French data protection authority issues a guideline on blockchain and GDPR

Commission Nationale de l’informatique et des Libertés (CNIL), the data protection regulatory body in France, issued a guideline on how blockchain should interact with the EU General Data Protection Regulation (GDPR), which was introduced earlier this year across EU member states. France is the second country, after Hungary, to issue such a document, joining forces with others in GDPR compliance. The document is looking to offer guidance for data controllers, and data processors.

The CNIL defines blockchain as the following:

  • Transparency: all participants can view all the data entered;

  • Sharing and decentralization: several copies of the blockchain exist simultaneously on different computers;

  • Irreversibility: once data is entered, it cannot be modified or deleted;

  • Disintermediation: any decision is made by consensus between the participants, without a centralized body.

CNIL suggests that a person who puts their personal data on a blockchain is a data controller. Unlike other legislation referring to deleting personal files if needed, granted by the GDPR, CNIL takes a lighter approach, admitting that there might be cryptographic techniques that can render the personal data practically inaccessible and close to deleting it.

You can read more from the original document here [French].