CNIL first element analysis of the GDPR Blockchain
The Blockchain: what are the solutions for responsible use in the presence of personal data?
Blockchain is a technology with strong development potential that is generating many questions, including sometimes its compatibility with the GDPR. That is why the CNIL has taken the subject and proposes concrete solutions to the actors who wish to use it in the context of processing of personal data. The Blockchain is a technology that can be supported by processing of personal data, and not treated with a purpose other than whole.
- Who is responsible for treatment in the GDPR Blockchain?
The GDPR, and more generally the classical principles of data protection, have been designed in a world where data management is centralized within specific entities. In this regard, the decentralized data governance model of Blockchain technology and the multiplicity of actors involved in the processing of the data complicates the defining the roles of each.
The CNIL notes however that participants, who have a right to write on the channel and who decide to submit data to the validation of minors can be considered as treatment managers.
In fact, the participants in a GDPR Blockchain determine the ends (the objectives pursued by the treatment) and the means implemented (data format, use of technology Blockchain, etc.).
More specifically, the CNIL is of the opinion that the participant is responsible for treatment:
- When a natural person and the processing of personal data is related to a professional or commercial activity (ie when the activity is not exclusively personal);
- When he is a legal person and that he enters a personal data on the Blockchain.
For example, if a notary records the title of his client in a Blockchain, he is responsible for treatment. In addition, if a bank enters the data of its customers into Blockchain as part of its client management treatments, it is responsible for treatment.
- Are all actors who interact on a GDPR Blockchain responsible for processing?
No. The minors are limited to the validation of the transactions which the participants submit to him and do not intervene on the subject of these transactions: they therefore do not determine the purposes and the means to be implemented.
Furthermore, natural persons who register personal data in the Blockchain, outside of a professional or commercial activity, are not responsible for treatment (in accordance with the principle of domestic exception provided for in Article 2 of the GDPR).
For example, a natural person who sells or purchases Bitcoin for his or her own account is not responsible for processing. It may, on the other hand, be considered to be responsible for processing if it carries out such transactions in the course of a professional or commercial activity on behalf of other natural persons.
- What happens if several participants jointly decide to implement a treatment on a GDPR Blockchain?
When a group of participants decides to implement a commonpurpose treatment, the CNIL recommends that the controllerbe identified upstream. For example, participants can create alegal entity in the form of an association or a GIE. They may also choose to identify a participant who makes the decisions for the group and designate it as the controller.
Otherwise, all participants could be considered to have joint responsibility in accordance with article 26 of the GDPR and will therefore have to define, in a transparent manner, the obligations of each person for the purpose of ensuring compliance with the Regulation.
It is necessary that the persons concerned (i.e. those whose personal data are recorded on the Blockchain) know which entity to turn to for an effective exercise of their rights and that the protection authorities have a Point of contact that can account for the treatment being implemented.
In the case of smart contracts, as with any software, the designer of the algorithm may be a simple solution provider or, when participating in the treatment, be called a subcontractor or processing manager according to his role in the determination of the purposes.
To remember
The CNIL considers that the participant may in a number ofcases be qualified as a treatment manager:
- when it is a natural person and the treatment is related to a professional or commercial activity;
- when it is a legal entity that records personal data;
When a group of organizations decides to implement a treatment on a Blockchain for a common purpose:
o The CNIL recommends that participants take a joint decision on the responsibility for treatment:
- By creating a legal entity and designating it as data controller;
- By designating the participant who makes the decisions for the group as the controller.
o otherwise, all participants are likely to be viewed as having ajoint responsibility
- Are there any GDPR subcontractors in a Blockchain?
Yes, such as “Smart contract” developers, who deal with personal data on on behalf of the controller.
As an illustration, a software developer proposes to an insurance company a solution in the form of a “smart contract”, which allows to automate the compensation of passengers when their flight has fallen behind in the framework of insurance contracts Travel. This developer will be qualified as a subcontractor on behalf of the insurance company, responsible for processing.
