Blockchain and the European Union General Data Protection Regulation: The CNIL's Perspective

Abstract

The Commission Nationale Informatique et Libertes (CNIL), has published “Blockchain: Premiers elements d’analyse de la CNIL”, a document on blockchain and the European Union General Data Protection Regulation (GDPR). This document was released by the French Data Protection Authority (DPA) as a working policy paper and offers an overview of its initial reflection on the Blockchain technology and its compliance with the GDPR. The CNIL notes the GDPR has been created to regulate data use, rather than any particular form of technology. As such, and without surprise to anyone familiar with privacy law, the CNIL states the GDPR applies to the use of blockchain in any instance where personal data is handled. However, this working paper is a very raw analysis. In our opinion, the document raises more questions than it answers – and highlights some legal uncertainty with respect to the qualifications of different actors on a blockchain under the GDPR taxonomy. In several areas, the CNIL highlights that more reflection is needed on its end, and that this reflection needs to be undertaken at the European level.