Applying the GDPR to blockchain technology: Guidance from data protection authorities

| Insight

The French data protection regulator (CNIL) has, as the first European data protection authority, addressed the tension between the GDPR and blockchain technology. The question of whether the Regulation can coexist with blockchain has been the focus of many in the past year, as there are obvious legal and practical issues to address. CNIL's initial report discusses several fundamental questions that are raised through the interaction between blockchain technology and the rights and obligations under the GDPR.

The question of compatibility of the GDPR and blockchain can be answered from different viewpoints. Some argue that the ideology behind the GDPR and the blockchain technology is coinciding, because both systems strive to give individuals control of their data in different ways. The GDPR focuses on individuals being in control of their own personal data by providing rights and information in relation to their controllers. Blockchain too offers powers to its users through a decentralized peer-to-peer network that focuses on transparency, verification and resistance to modification of data. Others argue that the systems are on opposite sides, as personal data in the blockchain is difficult to regulate. One problem is that the roles and responsibilities of the GDPR are almost impossible to determine when there exists a multitude of actors in a decentralized model. Also, implementing safeguards when transferring data outside the EU is difficult with a public blockchain where there is no real control over the location of miners. These are just two of many concerns being raised in relation to blockchain and the regulation of personal data.

Regardless of the view on blockchain’s compatibility with the GDPR, it seems this new technology is in it for the long haul. CNIL describes blockchain as a «technology with a high potential for development», and thus provides guidance for actors who want to use blockchain to process their personal data. CNIL points out that blockchain will not necessarily be the most suitable technology for all data processing. Yet, their focus seems to be on finding solutions to the problems so that personal data can be processed lawfully using blockchain technology. This might be the first step of many in providing harmony between this fast growing technology and data protection under the GDPR.