On October 16, 2018, the European Union Blockchain Observatory and Forum published a thematic report on the Blockchain and the GDPR (“Report”).
The report includes the input of a number of different stakeholders and sources.
The report aims at answering the question of whether GDPR compliant blockchain is possible. The paper highlights a fundamental point: there isn’t per se a GDPR compliant technology; it is the way the technology is used that must be compliant with the GDPR’s requirements.
Here are some of the most interesting questions and answers included in the Report. Many of the questions don’t have set answers and each case has to be evaluate.
Identifcation and obligations of data controllers and processors. Who is the controller in a transaction that uses blockchain technology? It is not always easy to identify the controller when a blockchain technology is being used.
The Report clarifies that the following people should not be considered data controllers: protocol developers who create and maintain open-source blockchain technology (like bitcoin), miners who act as validating nodes or participating nodes in public, permissionless networks.
Network users who sign and submit transactions to the blockchain network via a node for personal use (for example to buy crypto-assets) should not be considered data controllers. However, they should be considered data controllers if they submit those data to the blockchain ledger as part of their business activity (like entities that operate software).
The Report doesn’t classify the publishers of smart contracts as data controllers due to a debate as to “whether this software should be seen as being operated by its publisher, by the network user calling it or by both.”
GDPR principles and blockchain. How does the blockchain relate to the GDRP’s data protection principles?
As for the lawfulness of processing, the Report highlights how it is not always possible to determine on what legal basis data is being processed. When the users initiate a transaction, it enters into a contractual obligation with the platform. In this case, consensus could constitute the basis for processing, even though it may be difficult to define the roles of controller and processor. The lawfulness of processing may be easier to sort out in the context of a private, permissioned network, where each participant may agree to certain terms and conditions before being granted access to the network.
Data minimization may be hard to achieve considering the way blockchain is designed. To this end, the report refers to the solution proposed by the CNIL (see here) according to which encryption, coupled with key destruction, could potentially grant erase data abiding to the principle of minimization.
As for the right to access information contained in the GDPR, the report highlights the difficulties that the subjects may have in addressing the controller to obtain their data since it might be difficult to even identify the controller.
Automated profiling. This might specifically be an issue when this technology is used in smart contracts that do not provide for the right to inform the parties about their data being automatically profiled.
Also the transfer of personal data may constitute an issue for permissionless blockchain with a global scope.
Overall the report proposes the following four principles to be considered when designing blockchain-based applications.
- Evaluate how is data used and only after designing a solution that uses blochchain technology in a GDPR compliant way.
- Avoid storing personal data on a blockchain. Use data obfuscation, encryption and aggregation techniques.
- Collect personal data off-chain or, if the blockchain can’t be avoided, on private, permissioned blockchain networks.
- Continue to innovate, and be as clear and transparent as possible with users.
The thematic report on the Blockchain and the GDPR published by the European Union Blockchain Observatory and Forum is available at https://www.eublockchainforum.eu…
More on Blockchain is available at http://www.technethics.com…
For more information on blockchain and on how privacy may affect your global business, contact Francesca Giannoni-Crystal & Federica Romanelli.