Out of all the challenges facing EU regulators tasked with translating the EU’s General Data Protection Regulation (GDPR) from text to reality, none is more potentially troublesome than how to apply the data law to blockchain technologies. Blockchain, after all, seems to inherently conflict with all that the GDPR demands. Data cannot be erased on the blockchain, nor can many blockchain networks be easily monitored or controlled by a central authority.
But among other things, the GDPR requires that enterprises honor any EU citizen’s request to erase their personal data from any system, and obtain an EU citizen’s “affirmative consent” before storing or processing personal data. So how can the GDPR and blockchain live side by side?
In late September 2018, France’s data protection authority Commission Nationale de l’informatique et des Libertés (CNIL) became the first, and so far only, EU agency to weigh in. But while CNIL’s recently released guidance does offer some solutions in allowing blockchain to exist under the GDPR, it creates even more questions about how these solutions would work in practice.
For instance, CNIL declared that users who interact with blockchain ledgers for professional or commercial purposes, such as sending funds through a blockchain to pay for a service, can be classified as data controllers.
Under the GDPR, data controllers are entities that must determine the purposes for which personal data is processed, and they have a responsibility to ensure such processing complies with EU regulations and is done in a secure fashion. Controllers also must issue binding contracts to data processors with instructions on how to process their information.
Laura Jehl, partner at Baker & Hostetler, noted that classifying some blockchain users as data controllers “conceptually makes sense” under the regulation because it is “consistent with the GDPR’s principle that you should have your control over data.” But she added that it may not work in practice.
Normally, data services, such as social media platforms, decide and publicly disclose how they will process their users’ data instead of having each user contractually dictate how their data is to be managed. Allowing users to run the show, after all, likely creates operational burdens, not least because of the sheer number of contracts needed.
“The main consequence is the obligation to have written agreements in place between the data controllers and the data processors,” said Maarten Stassen, Brussels-based senior counsel at Crowell & Moring. “As the CNIL rightfully indicates, there are certain practical difficulties to make this happen.”
Still, Jehl noted CNIL’s guidance could work in private blockchain services, which can restrict user participation. In this scenario, all users of a private blockchain service would have to agree to a “single code of conduct,” essentially an overarching, collective contract dictating how all their data is to be processed, before joining.
For public blockchains, however, it’s a far different story. “A code of conduct across bitcoin blockchain? Not going to happen,” Jehl said.
Doug McMahon, senior associate at McCann FitzGerald, explained that “the whole point of a lot of these [public blockchain] systems is that they all function as cryptographic hashes … so you don’t have the information about users, or the access or control” to enforce contracts.
While CNIL tackled how GDPR applies to blockchain users, it was far less clear on the status of cryptocurrency miners. The regulatory authority noted that miners could be classified as data processors depending on the circumstances of how they interact with the blockchain, but called for further research on the topic.
McMahon, however, said that designating miners as processors would mean each of them would have to enter into contracts with the data controllers on whose behalf they were mining. “The consequences of trying to get agreements with all those miners would potentially be a big headache and time-consuming to do,” he said.
What’s more, it may not even be possible, given that cryptocurrency miners often operate anonymously online. “If their identity is obscured and they’re working anonymously on the blockchain, then I don’t see any practical means by which a data protection authority like CNIL would enforce the GDPR against those individuals,” said Elizabeth Hinson, partner at Morris, Manning & Martin.
To be sure, in its guidance, CNIL did note that some of its suggestions may not be entirely feasible from a technical perspective and called for the development of innovative solutions to help address blockchain GDPR compliance.
However, the French authority did still seek to address one of the most challenging compliance issues: how to enforce the GDPR’s right to erasure on blockchain technology. Essentially, CNIL suggested that such erasure can be possible on private blockchains if one deletes the private keys by which users access the blockchain in the first place.
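One way to read CNIL’s key-destruction suggestion is as crypto-shredding: personal data reaches the ledger only in encrypted form under a per-person key held off-chain, and “erasure” means destroying that key while the immutable ciphertext stays behind. The Python below is an added illustration, not CNIL’s guidance or any project’s code; the ledger, the key vault and the toy stdlib stream cipher are all constructed for the example, and it generalizes the article’s point from access keys to encryption keys.

```python
import hashlib
import hmac
import secrets

LEDGER = []          # append-only list of {"payload", "hash"}; never rewritten
_KEYS = {}           # off-chain key vault: the only thing that is ever deleted
_GENESIS = b"\x00" * 32

def _stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream cipher (stdlib only; illustration).
    A production system would use AES-GCM from a vetted library instead."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def record(subject: str, personal_data: bytes) -> int:
    """Encrypt under the subject's key and append; only ciphertext hits the chain."""
    key = _KEYS.setdefault(subject, secrets.token_bytes(32))
    nonce = secrets.token_bytes(16)
    payload = nonce + _stream_xor(key, nonce, personal_data)
    prev = LEDGER[-1]["hash"] if LEDGER else _GENESIS
    LEDGER.append({"payload": payload, "hash": hashlib.sha256(prev + payload).digest()})
    return len(LEDGER) - 1

def read(subject: str, index: int):
    """Decrypt an entry; returns None once the subject's key has been shredded."""
    key = _KEYS.get(subject)
    if key is None:
        return None
    payload = LEDGER[index]["payload"]
    return _stream_xor(key, payload[:16], payload[16:])

def erase(subject: str) -> None:
    """The 'erasure': destroy the key, leaving the immutable ciphertext behind."""
    _KEYS.pop(subject, None)

def chain_intact() -> bool:
    """Verify the hash chain; erasure must not have touched any ledger entry."""
    prev = _GENESIS
    for entry in LEDGER:
        if hashlib.sha256(prev + entry["payload"]).digest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

if __name__ == "__main__":
    i = record("alice", b"alice@example.test")            # constructed sample record
    print(read("alice", i))                                # b'alice@example.test'
    erase("alice")
    print(read("alice", i), chain_intact(), len(LEDGER))   # None True 1
```

The ledger keeps exactly the entries it had before the erasure and its hash chain still verifies, which is the property that makes this approach compatible with an append-only structure; whether an unreadable ciphertext counts as erased personal data is the legal question the article leaves open.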
“To my mind it seems like a reasonable workaround,” McMahon said. But he added that whether “destroying a private key amounts to erasure under GDPR” may be tested by EU courts.
It’s also an open question whether such a workaround, which essentially locks someone out of the blockchain indefinitely, will remain feasible in the future. “There was a question in some people’s mind about what is foreseeable technology that will essentially crack the encryption, whether it’s quantum computing or something else,” Jehl said.
The fact that the workaround only applies to private blockchains is also telling. While private blockchains can be managed and controlled, public blockchains are a free-for-all that will likely pose an ongoing challenge for CNIL and other EU regulators. “I think [regulators] are conceiving that with public blockchains like bitcoin and ether, basically they can’t put the genie back in the bottle,” Jehl said. “They can’t regulate them under GDPR, because they already exist and they’re decentralized and no one is in charge.”