Blockchain is widely presented as the technology of the future for data processing, storage and traceability, and is increasingly used by stakeholders in finance, insurance, law and other sectors.

But what about blockchain when processing personal data? Is it compliant with the General Data Protection Regulation (GDPR)? Is personal data stored in blockchain safe and protected, and what is the CNIL’s (French National Commission on Informatics and Liberty) stance on blockchain privacy? BCdiploma brings you all the information you need on that matter.

Defining blockchain and the GDPR

What exactly is blockchain?

Blockchain is a secure and transparent technology for storing and transmitting information. Data, as well as every change and operation, is recorded in a ledger that anyone can verify and that cannot be altered after the fact without the alteration being detected.


Blockchain is a great solution for:

  • Disintermediation of data: for instance, it allows transactions to be carried out without an intermediary such as a bank;
  • Data security: once a block has been confirmed, the data it contains cannot be modified or deleted without every copy of the ledger revealing the tampering;
  • Verifiability: any change made appears on the blockchain and is visible to all. Ultimate transparency is the main strength of blockchain technology.

Multiple stakeholders are involved when blockchain is used to process data:

  • Participants: they submit transactions, i.e. add information to the blockchain ledger;
  • Miners (or validators): they check that the transactions submitted by participants comply with the protocol before grouping them into new blocks;
  • All other members of the network: they hold a copy of the ledger and can audit every entry and every block added to the blockchain.

What is the GDPR?

The GDPR is the General Data Protection Regulation. It is an EU regulation applicable since 25 May 2018, which complements the French Data Protection Act (the 1978 “Loi Informatique et Libertés”) governing the use of computers to process personal data.

The GDPR aims to:

According to the CNIL, personal data is defined as “any information relating to an identified or identifiable individual”. This relates to any data that allows direct (last name, first name) or indirect (telephone number, address, customer number) identification of an individual. 

The processing of personal data covers any operation performed on such data (collection, recording, storage, consultation, use, dissemination, erasure, etc.), whether automated or not, outside purely personal or household activities.

The GDPR provides a legal framework for the processing of personal data by any public or private organization established in the European Union, and by organizations established elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU. It also applies to the processors (subcontractors) acting on these organizations’ behalf.

The CNIL is the independent supervisory authority responsible for ensuring proper implementation of the French Data Protection Act and compliance with the GDPR in France.

Blockchain and the GDPR: when are they compatible?

In what cases is blockchain used to process personal data?

Blockchain is subject to the GDPR whenever the data stored on it contains personal information. Typical examples include:

  • The transfer of financial assets, pension funds, insurance;
  • Patient medical data hashes for blockchains in the health sector;
  • Traceability of samples in scientific research;
  • Cryptocurrency launches;
  • Student identity, school and degree title for blockchain certifications such as degrees issued via the BCdiploma blockchain application.

The GDPR must be complied with in these cases, as well as for any transaction where personal data is recorded on the blockchain.

Which GDPR rights are compatible with blockchain?

In its analysis, the CNIL indicates that responsibility for complying with the GDPR lies with the data controller that sets up a service using blockchain. On this basis, it provides a set of recommendations and cites use cases such as diplomas and credentials.

Several use cases are already well documented and comply with GDPR requirements, such as the one set up by BCdiploma for credentials certified using blockchain.

Which GDPR rights are at risk?

However, like any technology, blockchain has limitations and might not be suitable for all uses. For instance, the “right to be forgotten” (or “right to erasure”) is at the heart of the GDPR and blockchain debate:

“At first glance, blockchain and the right to be forgotten don’t appear to be compatible. Inalterability and decentralization not only imply that the register is indelible, but also that it is shared among all users who have recorded copies. If a person were to exercise their right to be forgotten, they would therefore be expected to go against blockchain’s principle of inalterability, and their right to be forgotten could only be ensured if each user individually deleted the desired encrypted data from their ledger”, as explained by legal expert Aurélie Bayle in her article “Peut-on concrètement espérer l’exercice d’un droit à l’oubli sur la blockchain et se conformer aux principes dégagés par le RGPD ?” (Is blockchain compatible with the “right to be forgotten” and can it comply with the requirements set out in the GDPR?)


Where the CNIL stands: how can we ensure responsible use of personal data stored on blockchain?

In September 2018, the CNIL published its initial analysis of the compatibility of blockchain with the GDPR principles. It also looked into the following issues:


Who is responsible for processing data on the blockchain?

To comply with the GDPR, the data controller of the processing must be identified: it is the party accountable for demonstrating that the processing respects users’ privacy rights.

According to the CNIL, in the case of blockchain, the participants are the data controllers, since they decide to write data on the blockchain and determine the purpose of that processing, whatever that purpose may be.

A participant qualifies as a data controller when it is:

  • a natural person processing data for professional or commercial, rather than purely personal, purposes (e.g. a doctor or an attorney);
  • a legal person (e.g. a bank).

On the other hand, miners, who only validate transactions on behalf of the participants, are not considered to be data controllers; the CNIL notes that they may, depending on the case, qualify as processors. When several participants jointly decide on a processing, the CNIL recommends that they designate a legal entity or a natural person as data controller upstream.

What solution can be implemented to protect personal data processed by blockchain while complying with the GDPR’s requirements?

The CNIL provides guidelines on how to ensure the processing of personal data complies with the GDPR:

  • Think upstream of any data processing: is it necessary to write the data on a blockchain at all, and if so on a public or a permissioned one, and in what form? Personal data should never be written on a public ledger in clear text;
  • Keep the personal data itself off-chain and write on the blockchain only a cryptographic commitment, a keyed hash (HMAC), or an encrypted version of it, especially on public ledgers that anyone can read. A plain, unkeyed hash of identifying data (a name, an e-mail address) remains personal data, because anyone can hash a guessed value and compare it with the on-chain digest;
  • Regarding the “right to be forgotten”: erase the off-chain data and destroy the key, so that the value left on the blockchain can no longer be decrypted or recomputed and is thus permanently inaccessible. This assumes the key is held by the controller and has not already been copied elsewhere.
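The following Python example is added here to make the two technical points of this page concrete in one place: the tamper-evident ledger described under “What exactly is blockchain?” (every block commits to the previous one, so all copy holders can detect an altered block) and the CNIL guidance just listed (data off-chain, only a keyed commitment on-chain, erasure by destroying the key). It is not code from BCdiploma or the CNIL. The `Ledger` and `Issuer` classes, the HMAC-SHA256 commitment, the credential identifier and the diploma record are all assumptions constructed for the demonstration; only the Python standard library is used.

```python
# Added illustration, not code from BCdiploma or the CNIL: personal data off-chain, a
# keyed commitment on-chain, erasure by key destruction. Standard library only; every
# name, identifier and record below is constructed for the demonstration.
import hashlib
import hmac
import json
import secrets

GENESIS_HASH = "0" * 64


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class Ledger:
    """Toy append-only chain: each block commits to the previous block's hash."""

    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_HASH
        digest = hashlib.sha256(canonical({"prev": prev, "payload": payload})).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Anyone holding a copy can detect an altered or removed earlier block."""
        prev = GENESIS_HASH
        for block in self.blocks:
            expected = hashlib.sha256(canonical({"prev": prev, "payload": block["payload"]})).hexdigest()
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True

    def contains(self, commitment: str) -> bool:
        return any(b["payload"].get("commitment") == commitment for b in self.blocks)


def plain_commitment(record: dict) -> str:
    """Unkeyed SHA-256: the weak option, kept only to show the guessing attack."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_commitment(record: dict, key: bytes) -> str:
    """HMAC-SHA256: without `key`, guessed records cannot be tested against the digest."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical data controller (a school). Personal data and keys stay off-chain."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.offchain = {}  # credential_id -> {"record": ..., "key": ...}

    def issue(self, credential_id: str, record: dict) -> str:
        key = secrets.token_bytes(32)  # one fresh key per credential
        digest = keyed_commitment(record, key)
        self.offchain[credential_id] = {"record": record, "key": key}
        self.ledger.append({"credential_id": credential_id, "commitment": digest})
        return digest

    def erase(self, credential_id: str) -> None:
        """Right to erasure: destroy record and key; the on-chain digest becomes unlinkable."""
        del self.offchain[credential_id]


def verify_credential(ledger: Ledger, record: dict, key_hex: str) -> bool:
    """Recruiter-side check: recompute the HMAC and look it up on the ledger."""
    return ledger.contains(keyed_commitment(record, bytes.fromhex(key_hex)))


def dictionary_attack(digest: str, candidates: list):
    """Outsider holding only the public digest and a list of guessed records."""
    for candidate in candidates:
        if hmac.compare_digest(plain_commitment(candidate), digest):
            return candidate
    return None


def demo() -> dict:
    ledger = Ledger()
    school = Issuer(ledger)
    diploma = {"name": "Alice Martin", "degree": "MSc Computer Science", "year": 2023}
    school.issue("cred-001", diploma)
    entry = school.offchain["cred-001"]  # the record and key the graduate shares via a link
    results = {"valid_before_erasure": verify_credential(ledger, entry["record"], entry["key"].hex())}
    # Public ledger: a plain hash of low-entropy data is recovered by guessing names.
    guesses = [dict(diploma, name=n) for n in ("Bob Durand", "Alice Martin", "Chloé Petit")]
    results["plain_hash_leaks"] = dictionary_attack(plain_commitment(diploma), guesses) == diploma
    results["keyed_hash_leaks"] = dictionary_attack(ledger.blocks[0]["payload"]["commitment"], guesses) is not None
    school.erase("cred-001")  # erasure leaves the chain itself untouched
    results["ledger_intact_after_erasure"] = ledger.verify()
    results["controller_can_still_link"] = "cred-001" in school.offchain
    ledger.blocks[0]["payload"]["commitment"] = "00" * 32  # rewriting history breaks the chain
    results["tamper_detected"] = not ledger.verify()
    return results
```

Running `demo()` shows the four properties side by side: the recruiter check succeeds while the key exists; a plain hash of the diploma is recovered by guessing the name, whereas the keyed digest actually written on-chain is not; after `erase()` the ledger still verifies, but the controller can no longer link the digest to anyone; and rewriting an earlier block is detected by every copy holder. One caveat the code makes visible: key destruction only covers copies under the controller’s control. A graduate who has already shared the record and key with a recruiter keeps a verifiable copy, so a GDPR analysis of this pattern has to cover those off-chain copies as well.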

BCdiploma’s 100% blockchain certifications

BCdiploma has created the very first secure, verifiable and forgery-proof digital credentials using blockchain technology, and demonstrates a robust approach that enables educational institutions using the service to comply with the GDPR.

Students can publish their degrees, certifications or open badges on any digital medium (LinkedIn profile or CV) and share them with recruiters through a seamless URL link.

Learn more about BCdiploma and its blockchain technology for authenticating diplomas.

Learn more:

https://www.cnil.fr/fr/blockchain-et-rgpd-quelles-solutions-pour-un-usage-responsable-en-presence-de-donnees-personnelles

https://www.cnil.fr/sites/default/files/atoms/files/la_blockchain.pdf

RGPD : de quoi parle-t-on ? | CNIL: https://www.cnil.fr/rgpd-de-quoi-parle-t-on

https://www.cnil.fr/les-droits-pour-maitriser-vos-donnees-personnelles