Everyone talks about it, has seen it, but no one really knows what it is… and where the personal data collected in the process are stored…
A little history: the first public blockchain appeared in 2008 with Bitcoin (a virtual currency).
What is it?
Electronic peer-to-peer transactions without intermediaries have become possible. Under this new technology, a person can carry out a transaction, exchange value (a share or money for example) with another person without this transaction being regulated by a central bank. In this case, any person can participate in the transaction validation process. All data is recorded in a virtual ledger, accessible to all and replicated in several copies.
With the entry into force of the General Data Protection Regulation (GDPR) on May 25th, 2018, the question arose as to its compatibility with the public blockchain. Indeed, the new Regulation strengthens the protection of personal data for individuals within the European Union.
Does the public blockchain, as a new technology, meet the requirements of the GDPR? The CNIL has taken up this subject and proposed solutions to ensure that the public blockchain complies with the Regulation.
The qualification of the actors/users
The Commission considers that the participant (the person initiating the transaction) may in a number of cases be qualified as a controller:
- when it is a natural person and the processing is related to a professional or commercial activity;
- when it is a legal person registering personal data.
Indeed, the participant determines the purposes (the objectives pursued) and the means (the use of this technology, the format of the data) of the processing.
However, a person who, for example, sells or buys Bitcoin on her own behalf cannot be considered as the controller.
Concerning subcontracting, the question is more delicate. The GDPR provides for an obligation to contractualise the relationship between the controller and the processor. In the context of a public blockchain, this poses some difficulties.
The CNIL is currently considering this issue.
Rights compatible with the Blockchain
The Commission considers that the exercise of the right to information, the right of access and the right to portability is compatible with the technical properties of the Blockchain.
The Public Blockchain in the face of the GDPR challenge
The right to deletion, the right of rectification and the right to object to processing cannot be exercised effectively.
In accordance with the principle of irreversibility of data, once the transaction has been registered, it is not possible to delete or modify personal data.
Regarding the right to rectification, the controller may enter the updated data in a new block, and the subsequent transaction may cancel the first transaction. However, the first transaction will always remain visible in the blockchain.
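To make the point concrete, here is an added illustration (not code from the CNIL or from any real blockchain) of a minimal hash-chained ledger: a rectification is appended as a new block, the replayed view shows the updated value, yet the original record stays in the history, and editing an old block in place breaks the chain's verification. Names, the record layout and the sample data are constructed for this example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64

def block_hash(prev_hash, record):
    # Each block's hash binds it to its predecessor; this link is what makes the ledger append-only.
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": block_hash(prev, record)})

def verify(chain):
    # Recompute every hash: any in-place edit of an earlier block breaks a link.
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block_hash(prev, block["record"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True

def history(chain, subject):
    # Everything ever written about a data subject, superseded values included.
    return [b["record"] for b in chain if b["record"].get("subject") == subject]

def current_view(chain, subject):
    # The "rectified" view is obtained by replaying records; nothing is removed from the chain.
    view = {}
    for record in history(chain, subject):
        view.update({k: v for k, v in record.items() if k not in ("subject", "type")})
    return view

def build_demo():
    chain = []
    # Constructed sample data, not a real transaction.
    append(chain, {"subject": "alice", "type": "registration", "address": "1 Old Street"})
    # Rectification as described above: a new block carrying the updated value.
    append(chain, {"subject": "alice", "type": "rectification", "address": "2 New Street"})
    return chain

def tamper_in_place(chain):
    # Attempting real erasure by editing block 0 directly: the copy no longer verifies.
    edited = copy.deepcopy(chain)
    edited[0]["record"]["address"] = "REDACTED"
    return verify(edited)
```

Replaying the chain gives the corrected address, but the old address is still readable by anyone holding a copy of the ledger, which is exactly why the right to erasure cannot be satisfied by appending.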
The CNIL has become aware of technological solutions that would bring it closer to the compliance requirements of the Regulation. Their equivalence must be assessed, as the risks to the rights and freedoms of individuals are high in the context of a public blockchain.
Moreover, the obligations governing international transfers of personal data are particularly difficult to comply with. It must be noted that, as it stands, the controller has difficulty in exercising any control over the location of the miners.
So is the Blockchain compliant with the GDPR?
Clearly not, at least as regards data retention. But above all, the question may need to be asked differently:
Isn’t the GDPR already being outdated by such a free and innovative technology?