It is also possible to consider in some cases minors as subcontractors within the meaning of the GDPR. Indeed, they execute the instructions of the processing manager when they verify that the transaction meets technical criteria (for example, a format and a certain maximum size, and that the participant is in capacity, vis-a-vis the string, to make its transaction).
They should therefore establish with the participant, the controller , a contract specifying the obligations of each party and incorporating the provisions of article 28 of the GDPR (to learn more about the obligations of the subcontractor, click here ).
For example, if several insurance companies decide to create a Blockchain for their treatment for the purpose of complying with their legal obligations of client knowledge, they may decide that one of them is responsible of treatment. In this case, the other insurance companies, which validate the transactions, will be liable to be considered as minors and therefore subcontractors.
Aware of some practical difficulties that may result from the qualification of minors as a subcontractor in the public Blockchain (particularly as regards the obligation to contract the relationship with the controller), the CNIL is currently conducting an in-depth reflection on this issue. It encourages actors to use innovative solutions that enable them to ensure compliance with the obligations that the GDPR places on the subcontractor.
To remember
In a GDPR Blockchain, the subcontractor can be:
- The smart contract developer who processes personal data on behalf of the participant controller;
- Minors who validate the recording of personal data in a Blockchain.
In the case of public Blockchain, the CNIL is currently conducting a reflection and encouraging the development of solutions allowing a framework of contractual agreements between participants/controllers and minors.
How do you minimize the risk to people when the treatment is based on a GDPR Blockchain?
- Make a preliminary reflection on the need for recourse to Blockchain, especially publicly
The characteristics of the Blockchain are not without implications for the fulfilment of the obligations arising from the GDPR. Within the framework of its obligations of Privacy by Design (Article 25), the controller must consider, upstream, the suitability of the choice of this technology for the implementation of its treatment.
In fact, Blockchain is not necessarily the most suitable technology for any data processing; it may cause difficulties for the controller in compliance with the obligations imposed by the GDPR.
For example, the issue of transfers outside the European Union (EU) may be particularly problematic, particularly in the context of a public Blockchain.
As a reminder, any transaction on the blockchain implies:
- sending to all minors of the Blockchain a request for validation of a transaction (and therefore potentially personal data);
- an update of the Blockchain by adding the new block in the blockchain to all participants.
However, participants, whether minor or not, may be located incountries outside the EU. This raises the question ofcompliance with non-EU transfer obligations (for more information see the page « Transfer data outside the EU “).
If it appears that there are solutions to frame transfers in a Blockchain, such as standard contractual clauses, binding business rules, codes of conduct, or certification mechanisms, CNIL finds that they are more difficult to implement in the context of a public Blockchain, insofar as the controller can hardly exercise control over the whereabouts of minors.
To remember
- If the properties of a Blockchain are not necessary to achieve the objective, the CNIL recommends that other solutions be used to ensure full compliance with the GDPR.
- It is advisable to give preference to a Blockchain which allows abetter control over the governance of personal data, particularly in the case of non-EU transfers.
- Existing solutions for the framework of non-EU transfers, such as binding business rules or standard contractual clauses, are fully applicable in the Blockchain.
- Choose well the format under which the data will be entered
The principle of data minimization requires that the data collected be relevant and be limited to what is necessary inrelation to the purposes for which they are processed. In addition, personal data cannot be kept indefinitely: a shelf life must therefore be determined according to the objective pursued by data processing.
However, one of the characteristics of the Blockchain is that the data listed therein cannot be technically modified or deleted: once the block to which a transaction is integrated has been accepted by the majority of the participants, a transaction can no longer be changed in practice.
Some technical solutions, presented below, deserve to be evaluated by the actors in order to remedy this difficulty.
The CNIL measures the value of these solutions but at this stage questions their ability to ensure full compliance with the GDPR. This topic is one of the issues on which European reflection is essential.
