On September 24, 2018, the French data protection authority, Commission Nationale de l’Informatique et des Libertés (CNIL), became the first data protection authority to issue written guidance on the intersection of blockchain technology and the General Data Protection Regulation (GDPR). Because blockchains are decentralized and their records are permanent, there is an inherent tension between blockchain technology and the GDPR, particularly with respect to data subject rights (such as rectification and erasure) and the storage limitation principle. The CNIL guidance therefore provides some welcome clarification on how the authority views these tensions, although it left open certain important issues that will require deeper analysis and explanation in the future. The summary below was prepared from an unofficial translation of the CNIL guidance and may therefore change if and when the CNIL releases an official English translation. Our high-level takeaways from the CNIL guidance are as follows:
- The legal analysis of whether the GDPR applies to a blockchain must be conducted on a participant-by-participant basis. Some participants on a blockchain may be subject to the GDPR while others may not.
- The greater the ability of a participant to intervene and influence blockchain transactions, the more likely such a participant is subject to the GDPR.
- Whether a participant is a controller or a processor, as such terms are defined under the GDPR, is a determination based on the particular facts and circumstances, influenced by the architecture of the blockchain and the types of users who engage with it.
- Data minimization principles apply to some but not all aspects of blockchain technology. Notably, there is no data minimization requirement for public addresses and public keys.