07 Jul 2020
As discussed in a previous article, the main tensions between blockchain technology and the General Data Protection Regulation (GDPR) may be classified under four main categories, being the identification of a data controller, compliance with general principles of data processing, the exercise of data subject rights and territoriality.
The above mentioned article can be read here.
These tensions may be traced back to two fundamental conflicts. Firstly, while the GDPR is designed to regulate centralised networks, blockchain technology is purposely developed in a decentralised manner. Secondly, while the GDPR assumes that data can be modified or erased in order to fulfil certain requirements, blockchain technology is purposely designed to be tamper-proof, in order to create the necessary security and trust in the network.
In recent times, different stakeholders have shed light on possible solutions for the application of the GDPR to blockchain technology. Although these proposed solutions do not entirely address the above-mentioned tensions, they are definitely a step in the right direction and provide a basis for a deeper analysis of possible GDPR compliant blockchain applications.
The very first guidance note delivered by a European data protection authority regarding the interplay between blockchain technology and the GDPR was issued in late 2018 by the French Data Protection Authority (CNIL). In particular, the CNIL seeks to provide clarity on the roles of the data controller and the data processor.
The CNIL suggests that the participants, having the right to submit data on the blockchain for validation by the nodes, should be considered as data controllers. Nevertheless, the CNIL further clarifies that a participant should be classified as data controller only where it is either a natural person submitting personal data in relation to a profession or commercial activity, or when the participant is a legal person submitting personal data in the course of its business activities. Although the designation of participants as data controllers might work in theory, in the context of a public permissionless blockchain there are various practical issues arising from the nature of the technology itself, which undermine the participants’ ability to fulfil such role. In particular, the inability to have control over which third parties obtain access to the personal data of its data subjects and the inability to comply with certain data subject rights.
The CNIL further suggests that in a blockchain scenario there are certain parties, such as smart contract developers and nodes which validate transactions on the blockchain, that may be classified as data processors. Accordingly, a data processing agreement should be entered into between the relevant participant acting as data controller and each of the data processors, including the nodes. Nevertheless, the implementation of this requirement in a public permissionless blockchain gives rise to a number of practical difficulties, since the number of participants which may be classified as data controllers as well as the number of nodes which may be classified as data processors is unlimited.
The CNIL also makes recommendations on the application of certain GDPR rules and principles in a blockchain context. In order to be compliant with the ‘data protection by design principle’, the data controller should primarily assess whether the use of blockchain technology provides an appropriate environment for data processing. Accordingly, a Data Protection Impact Assessment should be carried out before making use of blockchain technology, in order to identify the risks to the personal data in using such technology. Furthermore, the CNIL suggests that private permissioned blockchains should be preferred over public permissionless blockchains, since the former’s centralised structure allows the data controller better control over personal data
Further to the above discussed solutions which seek to provide a degree of clarity from a legal perspective, the CNIL guidance note also refers to technical solutions which may be used to ease some of the tensions between blockchain technology and the GDPR. In this respect, the CNIL recommends that transactional data containing personal data should not be stored on the blockchain. Instead, the blockchain should only store a proof of existence of such data in the form of a commitment, hash function or ciphertext obtained through algorithms and keys. The actual personal data, especially that in cleartext form, should be stored in a separate databased managed by the data controller outside of the blockchain. While such solutions would make compliance with certain principles and data subject rights easier, it is nevertheless arguable that storing personal data off-chain would defeat one of the underlying purposes of blockchain technology.
Furthermore, we have also seen the development of various obfuscation, encryption and aggregation techniques for the processing of personal data, which are already being implemented in practice. Although these techniques will surely play an integral role in the development of GDPR compliant blockchain applications, it is ultimately up to data protection authorities, the EDPB and our national and European courts to provide legal certainty on the validity of these technical solutions.
While the compatibility of each blockchain use case with the GDPR has to be assessed on a case-by-case basis, it is clear that in order to achieve full compliance, there has to be a degree of centralisation in the particular blockchain use case. Naturally, centralisation is not at all desired by the blockchain community since it undermines the advantages put forward by blockchain technology, which is specifically designed to eliminate the necessity of having trusted entities controlling our data and transactions. In general, it seems that due to the fundamental conflict between blockchain technology and the GDPR, it is impossible to reconcile the two without any exceptions.
Ultimately, a balance needs to be struck so that data protection does not become an obstacle for innovation and at the same time, technology advancements are not attained at the expense of our data protection rights. In this context, it is essential for European regulators to engage in an open discussion, involving the relevant stakeholders in order to provide regulatory guidance on a European level. Furthermore, the development of a Code of Conduct should be encouraged in order to establish the necessary legal certainty in this area.