As a reminder, the Blockchain can contain two main categories of personal data:
The identifiers of participants and minors:
Each participant has an identifier consisting of a sequence ofalphanumeric characters that appear to be random and thatconstitute the public key of the participant’s account. Thispublic key refers to a private key that it is the only one to know (for more information about cryptology and encryption, click here).
The very architecture of the Blockchain means that the identifiers will always be visible because they are essential to its proper functioning.
The CNIL, therefore, considers that it is not possible to minimize them further and that their shelf life is, in essence, aligned with those of the lifespan of the Blockchain.
Additional data (or “payload”):
In addition to the participant ID, the additional data stored on the Blockchain may contain personal data, which may also relate to persons other than participants and minors.
As a reminder, the principle of data protection from conception (article 25 of the GDPR) requires that the format chosen be the one with the least impact on the rights and freedoms of people.
The CNIL considers that personal data should be recorded in the Blockchain, preferably in the form of a cryptographic commitment. If it is not possible, a recording in the form of a fingerprint obtained with a function of hashing is possible, or at least a cipher, to ensure a high level of confidentiality.
The common principle of some of these solutions is that the data is clearly stored elsewhere than on the Blockchain (for example on the information system of the controller) and that only information proving the existence of the data is stored (cryptographic commitment, fingerprint from a key hash function, etc.).
If the purpose of the treatment justifies it and an impact assessment has shown that residual risks are acceptable, data may exceptionally be stored on the Blockchain in the form of a traditional fingerprint (without key) or even clear. Some data controllers may have a legal obligation to make public and accessible, without limitation of duration, certain information: in this particular case, a storage of personal data on a Blockchain may be considered, provided that an impact assessment can conclude that the risks are minimal for individuals.
To remember
To the extent that the identifiers of the participants, i.e. their public keys, are essential to the proper functioning of the Blockchain, the CNIL finds that it is not possible to minimise them further; their shelf life is aligned with that of theBlockchain;
With regard to the additional data, in order to ensure compliance with data protection requirements from conception and by default, and data minimisation, the CNIL recommends that the solutions in which the information is treated outside the Blockchain or, in order of preference, stored on the Blockchain:
- a cryptographic commitment;
- an imprint of the data obtained by a key hash function;
- an encrypted data.
If none of these solutions can be implemented, and where thisis justified by the purpose of the treatment and an impactstudy has shown that the residual risks are acceptable, thedata can be stored either with a key-free hash function Either,in the absence of other possibilities, in clear.
How to ensure an effective exercise of rights?
The GDPR was designed to give individuals control over their personal information. It thus considerably strengthens the rights of individuals in relation to those who exploit their data and create, moreover, new rights (for an explanation on the rights of the people in the era of the GDPR, click here)
In addition to minimising the risk to the person, previously seen, the format chosen to record the data on a Blockchain can facilitate the exercise of the rights of persons.
If the effective exercise of certain rights does not seem to be a problem, the application of the law erasure, the right of rectification and the right of opposition to the Blockchain deserve a more detailed analysis.
- Rights fully compatible with the Blockchain
The right to information of persons does not pose any particular difficulties: the participant in charge of the processing will thus have to provide concise information, easily accessible and formulated in clear terms to the person concerned before submitting to the validation of minors a personal data.
The same applies to the right of access and the right to portability: the CNIL considers that the exercise of these rights is compatible with the technical properties of the Blockchain.
- Technical solutions for the exercise of rights to approximate compliance with the GDPR
The CNIL notes that it is technically impossible to comply with the cancellation request of the data subject when data are entered in the Blockchain. However, when the data entered on the Blockchain is a commitment, a fingerprint from a key hash function or an encrypted algorithm and keys that conform to the state of the art, the controller can make the data almost inaccessible, and thus approximate the effects of a deletion of the data.
