On July 24, 2019, the European Parliament published a study entitled “Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?” The study explores the tension between blockchain technology and compliance with the General Data Protection Regulation (the “GDPR”), the EU’s data protection law. The study also explores how blockchain technology can be used as a tool to assist with GDPR compliance. Finally, it recommends the adoption of certain policies to address the tension between blockchain and the GDPR, to ensure that “innovation is not stifled and remains responsible”. This blog post highlights some of the key findings in the study and provides a summary of the recommended policy options.
Continue Reading European Parliament Publishes Study on Blockchain and the GDPR
blockchain
The CNIL Publishes Report On Blockchain and the GDPR
On November 6, 2018, the French data protection authority (the “CNIL”) published a report that discusses some of the questions raised by the use of blockchain technology and perceived tensions between it and foundational principles found in the General Data Protection Regulation (the “GDPR”). As we noted in an earlier blog post on this topic, some pundits have claimed that certain features of blockchain technology, such as its reliance upon a de-centralised network and an immutable ledger, pose GDPR compliance challenges. The CNIL has attempted to address some of these concerns, at least in a tentative manner, and further guidance from EU privacy regulators can be expected in due course.
De-centralised network
The CNIL acknowledges that EU data protection principles have been designed “in a world in which data management is centralised,” and where there is a clear controller of the data (“data controller”) and defined third parties who merely process the data (“data processors”). Applying these concepts to a de-centralised network such as blockchain, where there are a multitude of actors, leads to a “more complex definition of their role.” In brief, EU data privacy rules are the square peg to blockchain’s round hole.
Notwithstanding this, the CNIL considers that participants on a blockchain network, who have the ability to write on the chain and send data to be validated on the network, must be considered data controllers. This is the case, for instance, where the participant is registering personal data on the blockchain and it is related to a professional or commercial activity. By contrast, according to the CNIL, the miners, who validate the transactions on the blockchain network, can in certain cases be acting as data processors. As a consequence, data processing agreements would need to be in place between the data controllers and the data processors on any blockchain network.
The CNIL further considers that where there are multiple participants who decide to carry out processing activities via a blockchain network, they will most likely be considered “joint controllers,” unless they identify and designate their roles and responsibilities in advance. Individuals who use the blockchain for personal use (i.e., individuals who access the network to buy and sell a virtual currency), however, would not be data controllers as they can rely on the “purely personal or household activity” exception.
Continue Reading The CNIL Publishes Report On Blockchain and the GDPR
The GDPR and Blockchain
Blockchain technology has the potential to revolutionise many industries; it has been said that “blockchain will do to the financial system what the internet did to media”. Its most famous use is its role as the architecture of the cryptocurrency Bitcoin, however it has many other potential uses in the financial sector, for instance in trading, clearing and settlement, as well as various middle- and back-office functions. Its transformative capability also extends far beyond the financial sector, including in smart contracts and the storage of health records to name just a few.
A blockchain is a shared immutable digital ledger that records transactions / documents / information in a block which is then added to a chain of other blocks on a de-centralised network. Blockchain technology operates through a peer network, where transactions must be verified by participants before they can be added to the chain.
Notwithstanding its tremendous capabilities, in order for the technology to unfold its full potential there needs to be careful consideration as to how the technology can comply with new European privacy legislation, namely the General Data Protection Regulation (the “GDPR”) which came into force on 25 May 2018. This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR.
Continue Reading The GDPR and Blockchain