Oct 5, 2018 20:10 UTC
Oct 6, 2018 at 10:26 UTC
New French Directive Further Complicates Contradiction Between Blockchain and GDPR
At the end of last month, CNIL (Commission Nationale de l’informatique et des Libertés) of France released a pioneering guidance document concerning how blockchain functions under the EU General Data Protection Regulation (GDPR). However, even as September drew to an end, it did not seem that the regulatory authorities had yet woken up to the need for uncompromising clarity to sort out the confusion.
Regulators are routinely vexed by the problem of applying GDPR to the emerging reality of blockchain technology because the very nature of the latter often contradicts the precepts of the former. According to the GDPR, a citizen’s request to delete data concerning him or her should be fulfilled immediately, and any information storage should be preceded by consent from the relevant party. However, a principal feature of blockchain is that data cannot be erased on such networks. Moreover, the nature of the technology makes it difficult to monitor or regulate it from a centralised source.
While CNIL is the first EU agency to even attempt to tackle this complex scenario, certain aspects of their directive have furrowed our brows even more. For example, the directive declares that the classification of data controllers would include users who work with blockchain ledgers in a commercial or professional capacity. This would mean even those who send funds over a blockchain network to pay for a good or service will be termed a data controller. The GDPR requires all data controllers to be responsible for making sure all data processing is in compliance with EU norms. They are further required to have binding agreements with the data processors to ensure compliance. While lawyer Laura Jehl of Baker & Hostetler theoretically agrees with such classification, she admitted to the difficulties of applying this in a practical scenario. Even if this were to function well on a private blockchain network, she opined, it would be practically impossible to ensure a common contract across a public blockchain.
“A code of conduct across bitcoin blockchain? Not going to happen,” Jehl was quick to dismiss the possibility.
CNIL also left several questions unanswered when it came to the standing of crypto miners. The guide suggests that the miners may be termed data processors, depending on how they work with the blockchain network, but such classification would require further deliberation and research. Another expert, Doug McMahon, noted that such a designation would require individual contracts between them and data controllers, which is hardly a viable option on such a scale. Further, given that many crypto miners remain anonymous, the problem of regulatory control intensifies.
With regard to erasure of data, CNIL suggested deleting user access via private keys altogether to make data deletion possible. However, not only is such a workaround not feasible on a long-term basis, it is also not pervasive enough to include public blockchains such as Bitcoin and Ether. To be fair, the report does admit that not all its recommendations may be technically viable in reality. This leaves us with a bunch of unanswered questions and potentially some new tag questions as well.