How has the suspension of Worldchain activities impacted the blockchain and crypto industry?

The recent suspensions of Worldcoin’s activities in Spain and Portugal by their respective data regulators due to GDPR investigations have shone a light on the privacy capabilities of blockchain-based technologies, and the privacy practices of organisations leveraging those technologies. 

We consider the recommendations issued by French data regulator CNIL in 2018 on blockchain-tech entities compliance with GDPR, outline the concerns raised by Spanish, Portuguese, and UK data regulators about Worldcoin’s compliance with GDPR, and align the concerns identified with CNIL’s warnings and recommendations from 2018. 

We also consider the GDPR, and privacy recommendations issued by other stakeholders, outline what’s next for Worldcoin. 

CNIL’s 2018 Recommendations

The French Data Regulator (CNIL) issued guidance in 2018 on “Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data” which distinguishes between the various actors that interact with blockchains as follows:

• “accessors”, who have the right to read and hold a copy of the chain;
• “participants” who have the right to make entries (i.e., make a transaction for which they request validation);
• “miners” who validate a transaction and create blocks by applying blockchain rules for “acceptance” by the community.

The CNIL recognises that no two blockchain platforms are necessarily the same, and each must be viewed separately.  Each protocol must consider how its own architecture and characteristics affect how personal data is stored and processed, and the impact on individual rights, i.e., individuals’ rights to privacy and personal data protection.  They state that “innovation and the protection of individuals’ fundamental rights are not two conflicting goals. In fact, the GDPR does not aim at regulating technologies per se but regulates how actors use these technologies in a context involving personal data.”

They believe that blockchains contain two categories of personal data:

• participants’ and miners’ identifiers: each participant/miner has a public key, ensuring identification of the issuer and receiver of a transaction;
• additional data contained “within” a transaction (e.g.: diploma, property deed). If such data concerns natural persons, possibly other than the participants, who may be directly or indirectly identified, such data is considered personal data.

They stress that blockchain protocols must “concretely assess the real necessity to use blockchain technology in light of the objectives and characteristics of each processing operation. In application of the privacy by design principle, the CNIL therefore calls for stakeholders to question, from a very early stage, the necessity of using blockchain technology, rather than an alternative technology, to carry out their processing operations.”  They highlight GDPR’s rules about international transfers and about sub-contracting as meriting particular attention. 

CNIL’s solutions and recommendations.  The CNIL took the view that the participant, ie, the person deciding to register data on a blockchain, can in many cases be considered the data controller, as they determine the purposes and means of data processing. 

They recommended that:

• protocol developers evaluate technological solutions which allow for the exercise of GDPRs’ rights of erasure, rectification, and objection to processing, as “these solutions enable stakeholders to come closer to the GDPR’s compliance requirements in particular by blocking access to data depending on the format chosen (e.g., commitment, fingerprint generated by a hash function with a key, encryption, etc.).
• generally, personal data should not be stored in cleartext on a blockchain. 
• data security principles remain entirely applicable to blockchains.
• conducting a data protection impact assessment (DPIA) could analyse the necessity and proportionality of the measures considered and identify more suitable solutions. 

Worldcoin’s GDPR infringements as identified by regulators.

• The inability for personal data to be deleted. The right to be forgotten is a fundamental right under the General Data Protection Regulation (GDPR).  Individuals can request the deletion of their personal data, and organisations must comply within 30 days.   Courts and Regulators across the EU have been enforcing GDPR compliance more strictly over the past year, particularly where organisations fail to perform data protection impact assessments (DPIAs) and fall short on their disclosure requirements.   

This right was one of the rights identified by the CNIL in 2018 as requiring the implementation of a technological solution. 

Blockchain and crypto protocols would do well to consider leveraging solutions such as zero knowledge proofs (ZKPs) to prevent uploading any personal data on chain and to allow individuals to exercise their rights regarding erasure, rectification, and objection to processing.

