Blockchain and the GDPR: how do they interact?
13 November 2017

The General Data Protection Regulation (Regulation n°2016/679, GDPR), which comes into effect on May 25th 2018, will have significant impacts on personal data protection legislation. In this regard, questions have arisen regarding the relation between the Blockchain and the GDPR.

Let us recall that the Blockchain is a decentralized technology or open ledger of information that is verified and distributed across a peer-to-peer network. It is composed of a set of nodes which are similar to registrars. Each node holds personal data pertaining to each participant server or computer.

Therefore, Blockchain allows the flow of data from one person to another in a secure, flexible and convenient manner. How is personal data on blockchain technologies protected? Will they be subject to the GDPR? How can blockchain technologies and the participants be characterised under this new legislation?

Mathias Avocats examines some of the crucial questions regarding the articulation between the Blockchain and the GDPR.

Is the Blockchain subject to the GDPR?

The first question which comes to mind is whether blockchain technologies are subject to the GDPR.

For the Regulation to apply, there must be a processing of personal data. Processing activities are “any operation or set of operations which is performed on personal data or on sets of personal data” (article 3, 2° of the GDPR). Personal data means any information relating to an identified or identifiable data subject (article 3, 1° of the GDPR). The nodes on the Blockchain are digitally signed by the participant, and the signature is a means of identification; it is therefore personal data. This data is collected, recorded and stored on the Blockchain. As such, the Blockchain processes personal data and may be subject to the GDPR.

Furthermore, the Regulation has a large territorial scope. Indeed, in a few words, the Regulation will apply when the controller or processor is established in the European Union (EU) or when the processing activities relate to data subjects in the EU.

This leads to another question: who are the data controllers and/or processors? The controller is the legal or natural person who determines the purposes and means of the processing of personal data, whereas the processor is the legal or natural person processing the personal data on behalf of the controller (article 4, 7° and 8° of the GDPR).

Regarding the Blockchain, miners, the persons confirming the transactions and writing them into the ledger, could be considered as joint data controllers. They process the information in the node. However, this characterisation is not fully satisfactory considering the fact that computers accomplish most of the processing. Miners could also be characterised as processors.

The GDPR also sets out certain conditions for the lawfulness of processing personal data (article 6 of the GDPR). What legal basis could be applied to blockchain technologies? Can the participant be considered as having consented? Is the processing necessary for the performance of a contract to which the participant is a party? Is the processing necessary for the purpose of legitimate interests pursued by the controller? These questions have yet to be answered and have also been raised regarding liability in the Blockchain.

Can the Blockchain protect the rights of data subjects?

Under the Regulation, data subjects hold certain rights such as the right to rectification (article 16 of the GDPR) and the right to erasure (article 17 of the GDPR). The immutability of the data on the Blockchain seems to counter these rights. If the code cannot be changed or amended, how can the data subject rectify or have his or her data erased?

It could be argued that nodes could be changed either by a court order or by the miners. However, this situation raises another set of issues pertaining to the integrity and security of the Blockchain. Nodes are verification means. If one were modified or deleted, what impact would this have on the chain?
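As an added illustration (not from the original article) of the integrity question raised above: a minimal hash chain in Python, with constructed sample entries, showing that editing or deleting a single block invalidates every verification from that point onward unless all later blocks are rewritten.

```python
import hashlib
import json

# Added example, not from the original article: a minimal hash chain used to show
# why one modified or deleted entry breaks the integrity of the whole chain.
# Block layout and field names are constructed for illustration only.

def block_hash(block):
    """Hash the block contents (index, previous hash, payload) deterministically."""
    body = json.dumps(
        {"index": block["index"], "prev": block["prev"], "data": block["data"]},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(body).hexdigest()

def build_chain(records):
    """Link each record to its predecessor by embedding the previous block's hash."""
    chain = []
    prev = "0" * 64  # constructed genesis reference
    for i, rec in enumerate(records):
        block = {"index": i, "prev": prev, "data": rec}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain

def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if the chain is intact."""
    expected_prev = "0" * 64
    for i, block in enumerate(chain):
        if (block["index"] != i or block["prev"] != expected_prev
                or block["hash"] != block_hash(block)):
            return i
        expected_prev = block["hash"]
    return None

def rectify_entry(chain, index, new_data):
    """Simulate rectifying one entry in place, without rewriting later blocks."""
    edited = [dict(b) for b in chain]
    edited[index]["data"] = new_data
    return edited

def erase_entry(chain, index):
    """Simulate erasing one entry by dropping its block from the ledger."""
    return chain[:index] + chain[index + 1:]

# Constructed sample ledger: pseudonymous participant identifiers, not real data.
SAMPLE = ["alice->bob:5", "bob->carol:2", "carol->alice:1"]
```

Rectifying or erasing an entry makes `verify_chain` report the edited position; only rebuilding the chain from that block onward (`build_chain` on the amended records) restores consistency, which is exactly the rewrite an immutable ledger is designed to resist.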

Data subjects also have a right to be informed about the data processing. How can this be done through the Blockchain? How can the Blockchain ensure transparency? If these conditions are not met, a data subject cannot give informed consent.

Furthermore, data subjects may also have the right to be informed of a data breach if it is “likely to result in a high risk to [his or her] rights and freedoms” (article 34 of the GDPR). How can a data controller inform a data subject of a data breach on the Blockchain? What system could be put in place? What measures could the data controller subsequently take if the code is immutable? The same hurdle must be overcome for the notification of personal data breaches to the supervisory authority (article 33 of the GDPR and WP29 guidelines on Personal data breach notification of October 3rd, 2017).

Another issue arises regarding Data Privacy Impact Assessments (DPIA). The controller must carry out a DPIA when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (article 35 of the GDPR). The Article 29 Working Party (WP29) clarified this obligation in its guidelines on data protection impact assessment of October 4th, 2017. A DPIA will notably be mandatory for large-scale processing activities. The Blockchain falls within this category.

However, is it possible to carry out a DPIA of all transactions on the Blockchain? How can a controller determine the scope of the DPIA? Will the risks be the same for all data subjects? If data processors cannot be characterised on the Blockchain, are there other means to fulfil this obligation? The DPIA is of importance to prove conformity with the GDPR and with the principle of accountability.

Can data transfers on the Blockchain conform to the GDPR?

Blockchain technologies have no geographical limit, and data can be transferred quickly across the world. This is one of the major assets of the Blockchain. However, this asset may become a hurdle under the Regulation. The latter provides that personal data transfers may only occur if the other country conforms to the Regulation and presents a similar level of protection or appropriate guarantees (articles 44 to 49 of the GDPR).

How can one determine in which country the other participant is? How can the Blockchain ensure that transfers only occur in countries with a sufficient level of protection? Or, could blockchain technologies be considered as providing a similar level of protection?

There are various means of providing appropriate guarantees, such as standard contractual clauses or binding corporate rules. Could standard contractual clauses be defined in regard to transactions on the Blockchain? How could one access binding corporate rules? Could an approved certification mechanism be appropriate?

Sum up

It is important to note that most questions arise with un-permissioned Blockchains. The latter are open to anyone, whereas permissioned Blockchains are maintained by a limited group of actors who retain the power to access, check and add transactions to the ledger. Seeing as each participant is identified, most issues presented in this article are more easily resolved.

One must bear in mind the lack of State regulations regarding these issues. Participants on the Blockchain must rely on contractual law. Blockchain technologies offer a new means for transactions which operate just as any other transaction and, as such, are subject to a contract. Indeed, there is an offer, acceptance, consideration, mutuality of obligation, competency and capacity.

In this context, participants must be particularly vigilant and keep in mind that the transaction answers to contractual law and the obligations they define. Once again, permissioned Blockchains offer a significant advantage with their limited group of actors.

Mathias avocats will keep you informed of any new developments.