
Op Ed: 10 Takeaways From Recent French Guidance on Blockchain and the GDPR


“The GDPR, and more generally the classical principles of personal data protection, were conceived in a world where the management of data was centralized within specific entities. In this regard, the decentralized model of data governance embodied by blockchain and the multiplicity of actors involved in the processing of data complicate the definition of the roles of each one.” Blockchain: Premiers éléments d’analyse de la CNIL (unofficial translation).

In late September 2018, France became the first EU member state to release official guidance on the complicated interplay between the General Data Protection Regulation (GDPR) and blockchain technology. The guidance from the Commission nationale de l’informatique et des libertés (CNIL) is complex and nuanced, but it suggests some important takeaways about GDPR compliance for blockchain solutions.

Takeaway No. 1: Users of blockchain solutions may be considered to be controllers of their own data.

The CNIL guidance identifies a category of actors termed “participants” (i.e., initiators of transactions on a blockchain) who have rights to write data to the chain and who decide to submit that data for validation by other participants (i.e., miners and “validator nodes”). Because these participants are deciding the purposes for which personal data will be processed and have chosen blockchain technology as the means for processing, the CNIL remarks that they should be considered controllers.

This part of the CNIL guidance will have a significant positive impact on various blockchain solutions — especially self-sovereign identity solutions — that seek to take control over personal data away from business entities and put it back into the hands of individuals.

Takeaway No. 2: Cryptocurrency exchanges are controllers of personal data under the GDPR.

According to the CNIL guidance, a controller will be either (a) a natural person who is processing personal data in a professional or commercial context or (b) a legal person who is writing personal data to the chain.

In a specific example, the CNIL states that “a physical person who engages in the purchase or sale of bitcoin … can be considered a controller if he conducts these transactions in the course of a professional or commercial activity, for the accounts of other physical persons.”

This statement appears to put cryptocurrency exchanges squarely within the definition of a data controller under the GDPR and likely subjects them to all obligations applicable to controllers.

Takeaway No. 3: Miners or validator nodes of blockchain transactions are processors of personal data under the GDPR.

The CNIL guidance notes that any actor merely validating transactions or writing data to the chain at another’s direction should be considered a processor. Therefore, persons or entities operating as miners or validator nodes on a blockchain will likely be considered processors of personal data.

Takeaway No. 4: Blockchain is not incompatible with the GDPR’s right of erasure.

Despite previous conjecture that a blockchain’s immutability would put it forever at odds with the right of erasure, initial guidance proposes a welcome middle ground.

The CNIL suggests that erasure of personal data stored on a blockchain might be accomplished by rendering the data “almost inaccessible, and therefore approximat[ing] the effects of erasure of the data.” Further, destroying the underlying private key or value generating the encrypted or hashed result would be “sufficient to anonymize the cryptographic commitment in such a way that it loses its quality of personal data.” Of course, in order for these techniques to be effective, personal data residing off the blockchain must be deleted as well.
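The erasure technique the CNIL describes (a hashed or encrypted commitment on the chain, with the key or input value kept off-chain so that destroying it severs the link to the person) can be shown in a few lines. The example below is added here and is not code from the CNIL guidance or from the article's authors; the `OffChainStore` class, the function names and the constructed e-mail addresses are hypothetical. It contrasts a plain hash of a low-entropy identifier, which anyone watching the chain can recompute from a guess list, with an HMAC commitment under a random off-chain key, which becomes unlinkable once the controller deletes that key.

```python
"""Keyed commitments for personal data referenced from a blockchain.

Added illustration of the erasure approach described in the CNIL guidance;
not the guidance's own code. Store names, function names and sample data are
constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple


def unkeyed_commitment(personal_data: bytes) -> bytes:
    """Plain SHA-256 of the data: unsuitable for identifiers such as e-mail
    addresses, because an observer can recompute it from plausible guesses."""
    return hashlib.sha256(personal_data).digest()


def keyed_commitment(personal_data: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 under a random key that never leaves the off-chain store.
    Only a holder of the key can re-link the on-chain value to the person."""
    return hmac.new(key, personal_data, hashlib.sha256).digest()


def guess_from_candidates(commitment: bytes,
                          candidates: Iterable[bytes]) -> Optional[bytes]:
    """What a chain observer without the key can do: hash each candidate
    value and compare. Succeeds against unkeyed commitments of guessable data,
    fails against keyed ones."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_commitment(candidate), commitment):
            return candidate
    return None


class OffChainStore:
    """Hypothetical controller-side store: commitment -> (key, plaintext).

    The chain holds only the commitment. Erasure means dropping the entry,
    which destroys the key; the on-chain bytes stay but no longer point to
    anyone, which is the effect the guidance describes."""

    def __init__(self) -> None:
        self._entries: Dict[bytes, Tuple[bytes, bytes]] = {}

    def record(self, personal_data: bytes) -> bytes:
        """Commit to new personal data; returns the value to write on-chain."""
        key = secrets.token_bytes(32)
        commitment = keyed_commitment(personal_data, key)
        self._entries[commitment] = (key, personal_data)
        return commitment

    def resolve(self, commitment: bytes) -> Optional[bytes]:
        """Re-link an on-chain commitment to its plaintext, if still held."""
        entry = self._entries.get(commitment)
        return entry[1] if entry else None

    def verify(self, commitment: bytes, personal_data: bytes) -> bool:
        """Check a claimed plaintext against the commitment; impossible
        once the key has been erased."""
        entry = self._entries.get(commitment)
        if entry is None:
            return False
        return hmac.compare_digest(keyed_commitment(personal_data, entry[0]),
                                   commitment)

    def erase(self, commitment: bytes) -> None:
        """Destroy key and plaintext; the on-chain commitment is now orphaned."""
        self._entries.pop(commitment, None)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    subject = b"alice@example.com"
    guesses = [b"bob@example.com", b"alice@example.com"]

    print("unkeyed, recovered:",
          guess_from_candidates(unkeyed_commitment(subject), guesses))

    store = OffChainStore()
    on_chain = store.record(subject)
    print("keyed, recovered:", guess_from_candidates(on_chain, guesses))
    print("controller can resolve:", store.resolve(on_chain))

    store.erase(on_chain)
    print("after erasure, resolve:", store.resolve(on_chain))
    print("after erasure, verify:", store.verify(on_chain, subject))
```

The same design carries over to the encrypted variant the CNIL mentions: replace the HMAC with authenticated encryption under the off-chain key, and deleting that key leaves the on-chain ciphertext unrecoverable. In both cases the guidance's last caveat applies as written: the off-chain copy of the plaintext has to be deleted too, or nothing has been erased.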

Takeaway No. 5: Participants on a permissioned blockchain must designate a single data controller or risk having all participants deemed joint controllers.

Among those who might be classified as controllers on a permissioned blockchain — those entities determining the purposes for the processing and writing to the chain — the CNIL offers two options: The controllers or group of participants may either create a legal entity in the form of an association or “GIE” (Economic Interest Group), or they may choose one participant to make data protection decisions for the group and designate that entity as the controller.

If the group chooses to do neither, then each participant will be considered jointly responsible as a controller under the GDPR and must separately adhere to all applicable obligations. (The application of this concept to a public permissionless blockchain remains unclear and will likely be a subject of future guidance.)

Takeaway No. 6: Developers of smart contracts will be considered data processors when they develop smart contracts at the direction of a third party.

With regard to smart contracts, the CNIL guidance keeps open the possibility for the designers of smart contracts to be either processors or controllers, depending on the circumstances. However, the guidance provides some clarity by citing an example that directly invokes a real-life smart contracts pilot called “fizzy,” which was launched last year by global insurance company AXA.

In the example, “a software developer offers an insurance company a solution in the form of a smart contract, which allows the company to automate the compensation of passengers when their flight is delayed. This developer will be viewed as a processor by virtue of the insurance company, the controller.” The entity directing the creation and use of the smart contract will likely be deemed a controller.

Takeaway No. 7: Any business looking to use blockchain technology should carefully assess privacy considerations before going live with its solution.

Any organization building or using blockchain solutions must keep privacy compliance at the forefront — both in meeting the requirements of the GDPR and in minimizing potential for harm to individuals. Organizations should begin by considering whether a blockchain solution is truly necessary or whether the same result can be achieved by more traditional, centralized means. The CNIL wisely points out, “Blockchain is not always the best technology for all processing of data; it may be the source of difficulties for the controller with respect to its GDPR obligations.”

If blockchain technology is still preferred, the CNIL strongly encourages entities to perform a privacy-by-design analysis in advance of any processing. The regulator repeatedly recommends that developers, businesses and other actors undertake a detailed assessment of the need for recourse to blockchain technology, the privacy “pros and cons” thereof, and the way that personal data will be handled on the blockchain platform.

It is also crucial that the controller determine the need for, and if necessary conduct, a data protection impact assessment (DPIA) for each processing operation envisioned on the blockchain. The DPIA will allow the controller to later demonstrate that it has weighed and documented the risks and protections in advance of processing.

Takeaway No. 8: Permissioned blockchains should have a minimum number of nodes to protect the integrity of blockchain data.

The CNIL’s security guidance advises blockchain operators to account for the possibility of “51 percent attacks,” where actors controlling more than half the network’s computing power would be able to modify or prevent further transactions or entries on the chain. To prevent such an event, the CNIL recommends that evaluations be performed to determine the minimum number of miners needed to mitigate this risk.

Still, while it is advisable to ensure that a blockchain is adequately distributed among at least a minimum number of independent nodes, far more complex controls will be required to guard against risks related to collusion and consolidated control over those nodes.

Takeaway No. 9: Data subjects must have recourse to challenge the outcome of smart contracts — although the form this recourse should take is unclear.

The CNIL’s guidance is seemingly inconsistent on the extent to which a data subject should be able to contest the output of smart contracts.

In one sentence, the guidance appears to require that data subjects be able to intervene in smart contracts, stating that a “data subject should be able to obtain human intervention, to express his point of view and contest the decision, after which the contract may be executed.”

In the very next sentence, the guidance appears to state that it is sufficient to allow a data subject to challenge a smart contract after execution, stating that it is “appropriate that the controller provides for possibility of human intervention that allows … the data subject to challenge the decision, even if the contract was already executed.”

Perhaps the only thing that is clear is that in scenarios where smart contracts process personal data, the data subject should have some level of recourse to challenge the outcome of the smart contract transaction.

Takeaway No. 10: There will be “right” and “wrong” ways to use blockchains from a privacy and security perspective, and more guidance is forthcoming.

On October 3, 2018, the European Parliament passed a resolution titled “Distributed ledger technologies and blockchains: building trust with disintermediation.” The resolution, which acknowledges distributed ledger technology as “a tool that promotes the empowerment of citizens by giving them the opportunity to control their own data,” makes recommendations to member states encouraging adoption and best practices of blockchain platforms.

Both the EU resolution and the release of the CNIL’s guidance send a strong signal that the EU will not, as some have feared, decree blockchain technology to be fundamentally incompatible with the GDPR. To the contrary, these official actions indicate an acute awareness of the advantages of blockchain technology and a willingness to work with industry to increase adoption, so long as participants understand that there may ultimately emerge right and wrong ways to “do blockchain” from a privacy perspective.

This is a guest post by Laura Jehl, Robert Musiala and Stephanie Malaska of BakerHostetler. Views expressed are those of the authors and do not necessarily reflect those of BakerHostetler, its clients, Bitcoin Magazine or BTC Inc.

Robert A. Musiala Jr. is BakerHostetler’s Blockchain Counsel. His practice includes advising blockchain industry clients that have previously completed “initial coin offering” events on strategies for mitigating personal and business risk, limiting business disruption and achieving regulatory compliance.

Stephanie Malaska, an associate with the firm, focuses her developing litigation practice on international disputes and related cross-border issues.

This article originally appeared on Bitcoin Magazine.
