Is the blockchain GDPR compliant?
For a little less than a week, the data protection regulation or GDPR has been in force. This regulation will influence all sectors of activity as well as the various strategies of companies using data. Will this regulation, which is a logical continuation of the 1978 Data Protection Act, impact new technologies? New technologies like blockchain, which wants to be non-conformist, will they have to apply this regulation? The blockchain, which has the principle of restoring confidence in a system through data security and fewer intermediaries, meets Iraq Email List certain requirements of the GDPR. However, despite data security, the GDPR will lead to changes in the use of the blockchain. We can therefore ask ourselves whether the blockchain should respond to the GDPR or not? We will see and compare the point of view between advocates of GDPR and those of blockchain.
The latter judging the text of the CNIL as not revealing the reality around the blockchain. What the CNIL says about blockchain compliance with the GDPR The CNIL’s digital innovation laboratory clearly posed the question of the link between blockchain and GDPR. He distinguishes two types of blockchain: a public and a private. The CNIL mentions the fact that the blockchain must comply with the RGPD. Indeed, the data of a blockchain is not anonymous. She uses a pseudonym. Therefore rights and obligations must apply . This situation turns to the public side of the blockchain where all third parties would be able to know the conformations. Therefore, if a person is not on this network then he will not be able to control the processing of data.
The public space of the blockchain must submit to regulations
In order to ensure additional protection. Although the information is encrypted these being pseudonyms make the GDPR applicable. However, this does not apply to a private blockchain because they go against the principle of blockchain. In short, what the CNIL recommends is that the non-public blockchain consists of an administrator. The task of this administrator will be the same as that of a DPO (Data Protection Officer) in a company. Which part of the blockchain is affected by the GDPR Blockchain partner takes the opposite view of this regulation by evoking several points which show that the two are not incompatible: The blockchain can contain personal data but the blockchain cannot be considered as processing Blockchain is a technology that preserves the confidentiality and security of data.
Consequently, the blockchain is no longer based on the massive collection of personal data. Only third parties responsible for validating the blocks are affected by the GDPR, in particular the right to erasure. In addition, blockchain partner claims that blockchain players are not responsible for processing data. It invokes the principle of responsibility that the RGPD defines as being: The natural or legal person, the service or other bodies which, alone or jointly with others, determine the purposes and means of the processing. Therefore, the blockchain is not subject to the GDPR because it is not a service but a protocol . That is to say a computer language allowing machines to communicate with each other.
Therefore, the question of the RGPD linked with the blockchain as such is called into question
The blockchain obviously contains personal data but its processing is not carried out by this technology. Therefore the GDPR applies to the third party of the blockchain. Therefore, the debate on whether the blockchain should comply with the GDPR continues. The blockchain ensuring the security of data whether in the public or private domain must be transformed? Will the blockchain have to submit to the obligation of an administrator ensuring compliance with the GDPR? If you liked this article, check out our white paper on the legal aspects of lead generation.
The regulation also devotes its entire chapter 5 to data transfers outside the European Union. Article 44 states that such a transfer may be carried out by the controller and the processor to a third country or an international organization if the level of data protection is not impeded. The only condition for the transfer to take place legally is that it does not compromise the protection of the data. From now on, four situations are clearly stated: Transfer based on an adequacy decision (article 45) Then, the transfer with appropriate guarantees (article 46) But also, the transfer being carried out via internal company rules (article 47) Finally, the transfer taking place by virtue of a court decision (article 48) Article 49 of the Regulation also provides for other possible exemptions.