• Users cannot withdraw consent to their personal data being used. Under GDPR, organisations must have a ‘lawful basis’ to process personal data.  One such lawful basis is ‘consent’.  GDPR requires that users must be able to withdraw their consent as easily as they gave consent.  Once consent is withdrawn, the organisation is no longer able to process the relevant personal data lawfully.

Most blockchain-based organisations rely on consent to some degree when processing data. These entities should review their techstack to consider whether any other lawful basis is relevant.  They should also consider how to offer the ability to withdraw consent, and how to stop processing any personal data connected with that consent after a withdrawal.

• Children’s personal data is being captured. The GDPR allows each EU member state to determine the age of majority in their jurisdiction; some countries set the age at 13, others at 18.  GDPR affords extra protection to children’s personal data.

Blockchain organisations should ensure that they have taken steps to prevent minors accessing their platforms, and to apply the extra protection when minors do use their services/platforms.

• Insufficient information is being disclosed to users. GDPR requires significant disclosures of information about personal data including how it is sourced (i.e. from whom, from where, how it was collected, i.e. by cookies, a device, from third parties, from the user directly), how and why it is used, the time period it is held, how and where and to whom it is disclosed, whether the data is transmitted outside the EU, whether it is subject to automatic processing or profiling, the rights GDPR grants to individuals and how individuals can exercise those rights.   Regulators across the EU have been issuing increasingly strict interpretations of GDPR over the past six months, and in particular have been demanding increased disclosures to individuals.

Blockchain organisations should map the data flow within their techstack to ensure they can track the movement of data into, within and outside their organization, and update their website and other notices to ensure they portray a complete and accurate description.

• DPIAs must be performed before starting high risk processing. Where processing carries a high risk to individuals’ privacy rights, organisations must conduct a data protection impact assessment which considers the risks and how the organisation can mitigate or remove those risks.  Where high risks are identified which, the organisation cannot remove, the organisation must consult the relevant data regulator. In the UK, this is the ICO. 

The ICO’s statement about Worldcoin’s activities contained a reminder that processing special category biometric merits a DPIA.  Other forms of sensitive personal data include race, and gender.

The CNIL’s 2018 statement also recommended that DPIAs be conducted by blockchain based organisations.  If they have not already done so, Blockchain organisations should consider whether their processing raises high risks to the privacy rights of individuals, whether a DPIA needs to be performed and consider any mitigating action.

Industry guidance and standards on privacy compliance

Industry stakeholders and standards bodies have been issuing guidance on privacy compliance for the blockchain and crypto industry since shortly after GDPR’s inception. CNIL’s 2018 recommendations discussed above was among the first.  Other stakeholders include Germany’s standards body and the International Standards Organization (the ISO). In October 2018, the European Blockchain Observatory and Forum (EUBOF) published a report on “Blockchain and the GDPR” comprehensively outlining the tensions between GDPR and key blockchain features, and suggesting compliant privacy enhancing technologies such as zero knowledge proofs (ZKPs) and secure multi-party computation (SMPC).

The European Data Protection Board (EDPB) is an over-arching data privacy supervisory body within the EU.  Its 2021-2023 Strategy outlined a plan to publish guidance for the blockchain and crypto industry.  It has been in discussions with the regulators of the EU member states since then, and guidance has been expected for some time.  It remains to be seen whether AEPD’s suspension of Worldcoin was in line with those internal discussions and expected guidance.

What’s next for Worldcoin?

The Bavarian data regulator (BayLDA) has been investigating a complaint against Worldcoin, referred by the French data regulator (CNIL), over the past year.  BayLDA has confirmed that it expects to issue its draft decision to the regulators in other EU countries ‘very soon’.  While the decision by Spain’s AEPD and Portugal’s CNPD apply only to Worldcoin’s activities in their respective jurisdictions, the decision by the BayLDA will apply across the EU under GDPR’s ‘one-stop-shop’ mechanism, as Bavaria is Worldcoin’s home state for GPDR purposes.