Are there any other generally-applicable laws or regulations that may present issues for the use of blockchain technology (such as privacy and data protection law or insolvency law)?
In Australia, the Privacy Act 1988 (Cth) (Privacy Act) regulates the handling of personal information by Government agencies and private sector organisations with an aggregate group revenue of at least AUD 3 million, and which have a jurisdictional link to Australia. In some instances, the Privacy Act will apply to businesses (e.g., credit providers and credit reporting bodies) regardless of turnover. The Privacy Act includes 13 Australian Privacy Principles, which impose obligations on the collection, use, disclosure, retention and destruction of personal information. Relevantly, before entities collect personal information, they must disclose the way in which this data will be used, the purposes for which it will be used and the third parties to which it is likely to be disclosed. This is the basis on which individuals provide consent for their personal information to be collected, used and disclosed.
Blockchain arrangements can be structured in various ways, from information being readily visible to all participants on a network, to closed networks where information is limited to specific participants in specific instances. Therefore, entities wishing to collect and use personal information through blockchain implementations must ensure that they have gained appropriate consents for the contemplated use and disclosure.
The Notifiable Data Breaches (NDB) scheme was implemented in 2018. The NDB scheme mandates that entities regulated under the Privacy Act are required to notify any affected individuals and the Office of the Australian Information Commissioner in the event of a data breach (ie, unauthorised access to or disclosure of information) which is likely to result in serious harm to those individuals. The NDB scheme applies to agencies and organisations that the Privacy Act requires to take steps to secure certain categories of personal information. Therefore, entities will also need to ensure that any blockchain implementations are sufficiently protected from security issues such as unauthorised access and operational failure, and in the case of a data breach, ensure that they have adequate processes in place to comply with the NDB scheme.
Yes, in particular the GDPR (General Data Protection Regulation) and the French Data Protection Act, as well as cyber-security and AML/CFT regulations.
Currently, there is no specific legislation or regulatory framework with regard to the use of blockchain technologies in Germany.
However, European data protection rules are likely to apply to many blockchain-based transactions. With the entry into force of the European General Data Protection Regulation (“GDPR”) at the end of May 2018, the European legislator established a general “right to be forgotten”, enforceable against any data controller and now anchored in Article 17 GDPR. Given that certain application scenarios inevitably require personal data to be recorded in the ledger, the service providers concerned may face severe difficulties in fulfilling such claims from their customers.
At the same time, this example makes clear that companies using blockchain technology will have to deal with the relevant regulatory framework, including data protection law, at an early stage in the development of any blockchain-based application, and must ensure that the application's specific technical design meets the requirements set out by the applicable laws. Firms supervised by BaFin may face large fines if they breach data protection regulations.
Blockchains are designed so that the information recorded on them is permanent and immutable. These concepts conflict with some of the core principles of the General Data Protection Regulation (GDPR) (which is directly applicable in Ireland). In particular, blockchain technology raises compliance concerns in relation to the requirement to keep personal data no longer than necessary and the rights of data subjects such as the right to be forgotten and the right to rectify inaccurate personal data. These concerns are not specific to Ireland. Nevertheless, Irish companies need to be aware of their data privacy obligations in order to develop compliant blockchain-based systems and technology. There is industry awareness of the need to develop, and indeed there has been movement towards developing, blockchain systems that are compatible with both the core principles of the GDPR and the protection of data subject rights.
Other regulations that businesses using blockchain technology may need to consider include the:
- European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (the NIS Regulations) which places security obligations on Operators of Essential Services and Digital Service Providers (as defined therein); and
- European Communities (Directive 2000/31/EC) Regulations 2003 (the E-Commerce Regulations) which places obligations on businesses providing online services when engaging with both consumers and other businesses.
Fundamental privacy issues arise from the usage of blockchain technology. No specific blockchain technology regulations exist under European or Italian data protection law, nor have specific guidelines on this matter been issued by the European or Italian data protection authorities. Nevertheless, the EU Blockchain Observatory Forum has published some reports regarding privacy issues, among other things (the last report was published on 27 September 2019).
According to the reports, two main data protection issues arise from blockchain usage:
- data visibility; and
- data retention and immutability.
The EU Blockchain Observatory Forum provided no possible solutions to the reported issues, but in its last report did stress that: 'policy makers, the courts and regulators will address the most outstanding issues and provide increasing clarity.'
The issues above are essentially matters of blockchain governance.
Regarding data visibility, this is quite a difficult issue to resolve in a public blockchain, but in a private blockchain the need-to-know principle can be guaranteed through governance provisions.
Regarding data retention, the immutability of data on a blockchain is once again a much bigger problem in a public blockchain, as it is essentially impossible to erase data; in a private blockchain, data subjects’ rights and compliance with privacy rules (especially the obligation to erase or anonymise data at the end of the process) can be guaranteed using governance tools (e.g., automatic mechanisms on expiry of the retention periods, and “forced” consent of all the nodes).
Business operators using blockchain technology may be subject to the APPI if they handle the personal information of their users.
In addition, considering that a public blockchain involves the sharing of a database among unspecified participants, where information on the blockchain will not in principle be deleted or retracted once recorded on the blockchain, the use of blockchain technology may trigger the application of the APPI. For example, Article 19 of the APPI requires business operators who handle personal information to delete unnecessary personal information once the purpose for which such personal information is required has been achieved. However, a business operator that records the personal information of its users on a blockchain may have difficulty deleting such information, and this could result in a violation of the APPI.
All pre-existing capital markets, banking and finance, corporate and civil laws (e.g. consumer protection laws) and other laws remain applicable, provided that the project falls into an area subject to regulation. This includes compliance with various regulations and nationally implemented directives, such as the GDPR and MiFID II. That said, this depends on a project-by-project analysis: certain projects may be subject to pre-existing regulations, while others may not.
Dutch legislation is technology-neutral as a matter of principle. Consequently, depending on the sector, different laws and regulations apply.
Compliance with the European Union's General Data Protection Regulation (GDPR) can be challenging for companies operating blockchains. The GDPR applies to organisations that process personal data. Processing is broadly defined, and it includes collecting, storing and destroying data. The GDPR poses several challenges for blockchain solutions, most notably assigning the obligations of data controllers and processors to particular actors in blockchain systems and compliance with the individuals’ rights to have personal data deleted or corrected. These GDPR requirements are at odds with a decentralised blockchain-based data governance model and the concept of immutability of data stored on a blockchain.
Minimising the risks of collision with the GDPR
If no personal data is processed on a blockchain, the GDPR does not pose a problem for its operator. However, personal data is a broad term that, under certain circumstances, can even include the colour of a car or the public key of a crypto wallet. To minimise GDPR compliance risks, blockchain operators should apply robust anonymisation techniques (for example, by storing only an encrypted or otherwise anonymised hash of the personal data on-chain, with the underlying, identifiable personal data kept off-chain). Although such technical solutions may not exclude the applicability of the GDPR altogether, they may substantially improve the blockchain operator’s ability to meet the GDPR requirements. In practice, complete anonymisation is very difficult to achieve, especially in a public, permissionless blockchain, because the operator may not be able to control all data uploaded by the users of the blockchain.
Stay in control
The use of private, permissioned blockchains increases the chances of GDPR compliance, because the operator can impose and enforce a governance framework for users via contracts that set out each actor's rights and obligations.
It is worth noting that ensuring GDPR compliance is specific to a particular use of blockchain, not to the technology itself. Therefore, obtaining legal advice tailored to a particular use of blockchain is recommended, because the consequences of a GDPR violation can be severe – with fines of up to 4% of annual worldwide turnover or EUR 20 million (whichever is greater), criminal liability, and damage claims by individuals or via class actions.
Blockchain applications in general, and especially those involving cryptos and smart contracts, introduce all kinds of practical issues for curators (bankruptcy trustees) in case of bankruptcy. As an example, a smart contract which executes a payment or transfer of title once certain requirements are met would not typically cancel or hold that payment or transfer of title if insolvency law so requires, unless, of course, the legal requirements are included in the smart contract code, with the insolvency register as oracle.
The primary law in the sphere of personal data protection is Federal Law No. 152-FZ of 27 July 2006 “On personal data” (hereinafter the Personal Data Law). Blockchain project activities may to a certain extent conflict with the provisions of this Law.
Firstly, it is not clear who is the operator of personal data in a public blockchain, because the registry data is accessible to all participants and can be stored, and therefore processed, by those participants. The current legislation is designed for centralised information systems with a specific operator who can be held responsible for failure to fulfil its obligations.
Secondly, blockchain does not allow the use of traditional mechanisms for controlling the distribution of personal data. The Personal Data Law provides for the clarification, blocking or destruction of personal data if the information is incomplete, obsolete, inaccurate or illegally obtained. These rights cannot be exercised in a public blockchain. Even though blockchain is a safe way to store information, including personal data, it is impossible to change or selectively delete information, because the transactions are irreversible.
Finally, blockchain is cross-border by nature, whereas under the abovementioned Law the storage of personal data of citizens of the Russian Federation may be carried out only on the territory of Russia.
The mentioned problems demonstrate once again that the current legislation sometimes does not keep pace with the technologies.
Due to blockchain technology’s decentralized handling of data, it is unclear how Korea’s existing data and privacy laws will address specific uses of blockchain technology in Korea with personal information.
Under Korea’s Personal Information Protection Act (“PIPA”), personal information is defined as information pertaining to a living individual (e.g., name, address and images) that can be used to identify that individual either on its own or when easily combined with other information. All forms of data that fall under this definition, including those on the blockchain, are covered by the PIPA regardless of the format (e.g., encrypted, pseudonymised, etc.).
As such, the data stored on blockchains and the blockchains' participants would be subject to compliance with the PIPA. In respect of any personal information being processed on the blockchains, the participants in the blockchain could be characterised as data controllers and data processors under the PIPA. Also, if an entity or person receives, processes, stores or transfers any personal information to a third party, the PIPA will require that such a person first seek and obtain consent from the data subject. As blockchain technologies require all data to be spread across and stored in multiple locations, any new participant in a blockchain would be granted access to all data previously stored on the blockchain, which might include personal information. In such a case, sharing personal information with a new participant in the blockchain could trigger the abovementioned consent requirement under the PIPA.
Finally, any person who has collected personal information is required to destroy that personal information once it has been used for the purpose which prompted its collection or after the lapse of any agreed holding period. However, blockchain technology is designed to secure the integrity and irreversibility of any data stored on the blockchain, which makes any data alteration or deletion almost impossible.
Forms of contract prescribed by law may limit the use of smart contracts and blockchain technology for certain types of contracts, such as purchase agreements relating to real estate.
Furthermore, the Swedish Enforcement Code requires an original negotiable promissory note to be handed in to the Enforcement Authority, as proof of the claimant being the rightful beneficiary, in order for the authority to collect the debt represented by the promissory note in question. There is currently no established practice in place which allows for this to be done with electronic documents, and the Enforcement Authority has previously stated that it will not accept or collect debts on electronic negotiable promissory notes (as identifying which electronic file is the original would not be possible, in the authority’s view). Thus, the Enforcement Code does present issues in this regard. However, a Swedish Supreme Court ruling from 2017 has, obiter dicta, stated that this may be resolved through new technological means. It may therefore be that a robust blockchain solution (which demonstrates the ownership chain of the promissory note) could prove to be acceptable to the Enforcement Authority. However, this is yet to be seen.
Swiss data protection law is set forth in the Federal Act on Data Protection (DPA) and its implementing ordinance. As a general concept, blockchain businesses can become subject to the DPA if they process personal data in Switzerland (the mere storage of personal data on a server in Switzerland is sufficient). Deviating from most foreign data protection laws, the DPA also treats information referring to legal entities as personal data.
Swiss insolvency law in the Federal Act on Debt Collection and Bankruptcy (DEBA) currently does not provide for specific provisions regarding the segregation of crypto currencies or other digital assets in the bankruptcy of a third party custodian. However, the draft DLT legislative proposal of the Federal Council dated 22 March 2019 proposes an additional provision to be added to the DEBA stipulating an explicit right for a third party to request segregation of crypto-based assets, and data in general, from the bankruptcy estate of the bankrupt debtor in certain cases. The new provision is modelled on the existing rules regarding an owner's claim for segregation of physical objects.
Uganda has an Insolvency Act, 2011 but the law is not suited to deal with insolvency issues that may arise in the blockchain context, such as the resolution of decentralized autonomous organizations, crypto based online lending entities, or decentralized exchanges and similar products.
The Data Protection and Privacy Act of 2019 came into force earlier in the year and has far-reaching implications for the management of data and related rights. The legislation makes no reference at all to blockchain, crypto or other virtual assets, but has far-reaching implications for the storage and management of data generally. It is noteworthy that the legislation, though a very progressive step, still falls below the standards set by the General Data Protection Regulation (GDPR) in Europe.
Anti-money laundering, know-your-customer and consumer protection requirements, as set out in the traditional legislation, regulations and guidelines governing the banking industry, do apply to any companies or other juridical persons dealing in cryptocurrency or other blockchain products. This legislation includes: the Financial Institutions Act of 2004 and the attendant regulations under it; the Anti-Money Laundering Act of 2013 as amended; and the Consumer Protection Guidelines of 2012 (written and enforced by the central bank).
Capital markets regulation remains traditional in its nature. At the time of Binance Exchange’s establishment of its Uganda subsidiary in 2018, the Capital Markets Authority specifically stipulated that the current legal framework does not cover crypto assets as they are not securities, and that the Authority was yet to put in place an appropriate governance framework. The provisions of the Capital Markets Act that provide for Self Regulatory Organizations provide a unique opportunity for blockchain based entities to come together under a self-governance mechanism and obtain licensing as such. Such an approach can be pursued either through the Blockchain Association of Uganda or by entities that are building a self-contained ecosystem, such as CryptoSavannah which owns an exchange, a stable token and has intentions of providing credit facilities.
The Anti-Terrorism Amendment Act of 2015 is of particular interest, as it was enacted under threat of Uganda being included on the sanctions list of the Financial Action Task Force. The main intention of the amendment was to address terrorism-financing concerns, terrorism financing being (perhaps falsely) perceived in the Ugandan context as one of the threats posed by the use of cryptocurrency. The Amendment introduced a very broad definition of the term “funds” to include assets of every kind, whether tangible or intangible, movable or immovable, however acquired, and legal documents or instruments in any form, including electronic or digital, evidencing title to, or interests in, such assets. This definition can be purposively interpreted to cover the ownership or movement of blockchain-backed virtual assets.
The Electronic Signatures Act and Electronic Transaction Act have been noted above. These laws are technology-specific, and they will expire when the technology expires. The relevance and enforceability of these laws to blockchain-related matters hinges on the understanding of the technology prevalent at the time. As has been noted before, while the current law recognises cryptographic signatures and allows digital signatures to be included within this framework, blockchain technology by its nature renders some of the central tenets of the Electronic Signatures Act irrelevant. The current law is designed around a centralised system, yet blockchain by its nature promotes decentralisation. Any law in this space needs to be more technologically agnostic. Dependency on a centralised model is enshrined in the current law. What is required is a public key infrastructure framework.
All the foregoing notwithstanding, it suffices to add that there are no express prohibitions to the use of blockchain technology or the resultant technologies. The threats and concerns expressed by certain government offices relate more to human nature – such as indulgence in crime and fraud – than to the attributes of blockchain technology. To this end, the traditional criminal, commercial and civil law protections and prohibitions under the Penal Code Act, Capital Markets Authority Act, Financial Institutions Act, and the general body of precedent apply.
As noted above in question 3, the UK has not legislated specifically in relation to blockchain, DLT or cryptoassets but a number of areas of law may be engaged by a blockchain application.
A notable issue for all UK or EU blockchain applications is compliance with the EU General Data Protection Regulation (“GDPR”). The GDPR, which will be retained in the UK statute book after Brexit, imposes strict obligations on the gathering and processing of personal data, as well as conferring a right on data subjects (i.e. natural persons) to have their data corrected or deleted. Currently, the only certain means of ensuring compliance is to keep personal data off the blockchain, although with permissioned or private blockchains which confer a right on a node to alter the content of the blockchain retrospectively there may be alternative means of compliance. Please see [Chapter 1 of this publication] for further details, or our paper March of the Blocks, available on our website.
Please see question 3 above for details of how the UK AML framework applies to blockchain.
Another source of uncertainty is how to treat cryptoassets for the purposes of insolvency proceedings. Difficult questions in this context may also include how to trace cryptoassets in cases where the debtor does not disclose their existence and how to dispose of them.
Due to blockchain’s applicability across a range of industries, a vast range of laws are triggered by its use, including insolvency, where issues related to whether cryptocurrency of a debtor constitutes part of the debtor’s estate are still undecided. With the spread of blockchain applications come the additional layers of regulatory hurdles, such as the development of blockchain in the healthcare sphere, and the data privacy requirements of the Health Insurance Portability and Accountability Act of 1996. There remains great uncertainty as to whether blockchain should trigger its own regulation and the scope of applicability and transferability of the current legal regime.
The main legislation governing privacy and data protection in Singapore is the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”). Under Singapore law, companies have an obligation to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. The regulatory body responsible for the administration and enforcement of the PDPA is the Personal Data Protection Commission (“PDPC”). The PDPC has offered guidance that the term “personal data” is not intended to be “narrowly construed”. Such personal data may cover different types of data about an individual, including data from which an individual could be identified, even if such data were false and regardless of the form in which such data is stored. Hence, the storage, collection, provision of access to or other control of personal data belonging to natural persons, whether through the use of blockchain technology or otherwise, could attract obligations to comply with the PDPA, and the reasonableness of security arrangements on an objective basis, which would include people and process factors, could be relevant in assessing compliance with the PDPA.
Furthermore, the recent judgment in the B2C2 Case recognising cryptocurrencies as property has opened up a myriad of legal issues in areas such as insolvency where cryptocurrencies could now fall to be part of an insolvent’s or bankrupt’s estate in the event of an insolvency under the laws of Singapore.
As described in the response to question 3 above, the HKMA's Second DLT Whitepaper, published on 25 October 2017, identified seven broad legal issues arising from the use of DLT, namely: (i) legal basis (validity and enforceability); (ii) data protection and privacy (accessibility, immutability and cross-border considerations); (iii) cross-border and localisation issues (cross-border data flow, legal enforceability and localisation law); (iv) smart contracts (legal basis and effects); (v) liability (governance model and liability of participants); (vi) competition / anti-trust laws (fair competition and anti-trust practice); and (vii) legal issues in specific applications (asset management, mortgages / e-conveyancing, trade finance and digital ID management).
On privacy and data protection, the Second DLT Whitepaper explains that the three key characteristics of DLT that need addressing under the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) are, first, the accessibility of some DLT platforms, in which all nodes have equal access to all stored personal data regardless of whether they need to see it; second, the immutability of stored data, whereby data cannot be amended or erased; and third, the often cross-border nature of DLT, meaning that personal data may be stored outside Hong Kong. The Second DLT Whitepaper concludes that the simplest way to address privacy concerns would seem to be to avoid storing personal data in the ledger, but rather only keep the hashes of personal data in it. Storing personal data off the ledger in more conventional databases while keeping hashes in the ledger could continue to ensure data integrity while controlling and limiting access to personal data.
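The pattern recommended here and in the Dutch answer above (personal data off the ledger, only a hash of it on the ledger) as an added Python illustration; it is not part of the original publication or of any project's code. The Ledger class is an assumed append-only stand-in for the chain, HMAC-SHA256 with a random per-record salt stands in for the "hash" the text mentions, the sample record is constructed, and the final function shows the practitioner's caveat: a bare hash of low-entropy data such as a name and date of birth can be re-linked to a person by hashing guesses, so the salt must live only off-chain and be deleted together with the data on erasure.

```python
"""Off-chain personal data with on-chain commitments (added illustration)."""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional


def canonical(data: dict) -> bytes:
    """Canonical JSON encoding so equal records always hash identically."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def unsalted_hash(data: dict) -> str:
    """Plain SHA-256 of the record: what 'just store the hash' naively means."""
    return hashlib.sha256(canonical(data)).hexdigest()


def salted_commitment(salt: bytes, data: dict) -> str:
    """HMAC-SHA256 keyed with a random per-record salt that is held only off-chain."""
    return hmac.new(salt, canonical(data), hashlib.sha256).hexdigest()


class Ledger:
    """Assumed stand-in for the on-chain side: append-only, entries are never removed."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def append(self, record_id: str, commitment: str) -> None:
        self.entries.append({"record_id": record_id, "commitment": commitment})

    def commitment_for(self, record_id: str) -> Optional[str]:
        for entry in self.entries:
            if entry["record_id"] == record_id:
                return entry["commitment"]
        return None


class OffChainStore:
    """Conventional database holding the identifiable data plus its salt."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records: Dict[str, dict] = {}

    def add(self, record_id: str, data: dict) -> str:
        salt = os.urandom(32)
        commitment = salted_commitment(salt, data)
        self.records[record_id] = {"salt": salt, "data": data}
        self.ledger.append(record_id, commitment)  # only the commitment goes on-chain
        return commitment

    def verify(self, record_id: str) -> bool:
        """Integrity check: does the off-chain record still match the ledger?"""
        rec = self.records.get(record_id)
        on_chain = self.ledger.commitment_for(record_id)
        if rec is None or on_chain is None:
            return False
        return hmac.compare_digest(salted_commitment(rec["salt"], rec["data"]), on_chain)

    def erase(self, record_id: str) -> None:
        """Erasure request: drop data AND salt off-chain; the immutable ledger entry stays."""
        self.records.pop(record_id, None)


def linkable_to_candidates(target: str, candidates: List[dict]) -> Optional[dict]:
    """Re-identification check a data protection officer would run: can an on-chain
    value be matched to a person by hashing a list of plausible records? Returns the
    matching record, or None if the value cannot be linked this way."""
    for cand in candidates:
        if hmac.compare_digest(unsalted_hash(cand), target):
            return cand
    return None


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore(ledger)
    alice = {"name": "Alice Example", "dob": "1990-01-01"}  # constructed sample record
    c = store.add("rec-1", alice)
    print("verifies:", store.verify("rec-1"))
    print("bare hash linkable:", linkable_to_candidates(unsalted_hash(alice), [alice]))
    print("salted commitment linkable:", linkable_to_candidates(c, [alice]))
    store.erase("rec-1")
    print("after erasure the ledger still holds", len(ledger.entries), "entry")
```

Note that after erase() the on-chain value remains but, with data and salt gone, nobody (the operator included) can reconstruct or re-link it; whether that is enough to satisfy a given regulator is the legal question the surrounding answers discuss.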
In addition to the legal issues referred to in the Second DLT Whitepaper, the use of blockchain technology, in particular cryptocurrencies and other virtual assets, raises obvious anti-money laundering (AML) and counter-terrorist financing (CTF) concerns given the unregulated nature of many parts of this industry. As noted by the HKMA’s Chief Executive, Norman T.L. Chan, in the HKMA Cryptoasset Keynote Speech on 21 September 2018, because many cryptoassets are so designed that anonymous email accounts can be used for trading and transfers without a central clearing agent, they effectively bypass the existing regime for combatting money laundering, terrorist financing and other illicit activities. The ease with which cryptoassets can be transferred across national borders has made them even more attractive to criminals laundering their proceeds and income, Mr Chan remarked, with the result that banks and other regulated financial institutions were finding it difficult, if not impossible, to comply with the statutory or supervisory requirements in respect of know-your-customer (KYC) or ascertaining the source of funds.
Cryptocurrencies and other virtual assets also present potential problems in the context of insolvency law, in particular with respect to asset tracing.