GDPR & Blockchain: is the technology compliant with the regulation?
- Jan 30
The General Data Protection Regulation, or GDPR, is a European Union regulation that came into force and has been applicable in all member states since May 25, 2018. It was designed to give individuals back control over their personal information and places responsibility on those responsible for processing this data.
The entry into force of this regulation has given rise to new professions and new responsibilities. The blockchain technology revolution is underway: it is a technology with strong development potential that raises many questions, including, in some cases, its compatibility with the GDPR. So, are blockchain and the GDPR compatible? Is the technology compliant with the regulation? Read our article for more information!
Quick reminder…
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation or GDPR, is a European Union regulation that came into force and has been applicable in all member states since May 25, 2018.
It was designed to give individuals back control over their personal information and places responsibility on those in charge of processing this data. It thus establishes a legal framework for the protection of personal data and applies to all types of organizations established on European territory or whose activities target European citizens.
Until then, this data was governed by the well-known "Data Protection Act" of January 6, 1978. France chose to keep that act in force and amend it by ordinance so as to align it with the European Parliament's regulation. The result is the new Data Protection Act of June 20, 2018, which does not reproduce the entire regulation but does incorporate a large part of its provisions, thereby bringing national law into line with EU law.
As soon as the regulation came into force, organizations were required to comply with it or risk being fined up to 4% of their global annual turnover. This is why organizations must be able to prove their compliance with personal data protection regulations at all times.
Among the steps recommended by the French Data Protection Authority (CNIL) to achieve compliance are the appointment of a data protection officer or DPO (not always mandatory in the private sector), mapping the processing of personal data, and keeping a record of processing activities.
The entry into force of this regulation has given rise to new professions and new responsibilities, and while some organizations have redoubled their efforts to get up to speed, others have fallen behind, and still others have seen their attempts at compliance disrupted by the advent of the COVID-19 pandemic.
While this has not escaped the attention of the CNIL, which provides best practices for employees and employers on its website, there is another topic on which it has issued a statement and which remains uncertain: blockchain.
This storage and transmission technology has been talked about since 2009 and seems to have become popular today, as it has disrupted many sectors, but can it be used freely or are there measures to be respected when personal data is involved?
In other words, are blockchain and the GDPR compatible? Is the technology compliant with the regulation?
To answer this question, we must first define the technology.
What's blockchain?
In its December 12, 2018 report, the National Assembly's joint fact-finding mission on blockchains defines the concept of blockchain as "a ledger, a large database that has the particularity of being shared simultaneously with all its users, who are all equally holders of this ledger and who also all have the ability to enter data into it, according to very specific rules set by a computer protocol that is highly secure thanks to cryptography."
Blockchain is best known for its use in the financial sector. It has developed in cryptocurrency transactions (including the famous bitcoin) and its main feature is that it does not depend on a centralizing body, such as a central bank, for example. It is found in many other sectors, such as healthcare and insurance, where blockchain enables the automation of reimbursement procedures, thereby reducing paperwork.
In summary, how does it work?
Transactions are sent to a group of computers called “nodes.” All participants can access them simultaneously, anywhere in the world. These transactions are encrypted, which prevents them from being intercepted.
They are stored in a “blockchain,” which is a chain of blocks linked together; therefore, modifying one block results in modifying the entire chain. Each block contains the history of the previous block.
Transactions are decrypted and authenticated by “miners,” individuals or companies that perform “mining,” an activity that consists of solving a cryptographic problem through computer calculations.
In short, blockchain is a technology that allows a set of transactions to be tracked in a fast, secure, decentralized, transparent, and irreversible way.
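As an added illustration, not code from the article or from the fact-finding report it cites, the following Python builds a toy chain of blocks with a small proof-of-work "mining" step and shows why editing a block is not a local change: the edited block's own hash, and every later block's link to it, stop matching. The sample transactions, the difficulty setting and all function names are constructed for this example.

```python
import copy
import hashlib
import json

# Added example: a toy block chain with a small proof-of-work step. Block contents,
# the difficulty and the function names are constructed for this illustration.
DIFFICULTY = 2            # a block hash must start with this many hex zeros
GENESIS_PREV = "0" * 64   # the first block has no predecessor

# Constructed sample transactions, grouped into the batches that become blocks
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "carol", "to": "alice", "amount": 1}],
    [{"from": "alice", "to": "dave", "amount": 3}],
]


def header_hash(index, previous_hash, transactions, nonce):
    """SHA-256 over a canonical JSON encoding of the block header."""
    header = {"index": index, "previous_hash": previous_hash,
              "transactions": transactions, "nonce": nonce}
    encoded = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def mine_block(index, previous_hash, transactions):
    """'Mining': try nonces until the header hash meets the difficulty target."""
    nonce = 0
    while True:
        digest = header_hash(index, previous_hash, transactions, nonce)
        if digest.startswith("0" * DIFFICULTY):
            return {"index": index, "previous_hash": previous_hash,
                    "transactions": transactions, "nonce": nonce, "hash": digest}
        nonce += 1


def build_chain(batches):
    """Link blocks so that each one commits to the hash of its predecessor."""
    chain, previous = [], GENESIS_PREV
    for index, transactions in enumerate(batches):
        block = mine_block(index, previous, transactions)
        chain.append(block)
        previous = block["hash"]
    return chain


def first_invalid_block(chain):
    """Index of the first block whose hash, link or difficulty no longer holds; None if intact."""
    previous = GENESIS_PREV
    for block in chain:
        recomputed = header_hash(block["index"], block["previous_hash"],
                                 block["transactions"], block["nonce"])
        if (block["previous_hash"] != previous or block["hash"] != recomputed
                or not block["hash"].startswith("0" * DIFFICULTY)):
            return block["index"]
        previous = block["hash"]
    return None


def first_invalid_after_edit(chain, index, new_transactions, remine=False):
    """Edit one block on a copy of the chain and report where validation now fails."""
    edited = copy.deepcopy(chain)
    if remine:
        edited[index] = mine_block(index, edited[index]["previous_hash"], new_transactions)
    else:
        edited[index]["transactions"] = new_transactions   # stored hash is now stale
    return first_invalid_block(edited)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    altered = [{"from": "alice", "to": "bob", "amount": 500}]
    print("intact chain, first invalid block:", first_invalid_block(chain))
    print("block 1 edited in place:", first_invalid_after_edit(chain, 1, altered))
    print("block 1 edited and re-mined:", first_invalid_after_edit(chain, 1, altered, remine=True))
```

Editing block 1 in place fails at block 1 itself (its stored hash no longer matches); re-mining block 1 makes that block valid again but then block 2's previous_hash points at a hash that no longer exists, so every later block would have to be re-mined as well. Note that editing and re-mining the very last block passes validation, which is why participants wait for further blocks to be appended before treating a record as final.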
What risks does this technology pose with regard to personal data?
Today, a large proportion of the data exchanged around the world contains personal information such as identity or bank account numbers. As a result, more and more cases involve the application of the GDPR and, consequently, the protection of this data from the moment it is collected until it is processed and stored.
The regulation outlines the implementation of this protection through a number of principles:
Information and consent of the individuals concerned: they must be informed in advance of the collection process so that their consent can be given freely, knowingly, and explicitly. Users must therefore be reminded that their information will be stored, as well as for how long and for what purposes.
Access to data: individuals who have authorized the collection and processing of their personal information must be able to access their data at any time in order to modify or delete it.
Data management: data voluntarily shared by an individual must be protected so that only expressly authorized persons can access it (physical documents containing personal information must also be physically protected). The regulation thus aims to prevent such data from being shared or circulated without authorization.
IT data security: all possible measures must be taken to ensure the security of this data in IT systems in order to prevent hacking.
Proportionality of processing: the information requested must be proportionate to the purpose for which it is used.
Data retention period: the unlimited retention of personal data is prohibited. The retention period depends on the purpose for which the data is used, but there are cases where the legislator has specified a period, such as Article L3243-4 of the Labor Code, which sets the retention period for an employer's copy of an employee's pay slip at five years. The CNIL has published a guide to help professionals determine this period.
Are these principles respected in the context of blockchain use?
Is it possible to modify or delete personal information stored in a blockchain, as required by the regulation?
The answer is no, whether it is a public or private blockchain.
The former, as its name suggests, can be viewed by anyone and any user can join it (after completing a few formalities, such as downloading the network operating charter, for example). The network is therefore freely accessible. With this type of blockchain, it is difficult to know who has access to the data since it is encrypted but not anonymous. Compliance with the regulation therefore seems to be lacking on this point.
As for the latter, access to its network is limited by a control body (unlike the public blockchain, which is decentralized). The members of this network are selected by the network itself. The data exchanged via private blockchain is therefore only accessible to authorized participants.
This type of blockchain is therefore a little more “controlled” and can be likened to a traditional database, but this does not make it 100% compliant, since it should at least be possible to delete the data. However, one of the unique features of this technology is that its data is “unforgeable” and “indelible.” Once the information is recorded, it cannot be modified or deleted.
The right to be forgotten is therefore impossible with this technology.
What recommendations can be made to ensure compliance?
The CNIL had the opportunity to weigh in on the subject when, in September 2018, it published its initial analysis of blockchain technology and its compliance with the GDPR.
Here is a summary of its recommendations on the matter:
Prefer traditional means of storing and processing personal data that do not raise difficulties with regard to the GDPR, or use an alternative technology where possible. This follows from the principle of data protection by design (Privacy by Design) set out in Article 25 of the regulation.
If the use of this technology is necessary, record the data only as a keyed hash (“key hashing”) or in encrypted form, so that it cannot be read from the chain.
Give preference to a private blockchain in order to minimize the risks to individuals' rights and freedoms.
If a user asks for their data to be deleted, destroy the encryption key: the recorded information becomes unreadable, which amounts to a virtual deletion.
The CNIL recommends conducting a data protection impact assessment (DPIA) to analyze the need for using this technology, highlight the risks involved, and identify cases where other solutions would be more appropriate.
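As an added example, not part of the article or of the CNIL's guidance, the Python below puts the last three recommendations together: personal data reaches an append-only ledger only as an encrypted value plus a keyed hash ("key hashing"), the per-subject keys live off-chain in a vault, and an erasure request is served by destroying the key rather than touching the ledger. The ledger, vault, record layout and the HMAC-SHA256 stream cipher are constructed for the demonstration so that it runs on the standard library alone; a real deployment would use a vetted AEAD such as AES-GCM instead of the hand-rolled cipher.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not the CNIL's or the article's code. Ledger, vault and cipher are
# constructed for the demonstration; use a vetted AEAD (e.g. AES-GCM) in production.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the subject's master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; without the right key no plaintext is ever produced."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def keyed_hash(key: bytes, data: bytes) -> str:
    """'Key hashing': an HMAC commitment that reveals nothing without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Ledger:
    """Append-only store standing in for the chain: deliberately no update or delete."""

    def __init__(self):
        self._entries = []

    def append(self, entry: dict) -> int:
        self._entries.append(dict(entry))
        return len(self._entries) - 1

    def entries(self) -> list:
        return [dict(e) for e in self._entries]


def store_personal_data(ledger: Ledger, vault: dict, subject_id: str, record: dict) -> int:
    """Write only keyed-hash and encrypted material to the ledger; the key stays in the vault."""
    key = vault.setdefault(subject_id, secrets.token_bytes(32))
    plaintext = json.dumps(record, sort_keys=True).encode()
    return ledger.append({
        "pseudonym": keyed_hash(key, subject_id.encode()),  # no raw identifier on the chain
        "ciphertext": encrypt_record(key, plaintext).hex(),
        "commitment": keyed_hash(key, plaintext),           # lets the content be proven later
    })


def read_personal_data(ledger: Ledger, vault: dict, subject_id: str):
    """Return the subject's records, or None once their key has been destroyed."""
    key = vault.get(subject_id)
    if key is None:
        return None
    pseudonym = keyed_hash(key, subject_id.encode())
    records = []
    for entry in ledger.entries():
        if entry["pseudonym"] == pseudonym:
            plaintext = decrypt_record(key, bytes.fromhex(entry["ciphertext"]))
            if keyed_hash(key, plaintext) != entry["commitment"]:
                raise ValueError("ledger entry does not match its commitment")
            records.append(json.loads(plaintext))
    return records


def forget_subject(vault: dict, subject_id: str) -> bool:
    """Erasure request: destroy the key. The ledger itself is never modified."""
    return vault.pop(subject_id, None) is not None


if __name__ == "__main__":
    ledger, vault = Ledger(), {}
    store_personal_data(ledger, vault, "alice", {"name": "Alice Martin", "iban": "FR76 (constructed)"})
    print("before erasure:", read_personal_data(ledger, vault, "alice"))
    forget_subject(vault, "alice")
    print("after erasure:", read_personal_data(ledger, vault, "alice"), "| entries kept:", len(ledger.entries()))
```

After forget_subject the ledger still holds exactly the same entry, but nothing in it can be decrypted, verified or even linked back to the subject, since the pseudonym was itself a keyed hash. The practical consequences are that the vault, not the chain, is the system of record for erasure, and that key backups and key escrow must be covered by the same deletion procedure, otherwise the "deletion" is reversible.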
Conclusion
While the CNIL has taken up the issue of blockchain, this is not the case for all of its European counterparts. Indeed, the GDPR is a European issue and therefore requires the competent authorities of the Member States to express themselves jointly and officially on the subject in order to obtain a definitive and harmonized framework in this area.
Nevertheless, it should be noted that the CNIL does not consider blockchain a technology to be favored. Where personal data cannot be stored and processed in any other way, a private blockchain should be preferred, bearing in mind that in the event of a request for modification, the only option available will be to delete the encryption key.
Finally, the purpose of the European regulation is to protect personal data, not to regulate the type of technology used during the collection and processing phases. Since it concerns the responsibility of those in charge of this data, it can be considered that as long as the provisions of the regulation are respected, the technology used is irrelevant.