The CNIL – the French authority responsible for GDPR enforcement – has recently issued guidelines concerning Public Blockchains and GDPR compliance.
As many know, France is willing to take a step forward in favor of Blockchain. A law with provisions for ICOs and bank normalization has passed the first stages of its enactment.
An article of the law provides for a Visa from the AMF (Financial Markets Authority) that will make ICOs “official”, allowing them to open a bank account more easily.
In practice, there is little information concerning the actual process to obtain the Visa. It is known, for example, that the AMF would like to be able to require all or part of the funds to be secured through a secure deposit, in order to avoid fraud by project leaders. The AMF would have liked the CDC (Caisse des Dépôts et Consignations, a bank of the French state with a public-interest mission) to manage ICO accounts. But the CDC declined the invitation for undisclosed reasons: perhaps because ICOs are private rather than public or general-interest ventures, or because the CDC does not have enough resources to provide the quality of service it is known for in case of a sudden increase in accounts. The most probable explanation is that the CDC does not want to mix state interests with private ICOs, because that is contrary to its status. It is good news if this means less state interventionism, right?
At the same time, the CNIL has declared that it will try to collaborate with the AMF to make sure that the Visa is given to data-aware projects.
Such a prior intervention of the CNIL could be beneficial if it is collaborative, but detrimental if it makes the AMF Visa too heavy a process, impossible to satisfy at an early stage of a project. After all, ICOs are made to make projects happen, but if the ICO is not successful, the project is likely not to happen just yet. The natural fear of project leaders is that the process to obtain the Visa becomes such a burden that no ICO ever happens. For some, there is a confidentiality risk, and a prior control by data authorities could be a serious exception to the “responsabilisation” (accountability) philosophy of the GDPR, where companies are deemed mature enough to take data matters seriously and to comply with the law by themselves, which they are responsible for. I have addressed this issue in more detail in this article (in French).
In reply to these concerns, the CNIL has recently issued a statement – more exactly, an interview with its in-house legal team – in order to share its own approach to Blockchain technology.
GDPR and Blockchain: not incompatible
First, the CNIL says it will remain practical: it takes into account the general reliance of blockchains on cryptography, and that cryptography has to be deemed acceptable in terms of data protection.
GDPR provides a right of minimization, which is the right of an individual to have the data limited to what is necessary for a given usage.
According to the CNIL, encryption is a practical way to minimize the data: once encrypted, it is difficult to retrieve and cannot be minimized further. Encryption is part of the functionality of the blockchain, and this functionality must be accepted. For companies, it means that recording “GDPR data” on the blockchain is possible if it is sufficiently encrypted. What is certain is that data cannot remain “clear” (readable) on a public Blockchain.
Who is the controller in a public blockchain?
The CNIL reminds that it would not be looking for liability of “the creator of the blockchain”, who is merely a technical service provider, just like an internet provider or the IT consultant who puts in place a specific architecture to achieve various computing tasks. The technology provider is not the primary target here; it is the entities that use or manipulate data, on the blockchain or not. According to the CNIL, it is always possible to identify the person who initiates a data entry: for example, the university that delivers a diploma. The criterion is who can be linked to the data processing.
Of course, the CNIL reminds that it is addressing public blockchains and not private blockchains. Private blockchains are not different from what existed before in terms of data (cloud storage, computing, databases). But the public Blockchain is something specific that requires attention to make sure that operators respect the rights of individuals.
There are different situations concerning legal liability:
- one participant who is responsible for the processing;
- several actors who decide to implement a data processing together: this can be a legal entity, which will bear the responsibility for the processing, or they can appoint a participant among them who will take responsibility for the group;
- without a specific agreement between the parties, they could be jointly responsible for the processing.
The controller has its own obligations under GDPR, and the fact that it stores a copy of the data on the blockchain is almost indifferent to the obligations it has towards individuals, provided some steps are taken to protect the data recorded on the Blockchain.
How to erase Data
The corollary of the right to erasure is the retention of the data for a limited period only.
The CNIL recommends not storing data exclusively on the blockchain, but keeping a copy on the controller's own information system: if it becomes necessary to suppress the data or to cut off access to it, the controller is able to do so.
It is probably also necessary to delete all the available keys, in order to forbid access to intelligible data.
For example, if I have a controller and a subcontractor (processor), both must delete the keys and be able to prove they did so.
This is not a complete deletion of the data remaining on the Blockchain, but it has a similar effect: the data is no longer intelligible and cannot be decrypted anymore, thanks to the destruction of keys, unreferencing, and other techniques that operators can put in place to make the data unusable in the future.
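As an added illustration of the erasure mechanism described above (example code written for this page, not the CNIL's or any project's code): a toy append-only ledger holds only ciphertext, the controller keeps an off-chain plaintext copy, and the controller and its processor each hold the key. Erasure deletes the off-chain copy and destroys both keys, leaving the ledger record byte-for-byte unchanged but unintelligible, and each party keeps a deletion log it can produce as evidence. The cipher is a constructed HMAC-SHA256 keystream with an HMAC tag, used only so the example runs on the Python standard library in place of a real AEAD such as AES-GCM; the party names, record id and diploma text are invented.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: HMAC-SHA256 over (nonce || counter), stdlib-only stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag binds nonce and ciphertext under the same key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext authentication failed")  # wrong key or tampered record
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Ledger:
    """Append-only stand-in for a public chain: anyone can read a record, nobody can remove one."""
    blocks: list = field(default_factory=list)

    def append(self, payload: bytes) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else b"\x00" * 32
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": hashlib.sha256(prev + payload).digest()})
        return len(self.blocks) - 1

    def read(self, index: int) -> bytes:
        return self.blocks[index]["payload"]


@dataclass
class Party:
    """Controller or processor: keeps keys (and, for the controller, plaintext copies) off-chain."""
    name: str
    keys: dict = field(default_factory=dict)
    offchain_copies: dict = field(default_factory=dict)
    deletion_log: list = field(default_factory=list)

    def destroy_key(self, record_id: str) -> dict:
        key = self.keys.pop(record_id)  # KeyError if already destroyed: erasure is not silently repeated
        entry = {"party": self.name, "record": record_id,
                 "key_fingerprint": hashlib.sha256(key).hexdigest()}
        self.deletion_log.append(entry)  # the evidence the party can produce on request
        return entry


def record_personal_data(ledger, controller, processor, record_id: str, plaintext: bytes) -> int:
    """One key per record, shared with the processor; only ciphertext ever reaches the ledger."""
    key = secrets.token_bytes(32)
    controller.keys[record_id] = key
    processor.keys[record_id] = key
    controller.offchain_copies[record_id] = plaintext  # the off-chain copy the CNIL recommends
    return ledger.append(encrypt(key, plaintext))


def read_record(ledger, party, record_id: str, index: int) -> bytes:
    return decrypt(party.keys[record_id], ledger.read(index))


def erase_record(ledger, controller, processor, record_id: str) -> list:
    """Erasure: drop the off-chain copy and have every key holder destroy its key."""
    controller.offchain_copies.pop(record_id)
    return [controller.destroy_key(record_id), processor.destroy_key(record_id)]


def is_intelligible(ledger, index: int, record_id: str, parties) -> bool:
    """True if any of the parties can still turn the ledger record back into plaintext."""
    for party in parties:
        if record_id in party.keys:
            try:
                decrypt(party.keys[record_id], ledger.read(index))
                return True
            except ValueError:
                pass
    return False
```

The ledger record survives erasure unchanged, which is exactly the point: what the data subject is entitled to is that nobody can make it intelligible again, so the controls worth auditing are the key stores and their deletion logs, not the chain.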
Automated decision making based on user data, including profiling
According to the CNIL, “In the case of smart contracts more specifically, this right must be implemented in the drafting of the code so that the person can challenge the decision”.
It means that, if a smart contract is triggered by a decision made upon data, then the smart contract must give the user the possibility to challenge the decision. In practice, it means that the user could become the final authority over the execution of the smart contract: the execution is suspended until he consents, or cancelled if he refuses. This is only a first approach and does not have the force of law. It shows, however, that the authorities are willing to let the sector develop, provided some criteria are met once projects are operational.
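The suspend-until-the-person-answers pattern described above, as an added example (written for this page, not the CNIL's text or any real contract): an automated decision over the person's data is recorded but not applied, only the data subject's own account can release or refuse it, and anyone else attempting to execute it is rejected. The account identifiers, the scoring rule and the "loan" scenario are invented placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

SUSPENDED, EXECUTED, CANCELLED = "suspended", "executed", "cancelled"


class NotAuthorised(Exception):
    """Raised when anyone other than the data subject tries to release or refuse the decision."""


class WrongState(Exception):
    """Raised when a transition is attempted from a state that does not allow it."""


@dataclass
class ChallengeableContract:
    """One contract step whose automated decision cannot take effect until the person answers.

    data_subject: hypothetical account identifier of the person concerned.
    action: whatever effect the decision would trigger (a payment, a revocation, ...).
    """
    data_subject: str
    action: Callable[[dict], str]
    state: Optional[str] = None
    decision: Optional[dict] = None
    events: list = field(default_factory=list)

    def automated_decision(self, features: dict) -> dict:
        """Toy scoring rule standing in for any automated evaluation of the subject's data."""
        score = features["income"] - 2 * features["debt"]
        self.decision = {
            "score": score,
            "outcome": "approve" if score >= 0 else "deny",
            "explanation": "score = income - 2 * debt; deny when negative",  # shown to the person
        }
        self.state = SUSPENDED  # the decision is recorded but never applied from here
        self.events.append(("suspended", self.decision["outcome"]))
        return self.decision

    def _check(self, caller: str) -> None:
        if self.state != SUSPENDED:
            raise WrongState(f"no suspended decision (state={self.state})")
        if caller != self.data_subject:
            raise NotAuthorised("only the data subject may consent to or refuse the decision")

    def consent(self, caller: str) -> str:
        """The person accepts the decision: only now does the action run."""
        self._check(caller)
        self.state = EXECUTED
        result = self.action(self.decision)
        self.events.append(("executed", result))
        return result

    def refuse(self, caller: str, reason: str) -> None:
        """The person challenges the decision: the step is cancelled and the action never runs."""
        self._check(caller)
        self.state = CANCELLED
        self.events.append(("cancelled", reason))


def try_consent(contract: ChallengeableContract, caller: str) -> str:
    """Return the action's result, or the name of the rejection when the release is refused."""
    try:
        return contract.consent(caller)
    except (NotAuthorised, WrongState) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    applied = []
    loan = ChallengeableContract("alice", lambda d: applied.append(d["outcome"]) or f"applied {d['outcome']}")
    print(loan.automated_decision({"income": 3000, "debt": 2000}))  # outcome "deny", state suspended
    print(try_consent(loan, "bank-operator"))                        # NotAuthorised: operator cannot release it
    loan.refuse("alice", "debt figure is outdated")
    print(loan.state, loan.events, applied)                          # cancelled, action never ran
```

The authorization check is the part that matters: if the operator of the contract could call `consent` itself, the suspension would be decorative. Keeping the decision's explanation alongside the outcome is what lets the person challenge it on an informed basis.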
MDTI-LEGAL believes this idea could probably be implemented more efficiently through Proof of Authority protocols at higher levels, or “more simply” through calls to non-fungible tokens, or any kind of trigger from the concerned individual, which is probably better left out of the smart contracts in action in such a situation.