
French GDPR blockchain guidance useful for UK businesses

Out-Law News | 13 May 2020 | 2:11 pm

Blockchain users in the UK can refer to "well written and useful" guidance developed in France to help them comply with data protection laws, the UK's data protection authority has told Out-Law by Pinsent Masons.

The Information Commissioner's Office (ICO) said that while it does not formally endorse "other regulators’ guidance", it has no plans to publish guidance of its own specific to the use of blockchain and data protection law "in the near future", and described the guidance developed by CNIL, the French data protection authority, as "useful to people working in this field".

The CNIL guidance, which seeks to ensure the use of blockchain technology complies with the General Data Protection Regulation (GDPR), has been translated into English by the French authority.

Data protection law expert Rif Kapadi of Pinsent Masons, the law firm behind Out-Law, said: "While the ICO has not formally endorsed the CNIL's blockchain guidance, it is clear that it is an authoritative document and resource that many different organisations exploring how to use blockchain technology will find useful for addressing issues of data protection compliance. The guidance provides a welcome steer and analysis of how central GDPR requirements apply to blockchain development, including in respect of core compliance governance questions. It also flags the main pitfalls facing businesses using blockchain where personal data is involved."

Annabelle Richard and Pauline Binelli of Pinsent Masons in Paris previously explained that the CNIL's guidance on blockchain had been prompted by requests from a number of organisations, including health bodies and financial institutions.

Not all blockchain projects will involve the processing of personal data, but for those that do the CNIL has advocated the principle of 'privacy by design' to help address data protection risks.

Businesses using blockchain must identify who is the data controller, provide for the various rights of data subjects, establish appropriate safeguards around processing and meet their obligations on data security, the CNIL said. It warned that implementing GDPR obligations related to sub-contracting and the rules governing international transfers of personal data requires particular vigilance, especially where a public blockchain is in use.