent public ledger will have to be reconciled with the data subject rights granted by GDPR, including the right to be forgotten and principles of data minimization. Blockchain applications also raise thorny questions about whether participants in the network are acting as data controllers or processors, subject to the GDPR’s requirements. Additionally, how can a worldwide network of computers involved in data processing activities comply with GDPR requirements related to cross-border data transfers outside of the EU?

The CNIL’s guidance begins with a simple premise: “When a blockchain contains personal data, the GDPR is applicable”. While acknowledging that there are various different types of blockchain applications that may present different compliance concerns, the CNIL guidance offers the following analysis and potential solutions to actors wishing to use blockchain to process personal data and still comply with GDPR:

  1. Who is a data controller / processor?
    • Generally, participants who have the right to write on the chain and decide whether to send data for validation by miners, are considered as data controllers under GDPR.
    • Miners who are validating transactions submitted by participants are not data controllers under GDPR.
    • Smart contract developers who process personal data on behalf of a participant and miners who validate transactions may both be considered as data processors.
    • CNIL is continuing to explore the issue of whether miners in a public blockchain qualify as data processors.
  2. How can actors minimize risks for data subjects?
    • If using a blockchain technology is not necessary for a particular processing activity, the CNIL recommends that alternative solutions that allow for full compliance with GDPR be considered.
    • Use of permissioned blockchains allows for better control over personal data governance and, in particular, transfers of data outside of the EU.
    • While visible public keys are essential to the blockchain’s proper functioning, blockchain applications should implement solutions to ensure that any additional personal data is not stored on the blockchain in cleartext format.
  3. How can blockchain applications ensure data subject rights?
    • The CNIL guidance indicates that the rights of data subjects to information and to portability are compatible with blockchain technology.
    • While it is technically impossible to grant requests for erasure of personal data registered on a blockchain, use of cryptological solutions can make such data practically inaccessible and closer to the goal of ensuring the right of erasure.