That is the clear message from the data protection authority in France in a recent paper it published on blockchain and the General Data Protection Regulation (GDPR).
The Commission Nationale de l’Informatique et des Libertés (CNIL) said that, in some cases, businesses should consider using alternative technologies before committing to their projects.
The views of the CNIL on data protection and blockchain had been requested by a number of organisations in the private and public sectors, in particular from health bodies and financial institutions.
CNIL identified that blockchain can be used in a number of different ways, including for transferring assets like cryptocurrencies or property titles, as a register that ensures traceability like the certification of diplomas, and for the launch of so-called 'smart' contracts.
CNIL acknowledged that not all blockchain projects involve the processing of personal data, but it said many uses of the technology do require the manipulation of such data, both in terms of the content of information stored or exchanged and in respect of information about those participating on the blockchain.
It highlighted two categories of personal data as being particularly relevant when blockchain is being used:
- the identification of participants and miners: each participant and miner has a public key, which makes it possible to identify the sender and recipient of a transaction;
- additional data, entered 'in' a transaction, such as within a title deed or diploma: if these data relate to people, possibly other than participants, and mean those people are directly or indirectly identifiable, they are personal data.
Where personal data is involved, businesses must identify who is the data controller, provide for the various rights of data subjects, establish appropriate safeguards around processing and meet their obligations on data security.
According to CNIL, in some cases, blockchain technologies are likely to pose a challenge for businesses in relation to their compliance with the GDPR. It said blockchain will therefore not always be the most suitable solution for all processing.
The authority identified the implementation of obligations related to sub-contracting and the rules governing international transfers of personal data as requiring particular vigilance from businesses using blockchain, especially where a public blockchain is in use.
CNIL's paper highlights the need for businesses to check the value of using blockchain in concrete terms before beginning a project involving the technology. This means evaluating their objectives and the characteristics of their planned activities.
The CNIL therefore called on the players to consider at an early stage, in accordance with the principle of 'privacy by design', whether it is appropriate to use blockchain technology rather than an alternative technology for the implementation of activities involving the processing of personal data.
Beyond the question of whether or not to use blockchain, data controllers must also consider the type of blockchain they intend to use. The choices made by the controller between using a permissioned blockchain or a public blockchain, and between different formats for entering the data in the blocks, for example, can significantly affect the level of risk that the data processing poses to the rights and freedoms of individuals.
Paris-based Annabelle Richard and Pauline Binelli are experts in data protection and technology law at Pinsent Masons, the law firm behind Out-Law.com.