For example, the mathematical properties of certain cryptographic commitments can ensure that, upon deletion of the elements allowing its verification, it will no longer be possible to prove or verify what information was engaged. The commitment itself no longer presents any risk interms of confidentiality. The information should also be removed from other systems where it has been stored for processing;
Another example is the removal of the secret key from the hash function that will have a similar effect. It will no longer be possible to prove or verify which information was hashed. In practice, the imprint will no longer pose a risk to confidentiality. The information should also be removed from other systems where it has been stored for processing.
Apart from the specific case of certain cryptographic commitments, these solutions do not constitute an erasure of the data in the strict sense as far as the data would still exist on the Blockchain. Nevertheless, the CNIL notes that it needs closer effective exercise of the right of erasure for the person concerned. Their equivalence with the requirements of the GDPR must be assessed.
It is technically impossible to grant the request for rectification or deletion of the data subject when data in clear or hashed are registered in a Blockchain. It is therefore strongly recommended not to register personal data in clear on the Blockchain, and to favour the use of one of the cryptographic processes mentioned.
With regard to the right to rectification, the absence of the possibility of modification of the data entered in a block must lead the data controller to register the updated information in a new block. In fact, a later transaction can always undo the first transaction, even if the first transaction will always appear in the string. The same solutions as in the case of a request to delete the personal data could be applied to the erroneous data if it is to be deleted.
The approach is somewhat different, although it requires, as for other rights, an upstream reflection, as far as the right to limitation (introduced by Article 18 of the GDPR) and human intervention in the context of making a decision fully automated (Article 22 paragraph 3).
For example, it would be possible to achieve a limitation of the use of data in smart contracts, simply by providing it upstream in the program.
It appears that the fully automated decision from a smart contract is necessary for its execution, in so far as it makes it possible to realise the very essence of the contract (what the parties have committed themselves to). With regard to appropriate measures, the data subject should be able to obtain human intervention, express his point of view and challenge the decision after the smart contract has been executed. It is therefore appropriate for the controller to provide for the possibility of a human intervention which will allow the decision to be questioned by allowing the person concerned to challenge the decision, even if the contract has already been executed, and this is regardless of what is listed in the Blockchain.
To remember
- The right to information, the right of access and the right to portability do not pose a prior particular difficulties related to Blockchain technology.
- As for the minimization of risks, the choice of the data storage format via a cryptographic process makes it possible to approximate an exercise of the effective rights for the person concerned: the deletion of the information stored outside the Blockchain and verification elements allow for the sever ability of the evidence recorded on the Blockchain, making it difficult or impossible to recover;
- Consideration of rights in the program prior to the implementation of a smart contract makes it possible to grant a request for limitation of the treatment or of human intervention.
- The equivalence of these solutions with the requirements resulting from the GDPR, in particular with regard to the limitation of the shelf life and the right to erasure, implies a thorough assessment.
What are the security requirements?
The different properties of Blockchain (transparency, decentralisation, falsifiability, disintermediation) are largely based on two factors: the number of participants and minors, and a set of cryptographic functions on the other hand.
In the case of Blockchains with permission, the CNIL recommends that, depending on the possible divergence or convergence of interests of the participating actors, a minimum of minors be used to ensure the absence of a coalition to control more 50% of the power on the chain.
The CNIL also recommends setting up technical and organisational procedures to limit the impact on the security of transactions of the possible failure of an algorithm (including cryptographic), including an emergency plan to implement modifying algorithms when a vulnerability is identified.
On the other hand, it is necessary to document the governance of the evolutions of the software used to create transactions and undermine, and to provide for technical and organisational procedures to ensure the adequacy between the planned permissions and implementation put into practice.
Particular vigilance should be given to the measures implemented to ensure the confidentiality of the GDPR Blockchain if it is not public.
Any controller who implements his processing through transactions on a Blockchain, must ensure that the security of the secret keys are implemented, for example by ensuring their storage on a secure support.
