The application of the EU General Data Protection Regulation (hereinafter referred to as GDPR) to blockchain raised many questions from the very beginning, as this technology in many respects seems to contradict the new European rules on personal data processing.
Who in a blockchain should be considered a data controller and who a processor? Does a blockchain have to implement the privacy-by-design principle? How can a blockchain ensure that the rights of data subjects (individuals) to have their data deleted and corrected, as well as the right to object to further processing, are enforced?
The French personal data protection regulator CNIL (National Commission for Informatics and Freedoms of Citizens) has tried to answer all these questions and has formulated recommendations on which approaches under the GDPR can be applied to the processing of personal data in blockchain systems.
Today we can see differences in how the non-mandatory (dispositive) provisions of the GDPR are implemented from one EU member state to another.
The views of national data protection regulators in the European Union may differ to some extent. It is good that CNIL has published its vision of how the mandatory requirements of the GDPR apply to blockchain. CNIL's publications are generally known for their originality and sophistication.
As the expert notes, the main focus of CNIL is to determine the status of blockchain participants under the GDPR, the legal risks of using blockchain, and the question of how data subjects can effectively exercise their rights.
The delimitation of subjects under the GDPR may seem quite specific to a Russian audience. The Center for Digital Rights previously published an extensive review of the entire GDPR and described the peculiarities of the legal status of each of these subjects in more detail.
It should be recalled that the subjects under the GDPR can be briefly described as follows:
- Data subjects (hereinafter referred to as personal data subjects) – persons whose personal data are processed;
- Personal data controllers – persons who determine how and for what purposes personal data are processed;
- Joint controllers of personal data – persons who together determine how and for what purposes personal data are processed (possibly to a different extent each);
- Personal data processors – persons who process personal data on behalf of the controller.
The expert Ivan Chopyk notes that in blockchain, an unambiguous differentiation of the subjects involved in personal data processing is problematic, since blockchain is essentially a decentralized technology.
For example, it is not always possible to establish who in a blockchain defines the purposes and means of processing and thus becomes the controller.
According to the French regulator, "participants who have the right to make entries in blockchains and who transmit data to miners to confirm transactions can be considered controllers". More specifically, CNIL distinguishes between two categories of personal data controllers:
- A natural person who processes personal data within the scope of his or her professional or business activity;
- A legal entity that records personal data in a blockchain.
CNIL gives an example of the first category of blockchain-based personal data controllers: a notary registering documents in a blockchain, which is a clear example of a "professional activity" performed by an individual.
Thus, the entity that created a private blockchain is the personal data controller. The situation is more complicated for a public blockchain, where there is no specific operator and personal data are entered into the blockchain by the users themselves.
The French regulator CNIL also tries to determine the position of personal data processors in blockchain.
In particular, the article on Lawless.tech gives the example of the insurance company AXA. It launched a service that runs on Ethereum smart contracts and provides automatic insurance payouts for flight delays. Given the position of the French CNIL, the software developer in this case will be considered a processor, and AXA a controller.
As for miners, as a general rule they are not processors, since they do not have direct access to personal data and do not actively participate in processing. But this is not always the case. To illustrate, CNIL gives the following example: several insurance companies join a blockchain system and thereby gain access to the data of the other companies' clients.
In this case, according to CNIL's position, one company can be considered the personal data controller, while the others act as processors, who must conclude a contract with the controller as prescribed in Art. 28(3) GDPR. Such companies (processors) are miners, since they perform the function of transaction confirmation.
However, as the expert Ivan Chopyk notes, in fact any of these insurance companies can be considered a controller, a processor and a miner at the same time. An insurance company becomes a controller in relation to the personal data of its own clients, a processor in relation to the personal data of other insurance companies' clients, and, since each of them will confirm transactions, all of them will be miners at the same time.
In other words, there are concerns that the example given by CNIL does not take into account the possibility of overlapping roles in such a situation. In particular, miners could be other companies and their clients using the same private blockchain and confirming smart-contract transactions without any actual access to the personal data held in the system.
It is important to note that CNIL believes that, as a general rule, miners are neither controllers nor processors, since they are usually considered ordinary users. Ordinary users are covered by the exception in Art. 2(2)(c) GDPR as natural persons carrying out activities for purely personal or household purposes.
With regard to a group of persons, CNIL recommends either creating a legal entity or appointing one of the participants as the controller. Otherwise, according to the regulator, all of these persons may be considered joint controllers within the meaning of Art. 26 GDPR, which may require them to further formalize their status and define joint procedures for complying with the GDPR. It is also noted that an unambiguous identification of the controller facilitates interaction with it both for data subjects and for the supervisory authorities for personal data protection.
Summarizing the above, CNIL distinguishes the following types of subjects with regard to personal data processing in blockchain:
- Two types of controllers: legal entities, and individuals engaged in a professional or commercial activity (e.g. notaries);
- Processors: usually software companies;
- Miners: the regulator generally does not classify them as processors (let alone controllers), provided that they do not have direct access to personal data.
Risks of using blockchain in the context of GDPR
In general, CNIL's position on the use of blockchain technology is quite balanced. The regulator notes that blockchain's immutability supports the security of personal data processing, but at the same time there are some significant risks of blockchain being incompatible with GDPR requirements.