INSIGHT: French Guidance Takes First Steps Applying GDPR to Blockchain

Oct. 29, 2018, 3:07 PM UTC

“The GDPR, and more generally the classical principles of personal data protection, were conceived in a world where the management of data was centralized within specific entities. In this regard, the decentralized model of data governance embodied by Blockchain and the multiplicity of actors involved in the processing of data complicate the definition of the roles of each one.” Blockchain: Premiers éléments d’analyse de la CNIL (unofficial translation).

This observation comes straight from France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). In late September, France became the first EU Member State to release official guidance on the complicated interplay between the GDPR and blockchain technology.

The CNIL’s willingness to take on the initial analysis of the GDPR’s application to blockchain technologies is laudable; the analysis itself is thoughtful and, at times, refreshingly candid in its acknowledgment of the practical challenges of putting the decentralized blockchain genie back into the GDPR regulatory bottle. The release also makes clear to blockchain developers around the world that EU regulators consider decentralized technologies to be well within the GDPR’s purview, and that they will not shy away from regulating the blockchain industry.

Although the CNIL guidance sheds significant light on EU Data Protection Authorities’ understanding of blockchain technologies and their views as to what would constitute a compliant blockchain solution, there are a number of issues left either unaddressed or even further complicated by the guidance.

Emerging Consensus

The CNIL’s guidance reaffirms many of the conclusions anticipated by data privacy lawyers and blockchain developers. Despite the nontraditional roles played by entities processing on a blockchain, the guidance confirms that the GDPR’s fundamental controller and processor distinctions will nonetheless apply. The guidance first identifies a category of actors it terms “participants” (i.e., initiators of transactions on a blockchain), who have rights to write data to the chain and who decide to submit that data for validation by other participants (i.e., miners, nodes). Because these “participants” are deciding the purposes for which personal data will be processed—and have chosen blockchain technology as the means for processing—the CNIL considers them to be “controllers.”

According to the guidance, in the blockchain context a controller will be either (a) a natural person who is directing the processing of personal data in a professional or commercial context, or (b) a legal person that is writing personal data to the chain. Thus, any company or entity utilizing blockchain technologies and writing personal data to the chain should consider itself subject to a controller’s obligations under the GDPR. The CNIL also explicitly states that “a physical person who engages in the purchase or sale of Bitcoin … can be considered a controller if he conducts these transactions in the course of a professional or commercial activity, for the accounts of other physical persons.” This direction appears to put both commercial traders (“physical persons”) and cryptocurrency exchanges (“legal persons”) squarely within the definition of a data controller under the GDPR, and likely subjects them to all obligations applicable to controllers. Trading by individuals for purely personal purposes is likely to fall within the “household” exemption outlined in Article 2(2)(c), and would therefore be outside the scope of the GDPR.

As anticipated, the CNIL’s guidance also notes that any actor merely validating transactions or writing data to the chain at another’s direction should be considered a “processor.” Therefore, persons or entities operating as “miners” or “validator nodes” on a blockchain appear to be considered processors of personal data. This distinction may create a number of obvious compliance challenges under Article 28, especially in the context of miners supporting public blockchains like Bitcoin or Ethereum. Recognizing the practical problems, the CNIL states that it intends to issue further guidance to address the difficulties presented by classifying miners of a public blockchain as data processors.

The CNIL guidance further recognizes that the form of data storage is at least as important as the role of the entity writing to the blockchain, observing that “the format used for writing data to the blockchain may facilitate the exercise of data subject rights,” although the exercise of some rights will be inherently more difficult than others.

The CNIL opines that the rights of access and portability are “entirely compatible with blockchain,” since the technology allows the controller to easily view and reproduce for the data subject the information stored on-chain. The ease of exercising this right assumes, however, that the original controller is not required to delete any personal data subject to a portability request. The right of rectification is clearly more complicated, since anything written on-chain cannot be undone or erased. The CNIL suggests that while such data cannot be erased and re-submitted, the rectification could be added in a subsequent correcting transaction.

The biggest challenges, the guidance concedes, lie in the right to erasure and the right to object to processing. While noting that it is “technically impossible to comply with the right of erasure when the data has been entered onto a blockchain,” the CNIL also acknowledges that some level of identification, embodied in the public key, is a necessary part of the blockchain.

“The very architecture of the blockchain ensures that the identifiers (i.e., public keys) are always visible, because they are indispensable to its smooth functioning. The CNIL considers therefore that it is not possible to minimize them further and that their duration is essentially the duration of the life of the blockchain.”

Consistent with its risk-based approach, however, CNIL encourages minimizing any other identifiers stored on-chain by storing the personal data elsewhere and only using hashes, cryptographic references, or other validators proving the existence of such data. Erasure might then be accomplished by rendering the data “almost inaccessible, and therefore approximat[ing] the effects of erasure of the data.” Further, destroying the underlying private key or value generating the encrypted or hashed result would be “sufficient to anonymize the cryptographic commitment in such a way that it loses its quality of personal data.” Of course, personal data residing off the blockchain must be deleted as well.
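As an added illustration of the off-chain storage pattern described in this paragraph and of the correcting-transaction approach to rectification mentioned above (this is not code from the CNIL guidance or from any product; the store, chain and record names are constructed), the following keeps personal data in a deletable store and writes only keyed commitments to an append-only chain, so that destroying the per-record key is what turns the on-chain value into non-personal data:

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not CNIL's or any project's code: the personal
# data lives off-chain; the chain holds only keyed commitments to it.

def plain_hash(data: bytes) -> str:
    """Bare SHA-256 of the data itself (the weak option)."""
    return hashlib.sha256(data).hexdigest()

def commit(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 commitment: reveals nothing about `data` without `key`."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class OffChainStore:
    """Controller's deletable store: record_id -> (personal data, secret key)."""
    def __init__(self):
        self.records = {}
    def put(self, rid, data):
        key = secrets.token_bytes(32)  # fresh secret per record
        self.records[rid] = (data, key)
        return key
    def erase(self, rid):
        # Erasure: drop the data AND the key, so the on-chain commitment can
        # no longer be verified against, or linked to, any person.
        self.records.pop(rid, None)

class Chain:
    """Append-only ledger: entries are never modified or removed."""
    def __init__(self):
        self.entries = []
    def append(self, rid, kind, commitment):
        self.entries.append({"rid": rid, "kind": kind, "commitment": commitment})
    def latest(self, rid):
        for e in reversed(self.entries):
            if e["rid"] == rid:
                return e
        return None

def write_record(store, chain, rid, data):
    chain.append(rid, "write", commit(data, store.put(rid, data)))

def rectify(store, chain, rid, new_data):
    # Rectification: the old entry stays; a correcting entry supersedes it.
    chain.append(rid, "correction", commit(new_data, store.put(rid, new_data)))

def verify(store, chain, rid):
    """True only while the controller can still reproduce the latest commitment."""
    entry = chain.latest(rid)
    if entry is None or rid not in store.records:
        return False
    data, key = store.records[rid]
    return hmac.compare_digest(commit(data, key), entry["commitment"])

def guessable_without_key(on_chain_digest, candidates):
    """Why a bare hash is not anonymisation: low-entropy data is enumerable."""
    return any(plain_hash(c) == on_chain_digest for c in candidates)
```

The last function shows the caveat behind the CNIL's preference for keyed or salted commitments: an unkeyed hash of an e-mail address or name can be matched by simply hashing candidate values, whereas the HMAC commitment cannot be linked once its key is gone.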

Furthering the Conversation

In addition to affirming some key conclusions about blockchain and GDPR compliance, the CNIL’s guidance offers new considerations that had not previously received much public discussion. By furthering the conversation on liability, controllership, and risks of processing activities, the guidance should inform best practices and alleviate some privacy concerns of those in the blockchain industry.

Joint Participants. First, the CNIL addresses the issues presented by joint actors on a blockchain. In order to create “trust,” blockchain—especially the public, permissionless type—relies on decentralized technology, transparency, and shared governance among multiple players. But the GDPR requires that at least one entity be identified as a “controller” of the data. Among those who might be classified as controllers—those entities determining the purposes for the processing and writing to the chain—the CNIL offers two options. The controllers or group of participants may either create a legal entity in the form of an association or “GIE” (Economic Interest Group), or they may choose one participant to make data protection decisions for the group and designate that entity as the controller. If the group chooses to do neither, then each participant will be considered jointly responsible as a controller under the GDPR.

The identification of a single “point person” or entity may be a net-plus for both the participants and the data subjects, since joint controllers or participants may avoid confusing issues of shared responsibility, and data subjects will have a clear point-of-contact and corresponding supervisory authority. Nonetheless, the idea of a single participant becoming the “controller” of the chain with greater rights and responsibilities than other participants stands in a philosophical contrast to the principles of decentralization and trust fundamental to blockchain.

Clarifying Processor Roles. Next, the guidance acknowledges that actors who merely validate entries to the chain function as processors. Therefore, even if an entity is actually writing data to a blockchain, the CNIL’s guidance suggests that it will avoid the responsibilities of a controller if it is only writing at the direction of another entity. With regard to smart contracts, the guidance keeps open the possibility for the designers of smart contracts to be either processors or controllers, depending on the circumstances. However, the guidance provides some clarity by citing an example that directly invokes a real-life smart contracts pilot, called “fizzy,” that was launched last year by global insurance company AXA. (See “Insurance Giant AXA Launches Self-Executing Smart Contracts,” Artificial Lawyer (Sept. 19, 2017).) In the example, “a software developer offers an insurance company a solution in the form of a smart contract, which allows the company to automate the compensation of passengers when their flight was delayed. This developer will be viewed as a processor by virtue of the insurance company, the controller.”

While the CNIL cites blockchain miners as clear examples of processors, it is possible that this analysis could be extended to apply to digital identity or other platforms that put the use of blockchain technology solely in the hands of the individual user. For now, organizations developing digital identity solutions should proceed with caution until further guidance is provided, keeping in mind the CNIL’s view that developers of blockchain applications may function as controllers.

Privacy by Design. In perhaps its most helpful direction for industry, the CNIL emphasizes privacy by design analysis in advance of processing. The regulator repeatedly recommends that developers, businesses, and other actors undertake a detailed assessment of the need for recourse to blockchain technology, the privacy “pros and cons” thereof, and the way that personal data will be handled on the blockchain platform.

Any organization building or using blockchain solutions must keep privacy compliance at the forefront—both in meeting the requirements of the GDPR and in minimizing potential for harm to individuals. Organizations should begin by considering whether a blockchain solution is truly necessary, or whether the same result can be achieved by more traditional, centralized means. The CNIL wisely points out that “[b]lockchain is not always the best technology for all processing of data; it may be the source of difficulties for the controller with respect to its GDPR obligations.”

If an organization does decide to utilize blockchain, the guidance strongly implies that a detailed and good faith analysis of privacy and data security issues will be invaluable, should its compliance posture ever be scrutinized. Before undertaking any processing, controllers should focus specifically on privacy by design (GDPR Art. 25) and data protection impact assessments (DPIAs) (GDPR Art. 35). A controller must consider how the processing can be made secure, and how to minimize the personal data required for that processing. In doing so, it must take into account available methods for collecting, writing, and storing data, and must choose the one with “the least impact on the rights and freedoms of individuals.” The CNIL generally recommends that data in its regular form be stored “elsewhere” and that only validators be placed on the chain. According to the guidance, only in rare cases will a DPIA justify the writing of unencrypted personal data to a blockchain.

Once the format has been chosen, it is equally crucial that the controller assess the need for—and conduct a DPIA for—each processing operation envisioned on the blockchain. Because such assessments are required when processing will involve “new technologies,” developers and other controllers should complete DPIAs whenever they intend to use personal data on this platform. The DPIA will allow the controller to demonstrate that it has weighed and documented the risks and protections in advance of processing.

Practical Difficulties and Unanswered Questions

The CNIL’s detailed directions regarding prior assessment, joint liability, and general safeguards help to clarify the muddied waters of blockchain and privacy compliance. While this advice is welcome, much work is yet to be done, particularly where the authority identifies issues and either fails to propose a solution or suggests one that is entirely impracticable.

Data Transfers. Cross-border data transfers, for example, are always highly regulated but become impracticable in a blockchain context—especially a public blockchain. The CNIL rightly acknowledges that “the question of transfers outside the EU may become particularly problematic,” but goes on to propose the use of Standard Contractual Clauses, binding corporate rules (BCRs), or other bulky, inflexible certification mechanisms to cover transfers on a permissioned blockchain.

While these common data transfer mechanisms might be feasible in the case of a private blockchain with one controller and a small number of participants, their use in any other blockchain context could quickly become nightmarish. Blockchain’s raison d’être is, after all, decentralized ownership, governance, and access. One might argue that blockchain is most effectively utilized in contexts with numerous actors and contributors who do not know or trust each other, functioning separately but bound together by a standard protocol. Imagine, then, executing data transfer agreements with every person accessing the Bitcoin blockchain, or with every global entity in a supply chain. For these situations—arguably those for which blockchain applications are hoped to be most transformative—the CNIL appears to have no good solution in mind.

Apart from the complex issue of data transfers, any communication of personal data from a controller to a processor triggers the application of GDPR Art. 28. If, as the CNIL suggests, each miner or entity validating transactions must be considered a processor, a data protection agreement must therefore be implemented with each one. The CNIL’s guidance itself even recommends the enactment of “a contract specifying the obligations of each party and incorporating the provisions of Article 28.” Although the guidance goes on to note the “certain practical difficulties” of classifying bitcoin miners as processors, it offers no viable solution to this complex dilemma. Instead, the CNIL throws up its hands, vaguely stating that it is conducting a “thorough evaluation” of the matter and encouraging actors to use “innovative solutions” to ensure compliance with Article 28. Whether such “innovative solutions” will be sufficiently compliant for European regulators is anyone’s guess.

Security. Then there is the CNIL’s security guidance, which advises operators of blockchains to account for the possibility of “51 percent attacks,” where actors controlling more than half the network’s computing power would be able to modify or prevent further transactions or entries on the chain. To guard against such an event, the CNIL recommends that evaluations be performed to determine the minimum number of miners needed to mitigate this risk. While it is advisable to ensure that a blockchain is adequately distributed among at least a minimum number of independent nodes, far more complex controls will be required to guard against risks related to collusion and consolidated control over those nodes.

Nuances of Blockchain Applications. Finally, while broad guidance is certainly preferable to none at all, the CNIL’s analysis is at times characterized by oversimplification and generalizations regarding the technology. Although it makes mention of the various applications—public and private (or permissioned) blockchains, cryptocurrency blockchains involving miners, and smart contracts—the CNIL fails to fully recognize or address the significant differences among these applications. For instance, those validating transactions may have different roles and levels of responsibility in different contexts, and certain smart contracts or supply chain platforms may require that personal data be available on-chain in order to self-execute. Even more troubling is the CNIL’s suggestion that, for automated decision-making or smart contracts, a “data subject should be able to obtain human intervention to express his point of view and contest the decision, after which the contract may be executed.” If smart contracts are meant to be efficient and impartial, such a proposal seems counter-productive.

The Road Ahead

Problems and questions aside, the CNIL’s release of its guidance addressing GDPR’s applicability to blockchain is an important step not only for global industry but also for European regulators. The mere existence of such analysis signals that these complex issues are being assessed at a high level, and that at least some authorities are mapping a way forward.

In a further sign that the EU is not inclined to wall itself off from technological advances and instead is willing to grapple with GDPR-compliant adoptions of blockchain, on Oct. 3, the European Parliament passed a resolution titled, Distributed ledger technologies and blockchains: building trust with disintermediation. The resolution, which acknowledges distributed ledger technology as “a tool that promotes the empowerment of citizens by giving them the opportunity to control their own data,” makes recommendations to Member States encouraging adoption and best practices of blockchain platforms. As the EU moves forward with its own adoption of distributed technologies, including blockchain, it clearly will need to confront lingering privacy concerns head-on.

Both the EU resolution and the release of the CNIL’s guidance send a strong signal that the EU will not, as some have feared, decree blockchain to be fundamentally incompatible with the GDPR. To the contrary, these official actions indicate an acute awareness of the advantages of blockchain technology and a willingness to work with industry to increase adoption, so long as participants understand that there may ultimately emerge “right” and “wrong” ways to do blockchain from a privacy perspective.

______

Author Information

Laura Jehl is a partner at BakerHostetler based in Washington, D.C. She is co-leader of the firm’s General Data Protection Regulation (GDPR) and Blockchain Technologies and Digital Currencies initiatives.

Robert Musiala is counsel at BakerHostetler based in Chicago, where he advises blockchain industry clients on strategies for mitigating personal and business risk and achieving regulatory compliance.

Stephanie Malaska is an associate at BakerHostetler based in Washington, D.C. Her practice includes advising companies on data privacy, including GDPR, and on blockchain and other emerging technologies.

The views expressed in this article are those of the authors and not necessarily those of BakerHostetler or its clients, or of Bloomberg Law.
