The General Data Protection Regulation (GDPR), which was approved and adopted by the European Union (EU) Parliament in April 2016 and became effective on May 25, 2018, is being implemented rigorously throughout the European Union. GDPR replaced the 1995 Data Protection Directive to protect personally identifiable information (PII) of EU citizens, increasing the transparency around the use of PII and providing EU citizens with the right to restrict the use of their data. GDPR defines PII in a manner that includes pseudonymized or encrypted data, or in other words, data that could be included in applications employing blockchain technology.
Blockchain technology has immense potential for development throughout the world, including the EU, but the development of blockchain applications raises many questions, including questions about the compatibility of blockchain with GDPR and about the best way in which to reconcile the inconsistencies between blockchain and GDPR. Addressing these questions will require collaboration among regulators, on the one hand, and tech developers and investors, on the other hand. Collaboration among EU regulators, including the European Data Security Supervisor, will help create a stable, predictable environment in which PII can be reasonably protected without creating burdensome legal or commercial barriers to, or stifling, innovation.
The GDPR’s First Non-EU Violator
On the same day that the GDPR went into effect, None of Your Business (“NYB”), which seeks to defend the privacy rights of EU citizens, brought several complaints against Google, Facebook, WhatsApp and Instagram with the data protection regulators, or “supervisory authorities,” in France, Austria, Belgium and Germany. At issue in the complaints is what NYB calls “forced consent,” which the complaints describe in detail as consent that is not freely given by users (or data subjects) and is overly broad, and which, as a result, violates a number of GDPR provisions.
The French supervisory authority, the National Data Protection Commission (CNIL), reviewed the NYB complaint against Google, conducted its investigation of Google between June and September 2018 and then issued its judgment against Google on January 21, 2019. CNIL found that Google violated the GDPR and imposed a financial penalty on Google of €50 million (US$57 million) “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” Google secured “forced consent” from Android users by implying that services would not be available unless the terms and conditions were accepted. CNIL concluded that Google did not transparently communicate the scope of data processing used for targeted advertisements, and left consumers uninformed about how their information would be used. Google did not concisely explain that personalized ads run across multiple services, including YouTube, Google Maps, and search.
According to CNIL, these violations have yet to be rectified by Google, and the violations continue to be observed to date.
“The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.” – CNIL
Although the financial penalty of €50 million imposed on Google was significant, the penalty is well below the maximum fine allowable under Article 83(5)(a) of GDPR, which could have been as much as 4% of a company’s annual worldwide revenue. This means that Alphabet Inc. (the group of which Google is a member), with revenue of approximately US$136.8 billion (€120.3 billion) for the fiscal year ended December 31, 2018, could have been subjected to a penalty of up to US$5.5 billion (€4.8 billion). The €50 million penalty does not include any fines that may be imposed by data protection regulators in other EU Member States, which may follow France’s (CNIL’s) lead and impose additional penalties.
Note: On January 23, 2019, Google announced that it would appeal the €50 million penalty, asserting that "[Google] worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing.”
Google was the first non-EU company to be fined for failing to comply with GDPR. The fine for Google is likely to be the start of a much wider crackdown on non-compliance with GDPR, as there are still complaints pending against, and investigations of, Facebook, WhatsApp, and Instagram for alleged failures to comply with GDPR. NYB has also filed complaints against Amazon Prime, Apple Music, Netflix, SoundCloud, Spotify, YouTube and other corporations for failure to comply with GDPR. The new complaints target the companies’ non-compliance with the “right to access” under GDPR. The “right to access” provides each EU citizen with the right to obtain a copy of all data that a company holds about the user, as well as information about the sources and recipients of the data, the purpose for which the data is processed, the countries in which the data is stored and how long it is stored.
The Member States of the EU and their respective data protection authorities are unequivocally resolute about the enforcement of any violations of GDPR. As a result, there are serious implications for any tech applications, including those grounded in blockchain technology, that involve using the data of EU citizens.
Guidance from an EU Data Protection Regulator: CNIL’s View of Blockchain and GDPR
On November 6, 2018, CNIL published a report, “Solutions for a Responsible Use of the Blockchain in the Context of Personal Data,” discussing concerns that have been raised about the compatibility of blockchain technologies that involve the use or processing of personal data and GDPR. The report was the first such guidance issued by a data protection regulator of a Member State within the EU. In the report, CNIL acknowledged that “GDPR, and more broadly classical data protection principles, were designed in a world in which data management is centralized within specific entities.” CNIL openly recognizes the challenges and tensions that exist between GDPR, as currently codified, and the development of blockchain applications. Moreover,
Data Controllers. That any one entity or individual is in control of users’ PII on a blockchain network is not consistent with the fundamental idea of blockchain, which is a decentralized data governance model. Currently, there is no “central node” on blockchain networks; rather, each blockchain network is composed of decentralized nodes that add data to, and process the data on, the network. However, “data controllers” are held responsible for using any such PII in compliance with GDPR. CNIL guidance has expanded the universe of entities and individuals that could be considered data controllers, and contrasted the role of data controller with that of a data processor (e.g., a miner who validates a transaction).
CNIL explained that “participants, who have the right to write on the [blockchain] and who decide to send data for validation by the miners, can be considered as “data controllers.” In describing the role of “data controllers” with more particularity, CNIL appears to be working toward creating helpful distinctions among the different types of participants who act within a blockchain network so that the appropriate participants can (1) understand their roles and responsibilities in complying with GDPR, and (2) be held accountable for compliance with GDPR and any fines that may result from any failure to comply.
Erasure Compared to Other GDPR-Compatible Rights. Certain rights granted to EU citizens under GDPR are, in fact, compatible with blockchain technology and its applications. These compatible rights include the information right, the right of access and the right to portability. The right of erasure, or the right to be forgotten, is, however, not compatible with blockchain.
CNIL acknowledges that once data is added to the blockchain, it is not possible at this time for EU citizens to have their PII erased. In fact, CNIL noted that, currently, “it is technically impossible to grant the request for erasure” of PII.
CNIL Recommendations and Additional Thoughts
While this post only addresses certain aspects of the tensions between GDPR and blockchain technology laid out in the CNIL report, the writers recommend a full read of the report as the first of its kind from an EU Member State.
In its report, CNIL made several recommendations, including those listed below. The simplest, yet likely the most important, of the recommendations listed below may in fact be No. 1. Notably, Amandine Jambert, IT specialist and cryptographer at CNIL, explained that “[b]lockchain is such a buzzword,” and she advanced the concern that “companies think they may need [blockchain] when they really don't, meaning that a careful assessment of whether it's necessary must be considered up front.”
- Consider Alternatives Before Implementing Blockchain Technology. If blockchain technology is not required for a transaction or for data processing, other solutions that allow for full compliance with the GDPR should be favored.
- Favor Permissioned Blockchains. Permissioned blockchains should:
  - be favored, as they allow better control over personal data governance, in particular as regards transfers outside of the EU; and
  - maintain a critical mass, so that no one party has the ability to outcompute the other nodes. CNIL recommends evaluating the minimal number of miners that would ensure the absence of a coalition able to control over 50% of the computing power over the chain.
- Allocate Data Controller Responsibilities Among Participants on a Blockchain Network. A group of participants that has implemented a blockchain should allocate the data controller responsibilities amongst the group.
- Use Off-Chain Processing/Linking. Personal data should be processed off the blockchain and linked back. If this is not possible, CNIL recommends solutions in which the following are stored on the blockchain, in order of preference: a commitment of the data; a hash generated by a keyed hash function on the data; or a ciphertext of the data.
- Establish and Implement Risk Management and Emergency Plans. Companies should develop a risk management plan, including technical and organization-wide procedures, to mitigate the impact of a potential algorithm failure on the security of the transactions (and the organization). In particular, they should have an emergency plan that enables algorithms to be changed when a vulnerability is identified.
- Conduct a Data Protection Impact Assessment (DPIA) When Warranted. Article 35 of the GDPR provides for a data protection impact assessment in circumstances where the processing of data is likely to result in a high risk to the rights and freedoms of the data subjects. DPIAs are conducted to assess risks, identify the measures to address them and determine the efficacy of the measures in addressing the risks.
And, as insightful as the report was, it did not provide guidance on cross-border safeguards for the many blockchain participants who are spread across the globe, nor did it address how to implement data processing contracts that adhere to Article 28 of the GDPR, which requires controllers to appoint processors who can provide “sufficient guarantees” to meet the requirements of the GDPR. Processors must only act on the documented instructions of the controller; they can be held directly responsible for non-compliance with GDPR obligations or with the instructions provided by the controller, and may be subject to administrative fines or other sanctions and liable to pay compensation to data subjects.
Complying With GDPR
Using Off-Chain Processing/Linking
Blockchain experts agree that confidential data and PII should not be stored directly on the blockchain in order to ensure full compliance with GDPR. Rather, entities or individuals linking PII to the blockchain with a hash pointer should implement revocable links between the PII and the blockchain. Blockchain also allows for information to be stored using “off-chain” mechanisms, in which PII or other data are maintained in a separate database or other system that has access control restrictions and is linked back to the blockchain through the use of private and public cryptographic keys. In this case, the only information stored on chain is a one-way cryptographic hash of the metadata corresponding to the PII or other data stored off-chain. Utilizing the off-chain method allows for maintaining a history of the data without revealing the parties linked to it. This method also allows an entity or individual to unlink the off-chain mechanism from the blockchain when data subjects (customers, clients or others) request erasure.
Storage of PII off-chain is one of the best solutions for adhering to the GDPR regulations. However, when using blockchain together with one or more “off-chain” mechanisms, it is important to recognize that the “blockchain can no longer be a single, shared source of truth and in most cases … counterparties will be required to maintain their own records.”
Using Anonymized Identity
Though the data on the blockchain may be anonymized, members of the blockchain can still be identifiable through blockchain trade services, which require information such as email addresses when setting up an account. Because the GDPR requires that data not be linked to a specific person, anonymizing such data means that the data cannot be re-linked back to that person. The idea is that all personal data linked to an individual is stored on the blockchain in the form of a hash, making it difficult to associate the data with the corresponding data subject. To comply with the regulations of the GDPR, private blockchains and blockchain trade services must not be traceable back to the individual.
Compliance may also be accomplished by encrypting personal data. Each member of the blockchain would encrypt each record with its own key and store only the encrypted ciphertext on the chain. Instead of deleting the ciphertext, the member would simply delete the associated key, leaving the on-chain ciphertext unreadable.
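The off-chain pattern described above (and CNIL's preference for a keyed hash over a bare hash), as an added illustration in Python that is not from the CNIL report or this post: only an HMAC commitment is written to an append-only ledger, the PII and its per-record key stay in an access-controlled off-chain store, and an erasure request deletes both so the on-chain digest can no longer be linked to or verified against the person. The `Ledger` and `OffChainStore` classes and the sample email addresses are hypothetical, constructed for this example.

```python
import hashlib
import hmac
import secrets

class Ledger:
    """Stand-in for an append-only chain: entries are never deleted or edited."""
    def __init__(self):
        self.entries = []

    def append(self, commitment: bytes) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1

class OffChainStore:
    """Access-controlled store for the PII and its per-record key. Only an HMAC
    (keyed hash) of the PII goes on chain; deleting key and PII revokes the link."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records = {}  # record_id -> (key, pii)
        self.links = {}    # record_id -> index of the on-chain commitment

    def commit(self, record_id: str, pii: bytes) -> int:
        key = secrets.token_bytes(32)  # fresh random key per record
        digest = hmac.new(key, pii, hashlib.sha256).digest()
        idx = self.ledger.append(digest)
        self.records[record_id] = (key, pii)
        self.links[record_id] = idx
        return idx

    def verify(self, record_id: str, claimed_pii: bytes) -> bool:
        """True only while the key is still held off-chain and the PII matches."""
        if record_id not in self.records:
            return False
        key, _ = self.records[record_id]
        expected = self.ledger.entries[self.links[record_id]]
        actual = hmac.new(key, claimed_pii, hashlib.sha256).digest()
        return hmac.compare_digest(actual, expected)

    def erase(self, record_id: str) -> None:
        """Erasure request: drop PII and key; the on-chain digest stays, orphaned."""
        self.records.pop(record_id, None)
        self.links.pop(record_id, None)

def guess_unkeyed(commitment: bytes, candidates):
    """Why a bare hash ranks below a keyed hash: low-entropy PII can be confirmed by guessing."""
    for c in candidates:
        if hashlib.sha256(c).digest() == commitment:
            return c
    return None
```

After `erase`, the ledger still holds the digest, which is exactly the property the text relies on: the chain is unchanged, but without the key the digest can no longer be confirmed against any candidate value.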
Next Steps and Reconciling the Inconsistencies Between Blockchain and GDPR
Google is unlikely to be the last entity fined by CNIL or the data protection authorities of other Member States as the EU and Member States crack down on violations of the privacy rights of their citizens. In addition, the EU is unlikely to relax GDPR compliance requirements.
Developers and innovators will have to learn how to design with GDPR in mind. This will require developers and innovators to work hand-in-hand with their privacy and compliance counsel when using blockchain technologies. In addition, developers and innovators and their legal counsel will have to proactively reach out to regulators to help regulators understand how to strike a balance between creating a stable, predictable environment in which PII can be reasonably protected, on the one hand, and creating burdensome legal or commercial barriers to, or stifling, innovation, on the other hand.
Significantly, in its report, CNIL committed to “work cooperatively with its European counterparts to suggest a strong and harmonised approach” to address the challenges presented by blockchain technology and its applications in a post-GDPR environment. CNIL also committed to help “establish a foundation for inter-regulation that will allow the stakeholders involved to better understand the various regulations applicable to blockchains.” So, CNIL has laid the foundation for collaboration – collaboration that, ideally, will foster the advancement of blockchain technology and its applications.