News and Insights
Data protection and blockchain systems: impossible coexistence?
What is the common point between Data protection regulation and Blockchain? TECHNOLOGY. Data protection regulation – as the GDPR – has been created to face data protection issues in relation to the growing internet and the sharing of much personal data. Blockchain is a decentralized database technology. But this technology arises questions about data storage, governance and how the GDPR can apply to this decentralized yet worldwide technology. Many “tricky” questions are linked to the use of some blockchain systems and the GDPR regulation. The French Data Protection Authority (CNIL) and the European Union Blockchain Observatory and Forum analyzed these questions and suggested ideas. One of the first questions is: who is the data controller in a blockchain system?
According to the report of the CNIL when a group of organizations decides to implement a treatment on a blockchain system (private and permissioned blockchain network) for a common purpose, the participants should it decide jointly to designate a legal entity or first designate who takes the decisions of the group as data controller. Otherwise, all participants are likely to be regarded as having joint responsibility. In practice, some solutions nevertheless seem complicated to put in place. What about the rights of individuals? Even if a data controller could be identified, it would be very difficult or impossible to go back and delete or update the record without destroying the chain. Concerning the right of rectification, the lack of possibility of modification of the data entered in a block requires the data controller to enter the updated data in a new block. Indeed, a subsequent block/transaction can always cancel a first block/transaction, even if this first block/transaction still appears in the chain.
The report of the European Union Blockchain Observatory and Forum outlines principles and invites you to pose appropriate questions before starting a blockchain in order to protect the rights of individuals as much as possible. The only certainty is that blockchain systems and the data protection legislations are linked to each other trying to establish a balance of all interests at stake in one way or another.
Yann Smadja, BRANDIT Consult *Legal in Digital*, firstname.lastname@example.org
CNIL report: https://www.cnil.fr/sites/default/files/atoms/files/la_blockchain.pdf
European Union Blockchain Observatory and Forum report: https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf