What does the report say?
The CNIL considers four main areas:
- the qualification of the parties (data controller vs data processor);
- the mitigation of risks associated with the technology;
- compatibility of the technology with rights under the GDPR; and
- security measures that should be implemented when using the technology.
What are the challenges and can they be overcome?
The CNIL recognises that elements of Blockchain technology are entirely compatible with GDPR (for example, the right of access and the right to data portability). However, the CNIL has identified other elements which in its view are more problematic.
1. Is it possible to inform data subjects fully about the proposed processing of their personal data?
The CNIL's opinion seems to be that data controllers using Blockchain solutions will easily be able to comply with their obligations to inform data subjects of the purposes for which personal data will be processed, as well as the legal basis for the processing, before the processing takes place (as required under GDPR). However, it's hard to see how Blockchain operators will be any more capable of anticipating all future uses of personal data than any other technology providers.
The technology also presents some unique challenges in this respect. Because personal data on a Blockchain is accessible by any participant (who may not be a contributor and, therefore, not a controller in the CNIL's opinion), it may end up being processed in a way that was not envisaged by the controller (and notified to data subjects) at the outset.
As such, compliance with these particular obligations may not in fact be as straightforward as the CNIL seems to think. For this reason, personal data stored and made publicly available on the Blockchain should be limited as far as possible.
2. Who are the controllers and processors of data on a Blockchain?
The CNIL gives a view on who it considers to be controllers – broadly, any business or professional adviser who inputs personal data onto the relevant Blockchain. By contrast, consumers who put personal data on a Blockchain are not data controllers.
This gives rise to an obvious question to which the CNIL offers no response – where a data subject inputs data directly, who in fact is the data controller and, therefore, against whom do they have recourse if their data is mishandled? We would also query whether it is logical that a professional inputting data onto a Blockchain on behalf of a client should automatically be considered a data controller of data on that Blockchain. While it undoubtedly makes identification of the controller straightforward, it seems to us that it would impose unnecessarily stringent obligations on the professional, who will not necessarily control how the Blockchain operator uses the personal data.
Our view is that, in this sense, Blockchain is no different from other technologies and the identification of controllers and processors should remain a question of fact – i.e. which person/entity is responsible for deciding how the data is processed? – and that controllers and processors should be appropriately identified in relevant agreements or privacy policies. The CNIL's suggestion that, where there are multiple controllers, each should bear responsibility unless expressly stated otherwise, is a helpful proposal, but also raises questions about whether diffuse responsibility will lead to undesirable behaviour.
The CNIL also discusses the status of miners, which it considers are unlikely to be controllers but are likely to be processors or sub-processors. As a Blockchain involves a huge number of miners, the requirement under GDPR to put in place written contracts between controllers and processors represents a potential operational challenge, although it would seem possible for the required contractual relationship to be created fairly simply through miners' acceptance of appropriate terms and conditions before being able to validate transactions on the Blockchain.
Equally, thought should be given as to the role of developers of smart contracts, and indeed other blockchain participants, in relation to personal data and, therefore, whether they need to be bound by appropriate contractual terms.
3. Does Blockchain allow for the effective exercise of data subjects' rights under GDPR?
The CNIL recognises the difficulties related to the immutability of records on a Blockchain. In particular, it identifies the right to be forgotten and the right to rectification of personal data, as well as the principle of data minimisation, as key problem areas. The CNIL recognises that it is impossible to erase historical personal data from a Blockchain completely.
However, some comfort can be taken from its view that, if personal data are sufficiently encrypted, the technical inability for third parties to access the personal data could be sufficient to consider that the rights of the data subjects are respected. In our experience, this question has troubled many in the Blockchain space, so evidence of a regulatory pragmatism should put minds at ease, although a more conclusive view would eliminate a significant risk area.
Fundamentally, the CNIL says that the right to rectification cannot be met, because, even if a new block is entered onto the chain with the correct information, the previous block (containing the incorrect data) remains. The regulator does not say as much, but it seems to us that the essence of this right could be respected if encryption measures similar to those used to "erase" personal data were applied to the inaccurate block: the ciphertext stays on the chain, but once its key is destroyed nobody can recover the inaccurate data from it. These measures should also be implemented at the end of the relevant data retention period.
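The "erasure by encryption" approach discussed in the two points above (destroying a key so that data left on an immutable chain becomes unreadable, and applying the same treatment to an inaccurate block before appending a corrected one) is often called crypto-shredding. The following is an added example written for this page, not code from the CNIL report or from any Blockchain project. It uses a minimal hash chain as a stand-in for a Blockchain and a standard-library HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag so that it runs without third-party packages; a real deployment would use AES-GCM or ChaCha20-Poly1305 from a vetted library, and the per-block keys would live in an HSM or KMS rather than a dictionary. The pseudonymous `subject_id` handle and the sample address are constructed for the example.

```python
"""Crypto-shredding on an append-only ledger (added example, stdlib only)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate one per-block key into an encryption key and a MAC key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: concatenate HMAC(enc_key, nonce || counter) blocks.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    subject_id: str   # pseudonymous lookup handle (assumption: acceptable on-chain)
    record_id: str    # which logical record this block (re)states
    payload: bytes    # ciphertext; opaque to every participant without the key

    def digest(self) -> str:
        h = hashlib.sha256()
        for part in (str(self.index), self.prev_hash, self.subject_id, self.record_id):
            h.update(part.encode() + b"\x00")
        h.update(self.payload)
        return h.hexdigest()


class Ledger:
    """Append-only hash chain: nothing is ever removed or rewritten."""

    def __init__(self) -> None:
        self.blocks: list[Block] = []

    def append(self, subject_id: str, record_id: str, payload: bytes) -> Block:
        prev = self.blocks[-1].digest() if self.blocks else "0" * 64
        block = Block(len(self.blocks), prev, subject_id, record_id, payload)
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        prev = "0" * 64
        for i, b in enumerate(self.blocks):
            if b.index != i or b.prev_hash != prev:
                return False
            prev = b.digest()
        return True


class Controller:
    """Holds the per-block keys off-chain; the chain itself never changes."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.keys: dict[int, bytes] = {}   # block index -> key (an HSM/KMS in practice)

    def write(self, subject_id: str, record_id: str, plaintext: bytes) -> Block:
        key = secrets.token_bytes(32)      # fresh key per block so one block can be shredded alone
        block = self.ledger.append(subject_id, record_id, encrypt(key, plaintext))
        self.keys[block.index] = key
        return block

    def read(self, subject_id: str, record_id: str) -> bytes | None:
        # The latest block for a record wins; None if no readable version remains.
        for b in reversed(self.ledger.blocks):
            if b.subject_id == subject_id and b.record_id == record_id:
                return decrypt(self.keys[b.index], b.payload) if b.index in self.keys else None
        return None

    def rectify(self, subject_id: str, record_id: str, corrected: bytes) -> Block:
        # Shred the key of every earlier version, then append the corrected one.
        for b in self.ledger.blocks:
            if b.subject_id == subject_id and b.record_id == record_id:
                self.keys.pop(b.index, None)
        return self.write(subject_id, record_id, corrected)

    def erase(self, subject_id: str) -> int:
        # Right to be forgotten: destroy every key for the subject; returns how many were shredded.
        victims = [b.index for b in self.ledger.blocks if b.subject_id == subject_id]
        return sum(1 for i in victims if self.keys.pop(i, None) is not None)

    def readable_blocks(self, subject_id: str) -> list[int]:
        return [b.index for b in self.ledger.blocks
                if b.subject_id == subject_id and b.index in self.keys]
```

The design point is that `Ledger.verify()` keeps passing through rectification and erasure, because no block is ever altered: only the controller's key store changes. The residual risks a practitioner should still weigh are that the ciphertext remains on every node indefinitely (so the cipher's long-term strength and the irrecoverability of key destruction carry the whole argument), and that metadata left in clear, such as the lookup handle, can itself be personal data.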
4. What security measures should be implemented?
The CNIL strongly recommends that data stored on the Blockchain is protected through the use of strong, state-of-the-art encryption technologies (including hashing, digitisation and anonymisation techniques). The CNIL also recommends that Blockchain operators implement contingency plans to ensure that adequate operational and technical procedures are implemented to ensure the protection of personal data. In particular, any upgrades to the software used for conducting transactions and mining operations should be documented. Finally, the CNIL emphasises the need to ensure the security of secret keys.
While these security standards are sensible, they highlight the reality that the technology is almost always ahead of the regulatory understanding, not to mention the law. One caveat is worth stating: hashing is not encryption, and a plain hash of a low-entropy value such as a name, e-mail address or national identifier can be reversed by enumerating candidates, so a hash protects the underlying data only if it is keyed or salted with a secret that is itself kept off the chain. In reality, very little (if any) personal data tends to be stored on a Blockchain (as to do so would be inefficient and expensive) and all of the measures recommended in the note are typically already implemented within most Blockchains.
Confirmation from the regulator that these standards are likely to be required is useful, but in our view additional guidance would help Blockchain operators to understand precisely what will constitute an adequate level of security in both private and public Blockchains in the eyes of the regulator.
Blockchain operators will welcome commentary in an area where regulators have been notable for their silence. That said, this is just one regulator's view and the extent to which others agree or disagree remains to be seen. The distributed nature of Blockchain means that it's almost always going to be relevant to consider the position in more than one territory, so we look forward to hearing other regulators' views on the CNIL's analysis.
Lastly, French law practitioners have considered the balance between the obligation imposed on French administrative authorities to provide information of general interest to the public and GDPR compliance. In our view, Blockchain technology could be used by those authorities to make information easily accessible to the public, while ensuring that their Blockchain respects the guidelines issued by the CNIL.