Blockchain is THE technology of the future for data processing, storage and traceability. This solution is increasingly used by stakeholders in finance, the insurance sector, law, etc.
But what about blockchain when processing personal data? Is it compliant with the General Data Protection Regulation (GDPR)? Is personal data stored in blockchain safe and protected, and what is the CNIL’s (French National Commission on Informatics and Liberty) stance on blockchain privacy? This article explains everything you need to know, and how BCdiploma, the blockchain solution for badges, certifications, and digital diplomas, enables institutions to meet all their GDPR-related obligations.
Defining blockchain and the GDPR
What exactly is blockchain?
Blockchain is a secure and transparent technology for storing and transmitting information. Data, together with every change and manipulation applied to it, is stored in a ledger that anyone can verify and that cannot be falsified.
Blockchain is a great solution for:
- Disintermediation of data: for instance, it allows transactions to be carried out without an intermediary such as a bank;
- Data security: no data input on the blockchain can be modified, falsified or deleted;
- Verifiability: any change made appears on the blockchain and is visible to all. Ultimate transparency is the main strength of blockchain technology.
Multiple stakeholders are involved when using blockchain to process data:
- Participants: they can add information to the blockchain ledger;
- Miners: they check that participants comply with the protocol when adding new data or modifying information stored on the ledger;
- All other members of the network: they oversee all data and changes carried out on the blockchain.
What is the GDPR?
The GDPR is the General Data Protection Regulation. It is an EU regulation in force since 2018, which complements the French Data Protection Act (1978 “Loi Informatique et Libertés”), which regulates the use of computers for data processing.
The GDPR aims to:
- Protect people whose personal data is processed, and help them regain control over their information: it lists a set of rights that everyone has over their personal data;
- Make companies that process personal data responsible for protecting users’ privacy.
According to the CNIL, personal data is defined as “any information relating to an identified or identifiable individual”. This relates to any data that allows direct (last name, first name) or indirect (telephone number, address, customer number) identification of an individual.
The processing of personal data covers any operation carried out for commercial or professional purposes that relies on the collection, recording, use or dissemination of personal data.
The purpose of the GDPR is to provide a legal framework for the processing of data by any public or private organization based in Europe or whose customers reside in the European Union. It also applies to these organizations’ subcontractors.
The CNIL is the independent supervisory authority responsible for ensuring proper implementation of the French Data Protection Act and compliance with the GDPR in France.
Blockchain and the GDPR: when are they compatible?
In what cases is blockchain used to process personal data?
Blockchain is subject to the GDPR when the data stored contains personal information.
Here are examples of the use of personal data by the blockchain:
- The transfer of financial assets, pension funds, insurance;
- Patient medical data hashes for blockchains in the health sector;
- Traceability of samples in scientific research;
- Academic or training data, for instance for the issuance of digital badges, certificates, micro-certifications, or digital diplomas.
The GDPR must be complied with in these cases, as well as for any transaction where personal data is recorded on the blockchain.
Which GDPR rights are compatible with blockchain?
In its analysis, the CNIL indicates that the responsibility for complying with the GDPR lies with the processing operator that sets up a service using blockchain. In this respect, it goes on to provide a set of recommendations and cites use cases, such as diplomas and credentials.
Several use cases are already well documented and comply with GDPR requirements, such as the one set up by BCdiploma for credentials certified using blockchain.
Which GDPR rights are at risk?
However, like any technology, blockchain has limitations and might not be suitable for all uses. For instance, the “right to be forgotten” (or “right to erasure”) is at the heart of the GDPR and blockchain debate:
“At first glance, blockchain and the right to be forgotten don’t appear to be compatible. Inalterability and decentralization not only imply that the register is indelible, but also that it is shared among all users who have recorded copies. If a person were to exercise their right to be forgotten, they would therefore be expected to go against blockchain’s principle of inalterability, and their right to be forgotten could only be ensured if each user individually deleted the desired encrypted data from their ledger”, as explained by legal expert Aurélie Bayle in her article “Peut-on concrètement espérer l’exercice d’un droit à l’oubli sur la blockchain et se conformer aux principes dégagés par le RGPD ?” (Is blockchain compatible with the “right to be forgotten” and can it comply with the requirements set out in the GDPR?)
CNIL’s Opinion: What Solutions for a Responsible Use of Personal Data by the Blockchain?
Where the CNIL stands: how can we ensure responsible use of personal data stored on blockchain?
In September 2018, the CNIL published its initial analysis concerning the compatibility of the blockchain with the GDPR. It also examined the following questions:
Who is responsible for processing data on the blockchain?
To comply with the GDPR, a data controller must be appointed to demonstrate that data operations do indeed respect users’ privacy rights.
According to the CNIL, in the case of blockchain, only participants are considered to be data controllers, as they are the ones deciding to use the blockchain to process data, whatever the intended purpose.
A data controller is defined as any person or structure that:
- processes data in the course of a professional activity rather than for purely personal purposes (e.g. a doctor or an attorney);
- is a legally established entity (e.g. banks).
On the other hand, miners who validate transactions on the blockchain are not considered data controllers. Where the participant is a group of several individuals, the CNIL recommends that a legal entity or a natural person be designated as data controller.
What solution can be implemented to protect personal data processed by blockchain while complying with the GDPR’s requirements?
The CNIL provides guidelines on how to ensure the processing of personal data complies with the GDPR:
- Think upstream of data processing: is it necessary to store the data on a public blockchain? In what format?
- Encrypt the personal data written on the blockchain, especially for public ledgers that can be consulted by anyone;
- Regarding the “right to be forgotten”: destroy the encryption key so that the data is no longer decipherable and thus permanently inaccessible.
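The last two guidelines together describe crypto-shredding: only ciphertext is written to the immutable ledger, the per-record key is held off-chain by the data controller, and erasure means destroying that key. The following Go program is an added illustration of that pattern (not BCdiploma's patented method, whose details the article does not give); the ledger, key store and record IDs are constructed stand-ins, and AES-256-GCM from the Go standard library is the assumed cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrErased: the record's key was destroyed, so its ciphertext can no longer be read.
var ErrErased = errors.New("record erased: decryption key destroyed")
// Entry is all that goes on-chain (ID, nonce, AES-GCM ciphertext, never plaintext);
// Ledger stands in for the chain: entries can be appended, never changed or removed.
type Entry struct{ ID string; Nonce, Ciphertext []byte }
type Ledger struct{ entries []Entry }
func (l *Ledger) Append(e Entry) int { l.entries = append(l.entries, e); return len(l.entries) - 1 }
func (l *Ledger) At(i int) Entry     { return l.entries[i] }
func (l *Ledger) Len() int           { return len(l.entries) }
// KeyStore is the controller's off-chain map of record ID -> per-record key (constructed stand-in).
type KeyStore map[string][]byte

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Issue encrypts personal data under a fresh 256-bit key and writes only the ciphertext on-chain;
// the key stays off-chain, and the record ID is bound as associated data so the ciphertext cannot be re-attached elsewhere.
func Issue(l *Ledger, ks KeyStore, id string, personal []byte) (int, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // 12 bytes is GCM's standard nonce size
	if _, err := rand.Read(key); err != nil { return 0, err }
	if _, err := rand.Read(nonce); err != nil { return 0, err }
	gcm, err := newGCM(key)
	if err != nil { return 0, err }
	ks[id] = key
	return l.Append(Entry{ID: id, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, personal, []byte(id))}), nil
}

// Read decrypts a ledger entry; once its key is gone it returns ErrErased.
func Read(l *Ledger, ks KeyStore, idx int) ([]byte, error) {
	e := l.At(idx)
	key, ok := ks[e.ID]
	if !ok { return nil, ErrErased }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.ID))
}

// Erase is the right-to-erasure step: the chain is untouched, only the key is destroyed.
func Erase(ks KeyStore, id string) { delete(ks, id) }
```

Note that the ciphertext remains on every node's copy of the ledger after erasure; the guarantee rests entirely on the key being gone for good, so the off-chain key store (and its backups) is where a GDPR review should focus.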
BCdiploma, a GDPR-compliant solution
BCdiploma has created the very first secure, verifiable and forgery-proof digital credentials using blockchain technology, and demonstrates a robust approach that enables educational institutions using the service to comply with the GDPR.
Students can display their certificates, diplomas, certifications or open badges on any digital platform (LinkedIn, resumes) and share them with recruiters through a URL.
To comply with the CNIL's approach, BCdiploma has patented a cryptographic method that allows the right to be forgotten to be managed. With more than 200 successful deployments, BCdiploma has developed the expertise to support institutions in implementing the GDPR while deploying the solution. The University of Lille's work on this issue is documented in its 2024 White Paper.
Learn more
Practice guide for the security of personal data: 2024 edition