From the very beginning of the GDPR enforceability, economic operators and commentators have wondered whether blockchain technology is GDPR compliant or not. Some commentators stated that when the GDPR entered into force, it was already too old because technology is faster than legislation, so any attempt to develop technologically neutral data protection legislation is bound to fail. Others stressed the importance of the principles of data processing, and how the general structure of the GDPR can be harmonised with the blockchain.
Some authorities and the European Union Blockchain Observatory & Forum (EUBOF) published some guidelines in order to harmonise the blockchain with the GDPR. In this article, you will learn more about what GDPR authorities say about blockchain.
The European Authorities Framework
A reader may find it hard to navigate among the different European authorities dealing with data protection regulation, because of their enforcement powers or the authoritativeness of their interpretation. In order to provide a simple frame, here is a short list of European authorities:
European Data Protection Supervisor (EDPS). This is the independent supervisory authority over data processing by European institutions, and it has the power to develop new policies on data processing.
European Data Protection Board (EDPB). This is a board made from Member States’ Data Protection Authorities and the European Data Protection Supervisor. Also, the supervisory authorities of States in the European Free Trade Association (EFTA) and the European Economic Area (EEA) participate in EDPB.
Data Protection Authorities (DPA). DPAs are the supervisory authorities that are in charge of enforcing the GDPR in each Member State. On this page containing useful resources for complying with the EU GDPR, you can find a list of all the DPAs.
These authorities can participate in associations, forums and observatories established by the European Commission. The aim of participating in the works of other entities is to harmonise interpretation of the GDPR and to spread the principles of the GDPR in other connected fields, like the blockchain.
The first authority dealing with blockchain and the GDPR was the French Data Protection Authority in September 2018.
The French approach
The French Authority on Data Protection (CNIL) published a document named “Blockchain and GDPR: Which solution for a responsible use in case of personal data?”.
Because they were the first Data Protection Authority to publish a document on the blockchain, it will likely become the primary reference among the Data Protection Authorities across Europe. The French CNIL requires, according to the privacy by design principle, that blockchain, before it starts processing personal data, defines roles, means and purpose of data processing in the blockchain. It is also required by the previous Data Protection Impact Assessment under Article 35 of the GDPR, in order to verify the compliance of the blockchain (as built) with the GDPR requirements.
Since the blockchain is structured through distributed ledgers that can be located anywhere, the French Authority reminds us to pay attention to the transfer of data outside the European Union, because the GDPR limits the transfer of personal data to countries where there is similar protection provided as in the European Union.
The entire structure of the blockchain – especially for permissioned blockchain, according to the “Privacy by Design” principle – should consider all those elements while designing the blockchain infrastructure. Then, those elements must be evaluated and considered in the Data Protection Impact Assessment, for the accountability of the data processor to the GDPR requirements. In the relationship with the data subjects, it is required to notify users about the blockchain structure, informing that the duration of data processing cannot be longer than the life of the blockchain.
EUBOF – An initiative of the European Commission
The document on the GDPR and blockchain published by the French DPA (CNIL) spread across Europe and gave the start to a new study of the European Union Blockchain Observatory & Forum. This entity is an initiative of the European Commission in order to accelerate blockchain innovation and the development of the blockchain ecosystem within the EU. It is composed of universities and companies operating in the blockchain fields. Because of its composition of experts in the blockchain field, studies and documents published by the Blockchain Observatory Forum will be taken into account by the European Data Protection Authorities and the Commission while interpreting the GDPR rules and its compatibility with the blockchain.
To learn more about how the GDPR impacts the blockchain, read the article The GDPR impact on blockchain development.
What EU authorities suggest
From the national authorities, and from the economic operators, there is demand for a harmonised legal framework on blockchain. From the technical point of view, solutions are works in progress while commentators suggest a path in order to maintain blockchain compliance with the GDPR.
In October 2018, the European Union Blockchain Observatory & Forum published a report on Blockchain and GDPR, trying to explain that “there is no such thing as a GDPR-compliant blockchain technology. There are only GDPR-compliant use cases and applications.” In fact, public blockchain systems, such as Bitcoin, have a huge impact on Data Protection rules as compared to a private or permissioned blockchain. Technology is neutral; it is its use that can be GDPR compliant or not.
The suggestions of the EUBOF are:
- Start with the big picture – how is user value created, how is data used, and do you really need blockchain?
- Avoid storing personal data on a blockchain. Make full use of data obfuscation, encryption and aggregation techniques in order to anonymise data.
- Collect personal data off-chain or, if the blockchain can’t be avoided, on private, permissioned blockchain networks. Consider personal data carefully when connecting private blockchains with public ones.
- Continue to innovate, and be as clear and transparent as possible with users.
The next steps
Time will tell if the approach of the European Union Blockchain Observatory & Forum will be implemented by the European Commission in its Data Protection regulation. Of course, that document, along with the recommendation from the French Data Protection Authority, can be considered as a good starting point in order to build a GDPR-compliant blockchain. The core of the GDPR – which is applicable also to the blockchain – is to leave data processors free to choose the right means to process personal data, by following the principles set in the GDPR. There is no intention to stop technology and business development, provided that personal data is processed according to GDPR principles.
To learn more about how to help any business comply with the GDPR (including blockchain) enrol in this free online training: EU GDPR Foundations Course.