Blockchain and Data Protection: Trustless Should Not Mean Distrusted
Amidst the international tidal wave caused by the entry into force of the EU General Data Protection Regulation (“GDPR”) in May 2018, many half, or even false truths have been spread about hindrance on a global scale of innovative technologies. However, we must keep in mind that Europe has adopted a long-standing position of technology-neutral regulations and data protection is no exception.
Indeed, from a GDPR perspective, no technology would be prohibited or regulated by nature – only its application to a specific purpose may be regulated, inasmuch as it involves personal data -whether relating to the participants and miners or the payload data itself- and falls within its broad geographical scope (see our previous Alert for more details).
The French Data Protection Authority (the “CNIL”) has just published a white paper analyzing the key aspects of blockchain-based services and reiterated that a case-by-case analysis would be required in order to assess the roles of the parties involved, the resulting regulatory undertaking and how the rights of the individuals could be ensured on solutions that are oftentimes confusing “anonymization” (which sits outside the scope of GDPR) and mere “pseudonymisation”. To that extent the last section of the white paper addresses how operational considerations in the implementation of a blockchain-based solution could safeguard the privacy of individuals, even though erasure of the blockchained data is at ends with the core philosophical tenets of the blockchain.
While many RegTech solutions aim at facilitating global compliance, this first reflection on the compatibility of blockchain and GDPR, two key buzzwords of 2018, is welcome and should initiate a concerted discussion among the European stakeholders in the coming months.