CNIL publishes analysis of blockchain in light of the GDPR

In September 2018, the French Data Protection Agency, the Commission Nationale de l’informatique et des Libertés (CNIL) published a report explaining how Blockchain relates to the GDPR (“Report”).

In particular the Report highlights the following.

  • WHO IS THE CONTROLLER IN A BLOCKCHAIN TRANSACTION. Users of the web who decide to submit a transaction to the validation of miners are data controllers as defined under Article 4, GDPR, since they determine the purposes (such as the objectives sought with the use of the blockchain) and the means of the processing of personal data (such as for example data format, use of Blockchain technology).

According to the CNIL, this is particularly true when the processing is related to a professional or commercial activity (i.e. the activity is not exclusively personal); or when it is a legal entity that submits the transaction to the ledgers.

The CNIL provides an useful example: when a notary public records the ownership title of his client in a Blockchain, the notary is the controller. Similarly, a bank that enters customers’ data into a Blockchain to manage its client portofolio is a controller.

However, the CNIL highlights how not all subjects interacting on a blockchain can be considered controllers. For example, a natural person who sells or purchases Bitcoin for her own account is not a controller under the GDPR. On the other hand, it may be a controller if he/she conducts these transactions as part of a professional or commercial activity, on behalf of other natural persons.

  • “GDPR ROLE” OF CREATORS OF ALGORITHMS IN A SMART CONTRACT: The programmers creating the smart contracts’ algorithms may be a simple service provider (with no “GDPR role”) or, when participating in the processing, may be qualified as controllers or processors, depending on their role in the determination of the purposes.
  • “GDPR ROLE” OF MINERS:While encouraging the various stakeholders to agree in writing their respective responsibilities and roles, the report leaves space for further reflections on the role of miners, since it is not always clear.
  • CAN BLOCKCHAIN BE FULLY COMPLIANT WITH DATA SUBJECTS’ RIGHTS? According to the CNIL, the Blockchain technology can be fully compliant with the right to information, the right to access information and the right to data portability contained in the GDPR.

However, the fact that the hash contained in a block may not be altered may be in contrast with the duty – established by GDPR – to minimize the data collected and to retain them only for as long as necessary.

CNIL recommends to use the Blockchain only when this technology is really necessary to active the parties’ objectives because blockchain’s complete compliance with the GDPR is not possible. While the use of Blockchain can raise some problems vis-a-vis the GDPR, the CNIL provides the following recommendations in order to keep the processing of personal data as safe as possible while using the Blockchain technology:

i) Privilege a permissioned Blockchain, which would allow to have a better control over the processing of personal data, particularly with regard to transfers outside the EU. Binding corporate rules are fully applicable in a permissioned Blockchain.

ii) Choose the format in which the data will be written.

iii) Use cryptographic techniques to give participants selective visibility into the ledger.

iv)  Set up policies to limit risks for the security of transactions, including a contingency plan to remedy faults when a vulnerability is identified.

The CNIL report, Premiers éléments d’analyse de la CNIL, Blockchain, is available (in French) at…

More on Blockchain is available at…

For more information on blockchain and the GDPR: Francesca Giannoni-Crystal and Federica Romanelli.


Follow us on& Like us on