Blockchain is seen as the new application in a wide variety of fields. It could be a solution to many existing problems and can provide new insights regarding approaches to existing processes. It puts money transactions, logistics and fraud prevention in a new light, and even climate change could be solved using the blockchain.
The blockchain is a public database that can be used to capture and distribute data to a large number of parties to whom the data is visible. Because a transaction occurs only when it meets the rules required by a party and the transaction can be validated by technology, transactions can be closed without human intervention. Or, as in the case of cryptocurrency, without the intervention of a traditional bank. The transaction data captured in the chain can always be accessed and will not disappear. This makes the blockchain a popular application for transactions: it is a transparent method and appears to be impossible or difficult to manipulate.
When a blockchain contains personal data, the AVG applies. The data brought into the blockchain will never disappear from it. In doing so, the data is also not editable. Therefore, the power of the blockchain, namely an unbreakable and verifiable chain that cannot be manipulated, might well violate the AVG when personal data is brought into the blockchain.
CNIL, the French regulator, released an article on Nov. 6 on blockchain in relation to personal data[1]. In it, it presents concrete solutions for parties wishing to use blockchain as part of their data processing.
Blockchain is irreversible and thus lends itself perfectly to demonstrating, for example, consent. In doing so, it can provide insight into and record processing of personal data. It thus lends itself perfectly to the development of solutions that can demonstrate consent or keep a processing log.
Furthermore, one can think of recording the incident register and version management of cookie and privacy statements. With the help of the latter, it can always be demonstrated and verified which version of the statement the consumer has agreed to. This would be a good mechanism for the regulator, among others, but also for the accountant.
However, there are areas of blockchain technology that require additional attention. Consider international data transfer. A blockchain is not location-specific, making it extra difficult to limit the blockchain to transfer within the EU or to make additional arrangements. A second difficulty may lie in the "right to be forgotten. It is not possible to delete personal data from the blockchain. This right cannot possibly be invoked by a data subject.
The CNIL therefore indicates that any party wishing to use blockchain technology for processing should apply privacy by design. It should consider whether the blockchain application is necessary, or whether another, less intrusive solution may be available. This should also include what type of blockchain is being used: a public blockchain has a greater impact on the protection of personal data than a private blockchain[2]. Whether blockchain technology violates the AVG is entirely determined by the potential risks to the rights and freedoms of the individual. And thus depends on several factors such as the type of blockchain being used, what data is being stored and which parties can all access it. The general note the CNIL makes is that it is important not to store personal data in "clear text" on a blockchain.
The moment personal data is put on the (public) blockchain, it seems to be in violation of the AVG from that moment on. This is because certain rights the data subject has under the AVG cannot be fulfilled. Because data on the blockchain cannot be changed, invoking the right to rectification is precluded. At least, not without the previous data disappearing. Because the data on the blockchain cannot be deleted, an appeal the right to oblivion also becomes a moot point.
However, depending on the application of the blockchain, this technology can also be used for accountability purposes. The technology can be used to track incidents, accurate version control of privacy and cookie statements, demonstrating consent and so on, and there are more applications where you can use the blockchain for compliance purposes without processing personal data on the blockchain.
[1] CNIL. (2018). The blockchain in the context of personal data. Accessed from https://www.cnil.fr/en/blockchain-and-gdpr-solutions-responsible-use-blockchain-context-personal-data
[2] A third variant of the blockchain is the permissioned blockchain. In a permissioned blockchain, rules are defined regarding who is allowed to participate in the validation process, who is allowed to record transactions, etc.
This article can also be found in the AVG file
