The Blockchain and the GDPR

If the blockchain is still unknown for some, companies when to them, seem to want to subscribe to it more and more … Through his numerous assets, this one is nevertheless in conflict with certain fundamental set up by the GDPR.

0

The blockchain, so many people talk about it, but it is still a foreign notion for some. But if that’s your case, do not worry, it should change quickly! Indeed, if the blockchain is today’s reality only for some, it is undoubtedly everyone’s reality for tomorrow.

However, if more and more companies want to take part of it, the GDPR sometimes seems to be in distortion with some of blockchain operations. What then are the blockchain practices which remain into question by the standards imposed by the GDPR ?


Understand the blockchain

The Blockchain and the GDPR- httpcs

A blockchain definition is given by French law in the Monetary and Financial Code. According to its article L 223-12, it is a “shared electronic recording device enabling the authentication of these operations, in particular under security conditions, defined by decree in the Council of State”.

Well, such an information… This legal definition given, let’s try to understand a little more about what it really is.

On what is based the blockchain ?

blockchain decentralization

Decentralization. The basic idea of the blockchain is that the information is not stored on a single central server. It is based on a set of participants who support it and not on a single person who manages the entire system.

What’s the blockchain for?

  • If at first the blockchain was used for cryptomoney (especially Bitcoin), it is now possible to do more than just assets transfer.

cryptomoney and blockchain

  • It guarantees a better transparency thanks to a reinforced traceability of the products/assets. Thus, in a production line for example, it will be easier for the consumer to know the whole manufacturing process and thus to make informed consumption choices (which is far from being the case today…)

 

transparency and blockchain

 

  • Finally, it allows the execution of smart contract. These contracts thanks to the blockchain system will be executed in an autonomous and automated way. How? Through a program which captures when the necessary conditions to trigger the implementation of the contract are met.

 

smart contract and blockchain

Why is it right?

For transparency. Once information is created in the blockchain, it can be consulted at any time and by anyone (depending on the type of blockchain, but let’s stay on the basic diagram).  The blockchain contains a history of all exchanges between its users since its creation.

Moreover, the data are immutable. Once registered they cannot (in principle and for now) be modified.

For autonomy / trust. Those who act in the blockchain are real actors of the actions they put in place. The blockchain eliminate the intermediaries. Thus, for banking transactions for example, Paul can give Jacques 100€ without asking Marie (banker).

Nota bene : what is transmitted by the blockchain is called digital assets.

The GDPR, a problem….

blockchain- gdpr-httpcs

The general obligation of limited data retention

Through its fundamental principles the GDPR imposes, to keep only the necessary data to carry out the mission. This requires a clear and stated justification of why the data should be retained. In other words, if the data has no reason to exist, it must be absolutely deleted.

How then, this right to the limitation offered by the GDPR to natural persons can be combined with the irreversibility of the data contained in the blockchain? For now, there is no answer to this question. This is why the incompatibility between the blockchain and the GDPR is completely patent.

The controller and the processor

The blockchain is based as seen above on a decentralized and autonomous system. In other words, nobody controls the hole system, nobody is at the head of this system. Does this mean that all actors are responsible? At the very least, everyone is responsible for the actions they take…

What about the obligation made by the GDPR to designate a controller? Who takes responsibility in the event of a shared data breach? If there’s a rift, who do we turn against? Nobody? All the identifiable actors (but who will really have the heart to do so)?

How to reconcile the obligation to have a clearly identified and easy to question data controller with this totally disparate operation of responsibilities? No solution is currently advanced…
The same thought can be given to processors…

The right to deletion / rectification

 

 

The right to delete/ rectify -blockchain -httpcs

 

The GDPR was keen to restore a real power to individuals over their data. To do so, they must be able – at any time and without difficulty – to request the deletion of their data that are held by a company.

Conversely, the blockchain is based on an essential element: the irreturnability. Once stored, files can no longer be modified, deleted…

 

How then this aspect can be reconciled with one of the essential characteristics of the blockchain? The question remains for the moment whole…

The CNIL is currently studying these questions which arise from the implementation of the blockchain. In the coming months, it will not fail to position itself on the various issues that this raises.

More

Comment

Your email address will not be published.