
GDPR and blockchain

Céline Autreux-Steinberg
8 Feb 2023 · 11 min

Introduction

Blockchain is undoubtedly the technology for data storage and traceability. While it is still not widely accepted, most people outside the Blockchain ecosystem have started to understand this.

Blockchain technology acts like a decentralised database shared simultaneously with all its users, without depending on a central authority for access. Any data uploaded and stored on a blockchain (e.g. Arweave) cannot be modified, tampered with or "revoked" without it being visible to all. A real breakthrough technology!

However, when one uses the term "data" within the context of data storage, what quickly comes to mind, particularly among Europeans, is the General Data Protection Regulation (GDPR). And the resulting question is: does GDPR apply to blockchain technology?

The answer given by the French Commission Nationale de l'Informatique et des Libertés (CNIL – French Data Protection Agency) in 2018 on this subject is clear: "when a blockchain contains personal data, GDPR is applicable".

What exactly is meant by personal data in the sense of GDPR? CNIL specifies that it is, "any information concerning an identified or identifiable natural person". The blockchain is therefore not, in itself, a data processor with a purpose in its own right, but a technology that can be used in support of different data processing. And this is where GDPR applies.

But are the very philosophy and operating principles of a blockchain compatible with GDPR? The answer is not so obvious and deserves to be considered for a moment.

Innovation and the protection of fundamental rights of individuals are not, in our opinion, contradictory objectives. Indeed, GDPR does not aim to regulate technologies as such, but rather the way actors use these technologies in a context involving personal data.

So a blockchain storing data can satisfy many of the rules set out in GDPR.

Even though cryptographic processes predate the publication of the data protection rules, major technological developments in protecting privacy are taking place now. Through advanced encryption, web3 developers can implement GDPR compliant solutions. Web3 is still in its nascent phase and will come to understand the spirit and the details of data protection rules over time.

The architecture and technological characteristics of each blockchain are unique. The consequences for the way personal data is stored and processed in light of GDPR may vary from one blockchain to another. It is, therefore, necessary to carry out a case-by-case analysis.

The applications built on the Arweave blockchain show great promise in terms of data protection by their design and the control offered to users. We will further develop how an application such as Akord and the Arweave blockchain can address GDPR compatibility issues.

Some useful concepts

The objectives of GDPR are to protect, on the territory of the European Union, people whose personal data is processed, and to reinforce the responsibility of those processing this data.

Any private or public company, regardless of the technology it uses, that processes personal data of European citizens must comply with certain obligations, which are based on 5 major principles.

  • Inform data subjects so that they can give their consent to the collection and processing of their personal data.

  • Use data in a transparent and relevant way with regard to its collection and processing.

  • Give data subjects access to their data so that they can consult, modify, and delete it at any time.

  • Control and limit the sharing and circulation of data.

  • Secure personal data both electronically and physically.

Understanding whether we are processing personal data is therefore key to understanding whether GDPR applies to activities carried out on a blockchain.

After the previous section, you will understand more easily that the intention of the legislator is to give back the control of personal data to its owner and to limit, or at least to frame the use and the processing by the professionals who can have access to it.

What is personal data? What is personal data on a blockchain?

According to CNIL, personal data is "any information concerning an identified or identifiable natural person". Generally, an individual can be identified by a name, an address, a number, but this can also include other identifiers such as an IP address, a cookie identifier or similar identifying metadata collected by a website or an application.

Even if a person cannot be strictly identified from the information processed, that person may still be deemed identifiable. Therefore, only information that is truly anonymous (i.e. "such a manner that the data subject is not or no longer identifiable") or not "about" the person is not covered by GDPR.

On a blockchain, the personal data processed can be quite basic, for example a pseudonym, a bank account number, the public address of a wallet or a signature, or much more complex, such as the transfer of financial or insurance assets or the "hash" of patients' medical data.

Once processing of personal data is established on a blockchain, GDPR analysis applies: identification of the data controller, enforcement of rights, implementation of appropriate safeguards, security obligations, etc.

Who are the main actors involved in a blockchain?

Data protection originated in the management of centralised data within specific entities. For blockchain technology, the decentralised governance of data and the multiplicity of actors involved in the processing of data make it considerably more difficult to define the role of each actor.

Three types of actors can be identified:

  • The "accessors", who have the right to read and hold a copy of the chain;

  • The "participants", who have the right to make entries, i.e., to carry out a transaction for which they request validation;

  • The "miners", who validate a transaction and create blocks by applying the rules of the blockchain to have them "accepted" by the community.

Which actor acts as the data controller in a blockchain?

According to CNIL, a controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".

CNIL has clarified that participants, who have the right to write on the blockchain and who decide to send data for validation by miners, can be considered as data controllers. Indeed, the participants in the blockchain must define the purposes (objectives pursued by the processing) and the means (data format, use of blockchain technology, etc.) of the processing.

More specifically, CNIL considers that the participant may be qualified as a data controller,

  • "when said participant is a natural person and the processing is related to a professional or commercial activity (i.e., when the activity is not strictly personal);

  • when the said participant is a legal person that registers personal data in the blockchain".

On the other hand, miners are not considered as data controllers, since they only validate the transactions submitted by participants and are not involved in the purpose of these transactions.

The Arweave blockchain and the applications that work on the Arweave blockchain are very promising in terms of data protection by their design and the control offered to users. The Akord protocol and application is a good example.

Arweave, Akord, and GDPR compliance

Arweave

Arweave is a new blockchain protocol that creates, for the first time, truly permanent serverless data storage. This technology is still largely reserved for more tech-savvy users who are comfortable with the various technical processes required to use it.

From a GDPR standpoint, Arweave's technical documentation provides a transaction format (ANS-106) that lets people tell miners not to store certain data on grounds of privacy, regulation, copyright, etc.

Privacy and private data processing are very much at the heart of Arweave's business. As its CEO, Sam Williams, stated in an interview in 2022:

It's the node's responsibility, both morally and legally, to abide by the laws of their land, and the network allows them to do that.

~ Sam Williams, speaking at Arweave in Asia 2022

Akord

Akord is a protocol developed by Zero Knowledge Collective. The protocol offers a digital storage space on the Arweave blockchain and a means for its users to publish their digital files to the Permaweb.

One of the main objectives of the Akord application is to democratise the use of the Arweave blockchain, giving back control of the data fully owned by its users. The app offers digital vaults with a simple UX making Arweave accessible to a broad range of users.

This digital vault service can be qualified as automated processing of personal data, insofar as its management is based on computerised operations and the content of this storage space is, by nature and depending on the case, linked to an identifiable natural person (the user).

In the following sections, we will discuss how Akord meets the various GDPR requirements.

How does the Akord app move closer to full GDPR compliance?

After this brief overview of GDPR as applied to blockchain technology, the following sections focus on the Akord protocol. They provide examples of how Akord minimises the risks of processing personal data on the Arweave blockchain and thus meets the GDPR requirements.

Regarding recipients

Unlike the data stored in public vaults, the documents imported into the encrypted vaults can only be consulted by the user concerned and the persons he or she has specially authorised and invited into the vault (who are themselves subject to an authentication mechanism).

In practice, the data is encrypted with a key, controlled only by the user, and protected by cryptographic mechanisms making it incomprehensible to unauthorised third parties. The transfer of data on the blockchain is protected by advanced cryptography.

Processed data

In its capacity as provider of the digital vault service, Akord is required to process data enabling users to be identified with certainty and the associated data necessary for the operation of its service.

As soon as Akord defines the means and purposes for the implementation of these two processing operations (cryptographic commitment, encrypted key in particular), it assumes the role of data controller and is therefore subject to the obligations of GDPR.

Access to the encrypted digital vaults is strictly limited to the user, and it is therefore technically impossible for Akord to determine in advance the nature of the documents that a user will decide to store in his or her private space. Furthermore, Akord is not technically capable of accessing the contents of a vault, nor its possible backups.

Data stored by users in their encrypted vaults are in principle excluded from the scope of GDPR (and they are not processed by Akord). The same applies to the automatic retrieval of digital documents, because these documents are not used by Akord but only entered into a digital vault.

Retention period

GDPR imposes, in principle, a maximum retention period for personal data which varies according to the purpose of the data processing.

Akord commonly processes the following two categories of data via its application.

  • Participants' identifiers
    Each participant has an identifier composed of a sequence of alphanumeric characters that appear to be random and that constitute the public key of the participant's account. This public key relates to a private key that only the participant knows.

    The very architecture of a blockchain requires that the identifiers be visible at all times, as they are essential to its proper functioning.

    In this particular case, the CNIL accepts that it is not possible to reduce the retention period further and that their retention periods can be aligned with the life of the blockchain. As the blockchain is a "Permaweb", we can therefore conclude that the identifiers of the users, i.e., the participants, can be validly kept for the entire duration of the Akord application.

  • Additional data
    In addition to the participants' identifiers, the additional data stored on the blockchain may contain personal data, potentially relating to persons other than the participants.

    In this case, the CNIL recommends that the personal data be recorded in the blockchain in the form of a cryptographic commitment. This technical option has obviously been implemented on the Akord application for encrypted vaults.

Informing individuals

In accordance with GDPR, the persons concerned by the processing of personal data must be informed, in particular, of the identity of the person responsible for the service, the purpose of the processing, the recipients of the data, any transfers of data to a country outside the European Union, as well as the existence of and procedures for exercising the rights of access, rectification and opposition.

Akord complies with all these requirements. All this information can be consulted directly on its website, under the section Privacy policy.

Akord, in its capacity as a provider of access to digital storage spaces, has developed technical solutions enabling it to offer its services without collecting confidential information, with the exception of data relating to the identification and connection of its users.

Users of digital vaults are clearly informed of the type of space available to them (encrypted and public vaults) and of the consequences of using each. The choice of public vaults can considerably degrade the protection of individuals' data within the meaning of GDPR. Also in the interest of transparency, Akord requires the prior consent of the user as a necessary precondition for creating a public vault.

The right of access and right to data portability

Upon simple request to the dedicated email address, any data subject may request access to the data concerning him/her.

With regard to the right to data portability, Akord will release an app deployed directly on Arweave, Akord explorer, enabling users to independently access and retrieve all data from all digital vaults in a simple manner, regardless of whether the operating company that builds and maintains the application exists or not. This guarantees and facilitates, perpetually, the right of our users to change services if they so wish.

The right to erasure (“right to be forgotten”) or right to object

To date, as far as public blockchains are concerned, it is technically impossible to delete data in clear text, unless miners theoretically decide to remove data from Arweave by applying the ANS-106 option mentioned above.

In order to protect its users' personal data as much as possible, Akord leaves them the choice of how to store their data:

  • The public vault comes into play in the case of data written in clear text or hashed on the Arweave blockchain. As mentioned above, specific information has been put in place to make users aware of the consequences of this choice and the vulnerability of the protection of the data that could be published there.

  • The private vault, which is much more protective since no personal data is written in clear text on the Arweave blockchain, and which also uses a cryptographic process.

When a user wishes to delete one of the documents from their vault, this request is immediately taken into account with the "revocation" option offered by the application. As mentioned above, a document cannot be technically and effectively deleted from the Arweave blockchain unless this is expressly requested under the ANS-106 option.

However, the cryptographic processes chosen by Akord make it possible to cut off the accessibility of the evidence recorded on the blockchain, by making it difficult or impossible to recover. Indeed, the mathematical properties of certain cryptographic commitments chosen by Akord can guarantee that once the elements allowing its verification are removed, it will no longer be possible to prove or verify which information was committed. The commitment itself then no longer presents any risk in terms of confidentiality. Another option for Akord would be to remove the secret key of the hash function, which would have a similar effect.
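
The effect described above, as an added illustration in Python (not Akord's code; the page does not specify Akord's commitment scheme, so a keyed HMAC-SHA256 commitment is assumed, and `OffChainKeys`, the record id and the sample record are hypothetical). It contrasts an unkeyed hash, against which an observer can confirm a guessed value, with a keyed commitment that can no longer be verified once its key is erased.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

def plain_hash(data: bytes) -> str:
    """Unkeyed hash: anyone holding a candidate value can test it."""
    return hashlib.sha256(data).hexdigest()

def commit(data: bytes) -> Tuple[str, bytes]:
    """Keyed commitment (assumed HMAC-SHA256): (public value, secret key)."""
    key = secrets.token_bytes(32)  # kept off-chain, never published
    return hmac.new(key, data, hashlib.sha256).hexdigest(), key

def verify(commitment: str, key: bytes, data: bytes) -> bool:
    """True if `data` is what was committed under `key`."""
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, commitment)

def confirmable_guesses(public_hash: str, guesses: List[bytes]) -> List[bytes]:
    """Guesses an observer can confirm against an unkeyed on-chain hash."""
    return [g for g in guesses if plain_hash(g) == public_hash]

class OffChainKeys:
    """Hypothetical off-chain key store, one opening key per record id."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def put(self, record_id: str, key: bytes) -> None:
        self._keys[record_id] = key

    def get(self, record_id: str) -> Optional[bytes]:
        return self._keys.get(record_id)

    def erase(self, record_id: str) -> bool:
        """Handle an erasure request by destroying the opening key."""
        return self._keys.pop(record_id, None) is not None

def demo() -> Dict[str, bool]:
    record = b"patient=Jane Doe;blood_type=AB-"  # constructed sample record
    guesses = [b"patient=Jane Doe;blood_type=" + t for t in (b"A+", b"O-", b"AB-")]
    on_chain_hash = plain_hash(record)           # what a hashed public entry exposes
    on_chain_commitment, key = commit(record)    # what a keyed commitment exposes
    store = OffChainKeys()
    store.put("rec-1", key)
    before = verify(on_chain_commitment, store.get("rec-1"), record)
    erased = store.erase("rec-1")
    return {
        "plain_hash_confirms_guess": record in confirmable_guesses(on_chain_hash, guesses),
        "verifiable_before_erasure": before,
        "key_erased": erased and store.get("rec-1") is None,
        # Without the original key, even the correct record does not verify.
        "fresh_key_verifies": verify(on_chain_commitment, secrets.token_bytes(32), record),
    }

if __name__ == "__main__":
    print(demo())
```

The erasure only holds if every copy of the opening key is destroyed, backups included.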

The right to rectification

As mentioned above, any data entered on a blockchain cannot technically be changed once the block is accepted by the majority of participants.

However, if a user requested a change, the lack of possibility to modify the data entered in a block will most likely lead Akord to enter the updated data in a new block. This is because a subsequent transaction can always cancel the first transaction, even though the first transaction will still appear in the chain. The same solutions as in the case of a request to delete personal data could be applied to the erroneous data if it is to be deleted.

Unlike other blockchains, the Arweave standard (ANS-106) gives users the ability to request non-storage of certain data (for privacy, regulatory, copyright reasons, etc.). This strengthens the data rights of our users, who can rely on Akord for the technical support needed to follow this path (not provided at this stage unfortunately, but we are working on it!).

Through this article, we hope to have proven Akord's commitment to permanently guarantee the security and protection of its users' data, in accordance with the CNIL recommendations, and to make every effort to ensure its compliance with GDPR in a changing technological context favouring decentralisation.


Footnote

1. The transfer of data outside the EU is deliberately not addressed in this article and will be the subject of a separate article.

Sources

Blockchain: Solutions for a responsible use of the blockchain in the context of personal data – CNIL- September 2018

Premiers éléments d’analyse de la CNIL – September 2018

LexisNexis N° 4548 – Protéger les données personnelles dans des projets blockchain - smart contracts. RGPD - December 2, 2021 - written by Nicolas Goossaert-Krupka

Délibération n° 2013-270 dated September 13, 2013 – CNIL recommendation on "services dits de coffre-fort numérique ou électronique destinés aux particuliers"

Blockchain and the General Data Protection Regulation Can distributed ledgers be squared with European data protection law? - EPRS | European Parliamentary Research Service – July 2019
