Blockchain and the EU GDPR

An overview and translation of the CNIL’s Working Policy Paper

Florian Martin-Bariteau
Blckchn.ca

--

The Commission Nationale Informatique et Libertés (CNIL) has published “Blockchain: Premiers éléments d’analyse de la CNIL”, a document on blockchain and the European Union General Data Protection Regulation (GDPR). The document was released by the French Data Protection Authority (DPA) as a working policy paper and offers an overview of its initial reflection on blockchain technology and its compliance with the GDPR.

The document is only available in French. As several people asked me about it, my team and I prepared an English translation that can be downloaded here.

Please note that, in our translation, we endeavoured to maintain the CNIL’s word choices and to keep the French and English versions as similar as possible.

In its working paper, the CNIL notes the GDPR has been created to regulate data use, rather than any particular form of technology. As such, and without surprise to anyone familiar with privacy law, the CNIL states the GDPR applies to the use of blockchain in any instance where personal data is handled. However, this working paper is a very raw analysis. In our opinion, the document raises more questions than it answers — and highlights some legal uncertainty with respect to the qualifications of different actors on a blockchain under the GDPR taxonomy. In several areas, the CNIL highlights that more reflection is needed on its end, and that this reflection needs to be undertaken at the European level.

Beyond this document, and to highlight the uncertainty surrounding the subject matter, we would like to draw your attention to the Hungarian National Authority for Data Protection and Freedom of Information’s official Opinion on “Blockchain Technology in the Context of Data Protection”, which adopted a different position. In the Opinion, the President of the Hungarian DPA held that in a decentralized system such as a blockchain, practically all users carry out data processing. Each user who adds blocks and data to a blockchain qualifies as a data controller. Users who process data on behalf of the controller qualify as data processors. The Hungarian DPA’s Opinion states that blockchain users should keep cross-border data processing rules in mind. With respect to jurisdictional issues, the Hungarian DPA considers the place of data storage irrelevant. Instead, the Hungarian DPA shifts the focus regarding jurisdiction (and of a DPA authority) to the territory where the data controller carries out the data processing operations.

Currently, there seems to be some legal uncertainty with respect to GDPR compliance. Blockchain developers need to be very careful about the design of blockchain technology, its implementation, and the information registered on such ledgers. These considerations may include avoiding any personal information. With blockchain technology, “privacy by design” takes on a whole new meaning! If a developer fails to implement specific requirements, the developer will not be able to revisit or fix the design. Essentially, the developer will have to restart and rebuild from scratch.

We hope that the European DPAs will conduct hearings with subject matter experts to better understand the technology, its uses, and what needs to be done from a compliance perspective. Hopefully, this will be achieved through the Article 29 Working Party to ensure coherence among the EU Member States’ DPAs.

--

Florian Martin-Bariteau
Blckchn.ca

University Research Chair in Technology and Society, Associate Professor & Director, @uOttawaTechLaw, @uOttawa | http://f-mb.org