The Commission nationale de l’informatique et des libertés (CNIL), an independent French administrative regulatory body charged with ensuring that data privacy law is applied to the collection, storage, and use of personal data, has published a first-of-its-kind guidance to for the implementation of GDPR requirement into blockchain development.

The CNIL is one of the first authorities to officially address the challenges raised by blockchains in terms of compliance with human rights and fundamental freedoms.

The CNIL notes that blockchains can take different shapes and that the choices made by data controllers (between a permissioned blockchain and a public blockchain, between different formats for recording data on blocks, etc.) can have a significant impact, both positively and negatively, on risks to individuals’ rights and freedoms.

Although all blockchain projects do not involve personal data processing, in practice, many uses of this technology require the manipulation of such data, both in terms of content and of information related to participants.

When a blockchain contains personal data, the GDPR is applicable. The architecture and characteristics specific to blockchains will, however, have consequences on how personal data is stored and processed. The impact of blockchains on individual rights

A blockchain can contain two categories of personal data:

  • participants’ and miners’ identifiers: each participant/miner has a public key, ensuring identification of the issuer and receiver of a transaction;
  • additional data contained “within” a transaction (e.g.: diploma, property deed). If such data concerns natural persons, possibly other than the participants, who may be directly or indirectly identified, such data is considered personal data.

Using this distinction, the usual GDPR analysis applies: identification of the data controller, enforcement of rights, implementation of appropriate safeguards, security obligations, and so on.

CNIL said it also intends to contact other national regulators to establish a foundation for inter-regulation that will allow the stakeholders involved to better understand the various regulations applicable to blockchains.