Uncertainty regarding the compatibility of blockchain technology and the European Union’s General Data Protection Regulation (GDPR) has often been highlighted as a potential obstacle to the development and widespread implementation of blockchain systems involving personal data.

To address tensions between blockchain technology and the GDPR, Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection regulator, published an initial report analyzing certain fundamental questions regarding the interaction between blockchain technology and the GDPR’s requirements (the “Report”). The Report was the first guidance issued by a European data protection regulator on this topic.

CNIL’s Approach to Identifying Blockchain Data Controllers and Data Processors

The Report highlights the challenges of identifying data controllers and data processors in the blockchain context – an important distinction that determines which set of regulatory obligations applies.

In discussing the likely classification of the various types of persons and entities involved in a blockchain, the CNIL primarily distinguished between (i) participants (i.e., those who transact on the blockchain) that have the ability to determine what data will be entered into a blockchain or have permission to write on it or cause data to be written to it, and (ii) miners or other validators (i.e., those who do not transact and instead validate transactions submitted by participants). The CNIL also provided an analysis as to how to classify smart contract developers and natural persons who enter personal data in a blockchain, distinguishing, with respect to the latter, between those engaging in personal or household activities and those engaging in professional or commercial activities.

While there has been a great deal of attention being paid lately to the use of blockchain for the issuance and investment (or speculation) in cryptocurrencies, other enterprise-based applications of blockchain continue to be deployed with increasing frequency but less fanfare.

One of the more recent deployments of blockchain – viewed as a milestone in the world of supply chain logistics – is based on Easy Trading Connect (“ETC”), a blockchain-based system developed by a consortium of companies led by Dutch financial institution ING. The system was initially designed to manage commodity trading funds transactions. The most recent transaction, involving a shipment of soybean cargo, is believed to be the first agricultural commodity sale processed completely “on chain” (e.g., on a blockchain-based system). The ETC was used to process all steps of the transaction, and reportedly no paper contracts, certificates or other similar documents changed hands. According to ING, the system reduced what is traditionally a process of 11-14 days to only four days.

This is not the first deployment of ETC – in 2017, it was used to handle the sale of an oil consignment. The shipment at issue was resold three times through the system before it actually left its departure point. The banks involved reportedly reduced the cost typically associated with these types of transactions by thirty percent.

The Colorado Senate is considering a bill to utilize blockchain or other distributed ledger technology for a variety of purposes, including to improve the state government’s operations and cybersecurity.

Senate Bill 18-086 (which was introduced on January 16, 2018) focuses on exploring a number of “transformative improvements” that distributed ledger technologies can offer to state governments, including reducing fraud in state-controlled programs, mitigating risk through improved risk evaluation and quantification, and enhancing cybersecurity and protection of personal information.