CNIL is the first EU Data Protection Authority to acknowledge and try to address some of the issues regarding the use of blockchains to process personal data through a published preliminary analysis. CNIL intends to collaborate closely with its European counterparts to propose a harmonized approach. CNIL recognizes that blockchain technology has strong development potential and proposes to offer concrete solutions to those who wish to use it. This post takes a discerning look at CNIL's guidance and aims to summarize its main takeaways.
Alexander Popescu, CIPP/E
CNIL uses the following classification to differentiate blockchains:
- Public Blockchains, which are accessible to anyone in the world. Anyone can make a transaction, participate in the block validation process, or obtain a copy of the Blockchain;
- Permissioned Blockchains, which have rules that define who can participate in the approval process or even perform transactions. They may, depending on the case, be accessible to all or have limited access;
- Private Blockchains, which are under the control of a party who has sole control over participation and validation in the blockchain. In CNIL's view, these private blockchains do not pose a particular question of conformity to the GDPR, as they are simple "classic" distributed databases.
It is important to note that CNIL excludes from its analysis both Distributed Ledger Technology ("DLT") solutions that are not blockchains and private blockchains.
Actors in a blockchain network and personal data
The CNIL distinguishes three types of actors in a Blockchain:
- accessors, who have the right to read and obtain a copy of the chain;
- participants, who have a right to write (and submit a transaction for validation);
- miners, who validate a transaction and create the blocks by applying specific rules so that they are "accepted" by the community.
CNIL considers a participant to be a data controller if that participant is either (a) a natural person who processes personal data in the context of a professional or commercial activity, or (b) a legal person that writes personal data to the chain. The reasoning CNIL applies is that the participants in a blockchain determine the ends (the objectives pursued by the processing) and the means implemented (data format, use of blockchain technology, etc.).
Miners may be considered data processors when they execute the instructions of the person in charge of processing or when they verify that the transaction meets technical criteria (e.g. a given format and a certain maximum size, and that the participant has the permission to perform a specific transaction), which CNIL acknowledges creates compliance issues in the case of public blockchains (e.g. Bitcoin). However, CNIL recommends that miners acting within permissioned and private blockchains execute adequate data processing agreements with participants which include the obligations set forth in Article 28 of the GDPR.
CNIL identifies two types of personal data which a blockchain may contain:
- Identifiers of participants and miners (public keys which identify the issuer and the recipient of a transaction); and
- Additional data written on chain (e.g. a title deed or a diploma) which may relate to identifiable persons.
To the extent the blockchain uses such personal data, the GDPR applies and a GDPR analysis should be performed.
How to minimize risks for data subjects when using a blockchain to process personal data?
1. Determine if the use of blockchain technology is necessary and the type of blockchain to be used. CNIL opines that, to comply with its obligations pursuant to Article 25 of the GDPR (privacy by design), a data controller must consider, upstream, the relevance of the choice of this technology prior to processing. CNIL notes that particular difficulties may be encountered when participants are located in countries outside of the EU, which raises questions of compliance regarding transfers of personal data outside the EU.
As such, data controllers should assess whether the specific properties of the blockchain are necessary to achieve the purposes of the processing, and analyze the proportionality of the system. If the use of a blockchain is determined to be necessary, CNIL recommends using a permissioned blockchain, which ensures better control of the governance of personal data, in particular with respect to data transfers outside of the EU. According to CNIL, the existing data transfer mechanisms (such as Binding Corporate Rules or Standard Contractual Clauses) are fully applicable to permissioned blockchains and may be implemented easily in that context. Implementing such data transfer mechanisms in the context of a public blockchain may prove difficult because the data controller does not have any control over the location of the miners.
2. Consider minimizing the personal data to be written in the blockchain. While CNIL acknowledges that identifiers (the public key) are necessary for the very functioning of the blockchain's architecture and cannot be further minimized, CNIL recommends that any additional personal data be minimized. CNIL's opinion indicates that solutions should be considered where (1) the data in clear form is stored outside of the blockchain; (2) only information proving the existence of the data is stored on the blockchain (i.e. a cryptographic commitment, a footprint of the data obtained by using a keyed hash function, etc.); or (3) the data is at least encrypted. These solutions have in common the idea that data in clear form will reside off the blockchain.
If none of the above solutions can be implemented, CNIL states that a data privacy impact assessment will be necessary to determine whether the residual risks are acceptable and whether the purposes of the processing warrant the storage of personal data on the blockchain. If so determined, and only in these exceptional situations, CNIL sees it as appropriate to store personal data in the form of a traditional footprint (an unkeyed hash) or even in clear format, if there is no other option.
How to ensure that data subject can effectively exercise their rights under GDPR
According to CNIL, the exercise of the right to information, the right of access and the right to data portability does not pose any particular difficulty in the context of blockchain technology. However, CNIL recognizes that it is technically impossible for data controllers to meet data subjects' requests for erasure of their personal data when the data is entered into the blockchain in clear format or as an unkeyed hash, and recommends using a cryptographic method instead.
In this respect, CNIL points out that technical solutions exist to move towards compliance with the GDPR. This is the case if the data is stored on the blockchain using a cryptographic method (see above): the deletion of (1) the data stored outside of the blockchain and (2) the verification elements (such as the key) stored off the blockchain would render the data almost inaccessible, even though the footprint itself remains on the chain.
Regarding the right to rectification, CNIL recommends writing a new block that cancels the transaction containing the erroneous data, and following the same procedure described above to delete the inaccurate data if needed.
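The minimization and erasure approach described above (a keyed-hash footprint on chain, clear data and key off chain) as an added worked example; this is illustrative code written for this post, not CNIL's or any project's implementation, and the diploma record, the guess list and the `OffChainStore` class are constructed assumptions. It contrasts an unkeyed footprint, which anyone can confirm by guessing the record, with a keyed footprint that becomes unlinkable once the off-chain key and data are erased.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a diploma record that would otherwise be written on chain.
RECORD = b"diploma:Jane Doe:Master of Science:2017"
# Constructed guess list standing in for a dictionary of plausible records.
GUESSES = [b"diploma:John Roe:Bachelor of Arts:2015", RECORD]

def plain_footprint(data: bytes) -> str:
    """Unkeyed hash on chain: anyone who can guess the record can confirm it."""
    return hashlib.sha256(data).hexdigest()

def keyed_footprint(data: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) on chain: the footprint cannot be checked without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def guess_plain(footprint: str, guesses) -> Optional[bytes]:
    """Dictionary check against an unkeyed footprint; returns the matching record, if any."""
    for candidate in guesses:
        if hmac.compare_digest(plain_footprint(candidate), footprint):
            return candidate
    return None

class OffChainStore:
    """Holds the clear data and a per-record key off chain; only the footprint goes on chain."""

    def __init__(self) -> None:
        self._records = {}  # record_id -> (data, key)

    def register(self, record_id: str, data: bytes) -> str:
        key = secrets.token_bytes(32)  # fresh key per record, never written to the chain
        self._records[record_id] = (data, key)
        return keyed_footprint(data, key)  # the only value written on chain

    def verify(self, record_id: str, data: bytes, footprint: str) -> bool:
        """Proves existence of `data` while the key is held; always False once erased."""
        entry = self._records.get(record_id)
        if entry is None:
            return False
        _, key = entry
        return hmac.compare_digest(keyed_footprint(data, key), footprint)

    def erase(self, record_id: str) -> None:
        """Right to erasure: drop data and key; the immutable footprint stays but is unlinkable."""
        self._records.pop(record_id, None)
```

After `erase`, the footprint left on the chain can no longer be tied to the record even by someone who guesses the clear data, which is the "almost inaccessible" outcome the guidance refers to.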
Security measures recommended by CNIL in the context of processing personal data using a permissioned blockchain
- Establish a minimum number of miners to avoid collusion attacks by miners holding 50% or more of the hashrate;
- Limit the impact on the security of transactions of the eventual failure of an algorithm (including a cryptographic one), for example by implementing a contingency plan to change the algorithms when a vulnerability is identified;
- Document the governance of the software developments used to create transactions and to mine, and implement technical and organizational procedures to ensure the permissions granted are correctly enforced;
- Implement technical and organizational measures to ensure the confidentiality of the blockchain, if it is not public;
- Store any secret key on a secure medium.
Some unanswered questions
- Joint controllers. CNIL recommends that the participants take a joint decision regarding liability for the processing of personal data on a blockchain, either by creating a legal entity to be designated as data controller or by designating the participant who makes decisions for the group as data controller. In the absence of such a decision, CNIL warns that all participants will have joint responsibility. Applying this recommendation in practice, however, leaves many open issues regarding decentralization, which are even harder to reconcile in the context of a public blockchain or of multi-layered blockchains.
- Miners as data processors. CNIL is likely to reflect further on the issue of miners being considered data processors and having to enter into data processing agreements with participants in the context of a public blockchain. Validating transactions is basically running the protocol in the hope of winning a reward, in order to contribute to the stability of the network, and/or as a way to access the data that is relevant to the miner without relying on third-party intermediaries. In a public blockchain, the participants have no control over where the miners are located, so considering miners as data processors may trigger obligations under the GDPR for both participants and miners that cannot objectively be complied with.
More questions and issues are in the process of being explored by an initiative of the EU Commission, the European Union Blockchain Observatory and Forum, including in a recent report which can be viewed here.