After the United Kingdom’s withdrawal from the EU, all EU laws, including the GDPR, were transposed into UK law. The GDPR should therefore be considered carefully and read alongside the Data Protection Act 2018. Pseudonymisation and anonymisation techniques can assist in overcoming the GDPR’s requirements, but it’s vital that other key regimes and issues are discussed and considered.
All developers must keep in mind the requirements of the EU General Data Protection Regulation (GDPR). The GDPR applies to any organisation processing personal data of customers and clients residing in the European Union and the UK. Developers must consider whether they are data controllers or data processors, and whether the blockchain can comply with the GDPR’s principles, as follows:
the right to erasure (sometimes known as the ‘right to be forgotten’);
the data subject’s right to correction/alteration of personal data;
the data controller’s obligation to ensure data accuracy;
the data controller’s obligation to retain information for a limited amount of necessary time; and
the data controller’s requirement to provide data subjects with the intended purposes for which personal data will be used.
FCA & PRA - Financial Services and Markets Act
If developers are building a blockchain for use in a regulated industry, they should consider whether any relevant regulations apply. For example, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) do not provide exemptions for certain technologies. Developers should consult with lawyers to determine whether the use of the blockchain technology falls within the scope of the Financial Services and Markets Act 2000. How a token is used on a blockchain might be considered “carrying on a regulated activity”. If so, developers will need to be authorised by the FCA.
However, the buying and selling of exchange tokens is currently not regulated by the FCA, as these tokens typically do not grant the holder any of the rights associated with specified investments. The FCA has concluded that activities which facilitate transactions of Bitcoin or other exchange tokens between participants are not regulated activities.
Securities laws will be an important consideration for any initial coin offerings (ICOs) and similar transactional use cases. Regulators are concerned that tokens issued in an ICO are similar to regulated ‘securities’ offerings, but that start-ups are using unregulated ICOs as a way of evading regulatory frameworks.
AML & KYC - The Fifth Money Laundering Directive
Anti-money laundering and know your client (AML/KYC) regimes should also be considered. The AML/KYC regimes may apply to the blockchain use case; and even if they do not directly apply now, the developer might consider whether changes in the technology or upcoming changes in law may bring it into scope soon. The Fifth Money Laundering Directive requirements entered into force in 2018. The relevant provisions of the directive apply to wallet providers and virtual currency exchange platforms from 10 January 2020.
The EU Electronic Identification of Signature Regulation (910/2014) is relevant with regard to opening bank accounts and accessing or tracing electronic transactions. It provides a legal structure for the mutual recognition of electronic identification schemes and seeks to eliminate any incompatibilities.
This blog was written by Derek Stinson.