GDPR & Blockchain: Is this technology compliant with the regulation?

Author: Sonia Allik - Published: June 29, 2021

The General Data Protection Regulation, or GDPR, is a European Union regulation that came into force and has applied in all member states since May 25, 2018. It was designed to give individuals back control over their personal information and places responsibility on the parties in charge of processing that data.

The entry into force of this regulation has given rise to new professions and new responsibilities. Meanwhile, the blockchain technology revolution is underway: it is a technology with strong development potential that raises many questions, among them its compatibility with the GDPR. Is the blockchain compatible with the GDPR? Is this technology compliant with the regulation? Read on for more information.

Quick reminder

The EU Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals concerning the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation or GDPR, is a European Union regulation that has come into force and is applicable in all member states since 25 May 2018.

It was designed to allow individuals to regain control over their personal information and to place responsibility on the parties in charge of processing this data. It establishes a legal framework for the protection of personal data and applies to any type of organization located in the European territory or whose activity concerns its citizens.

Until then, the law governing this data in France was the well-known “Loi Informatique et Libertés” (Data Protection Act) of 6 January 1978. The choice was made to retain the latter and amend it by ordinance so as to bring it into line with the European Parliament’s regulation. This gave rise to the new Data Protection Act of June 20, 2018, which does not reproduce the entire regulation but a large part of its provisions, thereby bringing national law into compliance with EU law.

As soon as the regulation came into force, organizations had to comply with it or they could risk being fined up to 4% of their annual worldwide turnover. This is why organizations must be able to prove their compliance with data protection at any time.

Among the steps recommended by the French data protection authority (Commission Nationale de l’Informatique et des Libertés – CNIL) for successful compliance are the appointment of a data protection officer or DPO (not always mandatory in the private sector), the mapping of personal data processing, and the keeping of a register of processing activities.

The implementation of this regulation has created new jobs and responsibilities and while some organizations have increased their efforts to get up to speed, some have fallen behind while others have seen their attempts at compliance disrupted by the advent of the COVID-19 pandemic.

While this has not escaped the attention of the CNIL, which publishes on its website the best practices to be followed by employees and their employers, there is another subject on which it has given its opinion and which remains uncertain: the blockchain.

This storage and transmission technology has been a hot topic since 2009 and now seems to have become mainstream, having transformed many sectors. But can it be used freely, or are there measures to be respected when personal data is involved?

In other words, is the blockchain compatible with the GDPR? Is the technology compliant with the regulation?

To answer this question, we first need to define this technology.

What is blockchain?

The joint information mission on the blockchain of the French National Assembly defines in its information report of December 12, 2018, the concept of blockchain as “a registry, a large database that has the particularity of being shared simultaneously with all its users, all of whom are also holders of this registry, and all of whom also have the ability to enter data into it, according to very specific rules set by a very well secured computer protocol thanks to cryptography”.

Blockchain is best known for its use in the financial sector. It has indeed developed in cryptocurrency transactions (including the famous bitcoin) and its main characteristic is that it does not depend on a centralizing body, such as a central bank for example. It can be found in many other sectors such as health or insurance for example, where the blockchain allows the automation of refund procedures and thus reduces formalities.

In short, how does it work?

● Transactions are sent to a set of computers called a “node”. All participants, anywhere in the world, can access them simultaneously. These transactions are encrypted, which prevents them from being intercepted.

● They are stored in a blockchain, i.e. blocks chained to each other, so that modifying one block changes the whole chain. Each block contains the history of the previous one.

● Transactions are decrypted and authenticated by “miners”, individuals or companies that perform “mining”, an activity that consists of solving a cryptographic problem by computer calculation.

In short, blockchain is a technology that allows keeping track of a set of transactions in a fast, secure, decentralized, transparent, and irreversible way.

What risks does this technology represent concerning personal data?

Today, a large part of the data exchanged around the world contains personal information such as identity or bank account numbers. Thus, more and more cases involve the application of the GDPR and consequently the protection of this data from the moment of its collection to the moment of its processing and storage.

The regulation refers to the implementation of this protection through some principles:

● Information and consent of the persons concerned: they must be informed before the collection process so that their consent can be given in a free, informed, and explicit manner. The user must therefore be told that his information will be stored, for how long, and for what purposes.

● Data access: the individual who has authorized the collection and processing of his or her personal information must be able to access his or her data at any time in order to modify or delete it.

● Data protection: data voluntarily shared by an individual must be protected so that only expressly authorized persons can access it; physical documents containing personal information must also be physically protected. The regulation thus aims to prevent the uncontrolled sharing and circulation of such data.

● Data security: all possible means must be implemented to secure this data at the technical level and prevent it from being compromised.

● Proportionality of the processing: the information requested must be in line with the purpose for which it is used.

● Duration of data retention: unlimited retention of personal data is prohibited. The retention period depends on the purpose of the data, but in some cases the legislator has fixed it directly, for example in article L3243-4 of the French Labor Code, which sets the retention of a copy of an employee’s payslip by his employer at 5 years. To help professionals determine this duration, the CNIL has published a guide.

Are these principles respected when using the Blockchain?

Is it possible to modify or delete one’s personal information stored in a blockchain, as required by the regulation?

The answer is no, whether it is a public or a private blockchain.

The first one is, as its name indicates, accessible to everyone and any user can join it after some formalities such as downloading the network’s operating charter for example. The network is therefore free to access. With this type of blockchain, it is difficult to know who has access to the data since it is encrypted but not anonymous. Compliance with the regulation seems to be lacking on this point.

As for the second, access to its network is limited by a control body, unlike the public blockchain, which is decentralized. The members of this network are selected by it. The data exchanged by private blockchains are therefore only accessible to authorized participants.

This type of blockchain is therefore a little more “controlled” and can be similar to a classic database, but this does not make it 100% compliant, since it would be necessary to be at least able to erase the data. However, one of the particularities of this technology is that its data is “unforgeable” and “non-deletable”. It is therefore impossible to modify or delete them once the information has been recorded.

The right to be forgotten is therefore impossible with this technology.

What recommendations to ensure compliance?

The CNIL has had the opportunity to express its opinion on the subject since it published its first elements of analysis on blockchain and its compatibility with the GDPR in September 2018.

Here is a summary of its recommendations on the subject:

● Prefer traditional means of storing and processing personal data that do not raise difficulties concerning the GDPR, or use an alternative technology if possible. This is a reminder of the Privacy by Design principle in Article 25 of the Regulation.

● If the use of such technology is necessary, store the data with “keyed hash functions” or encryption to make it unreadable.

● Prioritize the use of a private blockchain to minimize the risks to the rights and freedoms of individuals.

● If a user wishes to delete his data, destroy the encryption key: the information becomes unreadable, which amounts to virtual deletion.

● The CNIL advises carrying out a data protection impact assessment (DPIA) to analyze the need for this technology, show the risks involved, and identify cases for which other solutions would seem more appropriate.
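One way to implement the two CNIL suggestions above (keyed hashes on-chain, key destruction for erasure) together with the chaining property described in the “how does it work” section. This is an added example, not code from the article or from the CNIL; the `Ledger` class, its payload layout and the sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


def block_hash(prev_hash: str, payload: dict) -> str:
    """A block's hash covers its predecessor's hash and its canonical payload."""
    body = prev_hash + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    """Append-only chain of keyed hashes; the personal data itself never goes on-chain."""

    def __init__(self) -> None:
        self.blocks: List[dict] = []        # shared, immutable record (constructed, in-memory)
        self.keys: Dict[str, bytes] = {}    # per-subject keys, held off-chain by the controller

    def commit(self, subject_id: str, personal_data: str) -> str:
        """Record an HMAC of the data: the secret key keeps the tag from being brute-forced."""
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        tag = hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        payload = {"subject": subject_id, "tag": tag}
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": block_hash(prev, payload)})
        return tag

    def verify(self, subject_id: str, claimed_data: str) -> Optional[bool]:
        """True/False while the key exists; None once it is destroyed (the tag is then opaque)."""
        key = self.keys.get(subject_id)
        if key is None:
            return None
        tag = hmac.new(key, claimed_data.encode(), hashlib.sha256).hexdigest()
        return any(hmac.compare_digest(b["payload"]["tag"], tag)
                   for b in self.blocks if b["payload"]["subject"] == subject_id)

    def erase(self, subject_id: str) -> None:
        """Honour an erasure request by key destruction; the chain itself is left untouched."""
        self.keys.pop(subject_id, None)

    def chain_valid(self) -> bool:
        """Every block must hash correctly and link to its predecessor."""
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or block_hash(b["prev"], b["payload"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True
```

The erasure only holds if the destroyed key cannot be recovered from backups or logs, so key management, not the chain, is the part to audit.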

Conclusion

Although the CNIL has taken up the issue of blockchain, this is not the case for all its European counterparts. The GDPR is a European issue and therefore requires the competent authorities of the Member States to express themselves officially on the subject to obtain a definitive and harmonized framework in this area.

Nevertheless, we note that the CNIL considers that blockchain is not a technology to be favored; if it is not possible to store and process personal data otherwise, then a private blockchain should be preferred, keeping in mind that in the event of a modification request, only the removal of the encryption key will be possible.

Finally, the purpose of the European regulation is to protect personal data and not to determine the type of technology used during the collection and processing phase. Since it is about the responsibility of the people in charge of this data, it can be considered that as long as the provisions of the regulation are respected, the technology used does not matter.