The French data protection authority has issued the first formal guidance on the relationship between #blockchain and the #GDPR in the #EU.
I'll tweet some of the main points. Here is the full text: cnil.fr/sites/default/…
I'll tweet some of the main points. Here is the full text: cnil.fr/sites/default/…
1. The @CNIL makes clear that its goal issuing this publication is to provide concrete guidance to actors in the space. This is to be applauded. Many in this space try to build compliant systems but are having a hard time figuring out what this entails.
2. *Data controllers*: unsurprising: where users directly engage with the ledger they can sometimes be controllers.
This, however, is only so where natural or legal persons exercise a professional or commercial activity (broad interpretation of household activity).
This, however, is only so where natural or legal persons exercise a professional or commercial activity (broad interpretation of household activity).
The latter points seems to be a perhaps overly broad interpretation of household activity under Art 2 GDPR.
Miners =/ controllers as their function is limited to validating transactions submitted by participants as they dont det. the means and purposes of processing.
Miners =/ controllers as their function is limited to validating transactions submitted by participants as they dont det. the means and purposes of processing.
The guidance leaves open the question of whether nodes are controllers or not.
Crucially, the @CNIL adds that #developers of smart contracts can be data processors.
Sometimes, #miners can be processors where they verify whether a transaction meets technical specifications - this means they need a contract w the controller under A28GDPR.
Sometimes, #miners can be processors where they verify whether a transaction meets technical specifications - this means they need a contract w the controller under A28GDPR.
The @CNIL doesn't seem ready to pronounce itself on the status of miners in public and permissionless BCs - saying its is conducting further research on this.
3. The @CNIL notes that there is considerable tension btw #blockchain and the #GDPR and that choosing to rely on this tech may be problematic from a data protection by design approach (meaning the very reliance on BC can be problematic from a GDPR perspective).
It cites the transfer of data outside of the EU in public and permissionless blockchains as an example of this problematic tension.
4. Data minimisation: the @CNIL considers that perpetual storage and BCs tamper-proof nature. It prefers not to prononce itself on whether data minimization can ever be achieved in #blockchains and calls for solutions at #EU level.
It tentatively notes that for public keys, perpetual storage seems inevitable. For transactional data it recommends off-chain storage of personal data where possible.
It also recommends the use of encryption and hashes but doesn't provide and further guidance on when cryptographic techniques can meet the GDPR anonymization threshold.
5. Right to erasure: the @CNIL notes that proper erasure is impossible on a #blockchain. However, it appears to imply that deleting private keys (a technique that has long been discussed as a solution) may amount to 'erasure' under the GDPR.
This isn't 'erasure' in the strict sense or in the way it has been interpreted by some Advocate Generals. But it would be somewhat analogous to Google implementing the #RTBF by simply delinking certain search results from select domains.
The @CNIL concludes that such methods allow providers to 'approach' GDPR compliance but stresses that there is no certainty as to whether this would *actually* be considered to meet the GDPR threshold.
6. The right to modification. The @CNIL considers that rectifying on-chain information is impossible and that the only conceivable solution would be the addition of new rectifying information in a new bloc.
7. The @CNIL considers that smart contracts *are* measures of solely automated data processing meaning that human intervention must be possible under A22GDPR.
I have an upcoming paper on this that reaches the same conclusion and discusses options.
I have an upcoming paper on this that reaches the same conclusion and discusses options.
8. Finally the @CNIL concludes with some reflections on security: there should be a minimum of miners to prevent 51% attacks and measures that allow for the modification of the algorithm in case a vulnerability is identified.
Overall this approach really is to be welcomed: it is an important step in providing more clarity to actors in the space.
Note, however, that @CNIL is intentionally vague on many aspects and that courts won't necessarily agree with its assessment.
Note, however, that @CNIL is intentionally vague on many aspects and that courts won't necessarily agree with its assessment.
