Blockchain and the Law

Blockchain, Personal Data and the GDPR Right to be Forgotten

The effective date of the EU’s General Data Protection Regulation (GDPR) is fast approaching (May 25, 2018), and its impacts are already being felt across various industries. Specifically, the conflicts between the GDPR and the technical realities of blockchains raise important legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU data subjects.

One of the key features of blockchain technology is the general immutability of its data, and many applications of the technology thus far are built on publicly available data trails. Among other data, a blockchain can house the information of those who have engaged in transactions along the life of the blockchain, whether it is their name or social security number or, more often, simply a code which could make an individual identifiable. Personal data in an immutable data trail is problematic when considered against the new requirements of the GDPR.

One issue that will have to be considered is the GDPR’s “erasure” right.  Article 17 of the GDPR demands that companies erase the personal data of individuals when they request to be “forgotten”. The GDPR does not define what “erasure of data” means, which suggests that, to comply with this requirement, actual physical and logical deletion (a literal reading of the word “erase”) is required. As simply conducting a blockchain transaction to make personal information inaccessible does not erase any data, it is not clear whether and how one can store personal data on a blockchain and comply with a literal reading of this GDPR obligation. Further complicating the matter is the fact that Article 4 of the GDPR defines “personal data” very broadly as any information relating to an identified or identifiable natural person, with “identifiable natural person” being defined to mean an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Some practitioners and scholars believe that even an individual’s publicly available cryptocurrency wallet address would be considered personal data under the GDPR.

One potential solution to this conundrum might be to store all personal data off of the blockchain in separate “off-chain” databases, but to do so would sacrifice many of the benefits of using a blockchain in the first place.

Until we have some clarification on the interpretation of the obligation to “erase” data, or until the GDPR is amended to account for the unique technical structure of blockchains, companies should be aware of the risk in developing blockchains that will include personal data of EU based individuals. While clearly an issue, as with much of the GDPR, a practical approach to compliance is recommended, and this is not likely to be the issue that is immediately put into play by complainants under the GDPR.

For general insights on the GDPR’s various privacy and data security implications, please visit our Privacy Law Blog.

A Proposed Statutory Framework for State Regulation of Virtual Currency Businesses: The Uniform Law Commission’s “Uniform Regulation of Virtual-Currency Businesses Act”

Last July, the Uniform Law Commission completed a uniform model state law, known as the Uniform Regulation of Virtual-Currency Businesses Act (“URVCBA” or the “Act”) (Steve Weise participated in the preparation of the Act).  Currently, state regulation in the virtual currency space is carried out under a patchwork of laws that typically do not directly contemplate virtual currency and blockchain technology. Attempting to bring clarity as to which types of entities require state licensure and also to encourage responsible innovation in this emerging area, the URVCBA provides a statutory framework for the regulation of companies engaging in “virtual-currency business activity.”  After carefully defining which activities fall under the Act’s purview, the uniform law requires covered entities to make the typical financial and business disclosures in its application, and also contains numerous user and consumer protections, including certain enforcement powers by the relevant state authority.

The mission of the Uniform Law Commission is to draft state laws on topics where standardized regulation across state lines is practical (e.g., the Uniform Commercial Code (the “UCC”)). Gaining final approval in 2017, the Act has so far been introduced in Connecticut, Hawaii, and NebraskaContinue Reading

When Filing Taxes, Don’t Forget Virtual Currency Income

In a March 23 news release, the IRS reminded taxpayers that income from virtual currency transactions must be reported on income tax returns, and that certain virtual currency transactions are taxable like any other property transactions. Taxpayers should note that despite the pseudo-anonymity of virtual currencies, the IRS has been able to successfully subpoena a major exchange for the accounts and information of thousands of holders.

As the IRS news release highlighted, the consequences for non-compliance are significant. Taxpayers who do not report income from virtual currency transactions can be audited for those transactions and potentially liable for penalties and interest. More egregious violations could subject taxpayers to criminal prosecution for charges including tax evasion and filing a false tax return. Convictions for tax evasion and filing a false tax return could lead to a prison term of up to three to five years, respectively, and monetary fines of up to $250,000.

The release also directed taxpayers to IRS Notice 2014-21 (which provides guidance on how existing general tax principles apply to certain virtual currency transactions) and noted that, among other things:

  • payments made using virtual currency are subject to information reporting to the same extent as any other payment made in property;
  • virtual currency payments to independent contractors and other service providers are taxable, and normally the payer must issue Form 1099-MISC;
  • wages paid to employees using virtual currency are taxable to the employee and must be reported on a Form W-2 by the employer;
  • certain third parties who settled virtual currency payments on behalf of merchants that accept virtual currency from customers must report payments to those merchants on Form 1099-K, Payment Card and Third Party Network Transactions; and
  • the character of gain or loss from the sale or exchange of virtual currency depends on whether the virtual currency is a capital asset in the hands of the taxpayer.

The release makes it clear that income from virtual currency transactions must be reported on income tax returns. However, the guidance in the March 23 release and IRS Notice 2014-21 does not apply to all virtual currencies and it is unclear how income from virtual currency transactions not covered by this guidance should be treated and reported for tax purposes. Furthermore, the application of this guidance to any specific taxpayer depends on the taxpayer’s particular situation. Taxation of virtual currencies is complex and there remains a great deal of uncertainty regarding the application of the tax law and a taxpayer’s compliance obligations. We will continue to follow developments in this area.

Blockchain Digital Assets in Virtual Reality, Video Games and eSports – Ready Lawyer One?

Virtual worlds similar to the OASIS in Steven Spielberg’s upcoming film Ready Player One may be closer than we think – and provably scarce, blockchain-based digital assets could provide the leap forward that gets us there. Already, developers are testing early implementations.

Since CryptoKitties launched at the end of 2017, promptly causing a traffic jam on the Ethereum network and proving that crypto-collectible “games” leveraging blockchains can be a hot commodity, a number of copycats have sprung up.

While interesting, this first generation of blockchain games has been a relatively simple series of experiments. Meanwhile, developers have taken note of the potential synergies between blockchain-based digital assets and the mass-market video game and virtual/augmented reality space. As they explore potential ways of using blockchain technology to make virtual worlds and interactions more immersive and to build better bridges between in-game and real-world commerce, there are a number of legal issues to consider. Continue Reading

Federal Court Grants Preliminary Injunction, Affirms CFTC Jurisdiction over Virtual Currencies

Earlier this month, Judge Jack B. Weinstein of the U.S. District Court for the Eastern District of New York entered a preliminary injunction order against Patrick McDonnell and his company, CabbageTech, Corp. (together, the “Defendants”). In a landmark ruling, the order upheld the CFTC’s position that “virtual currencies” are commodities subject to CFTC jurisdiction under the Commodities Exchange Act.

The preliminary injunction was issued in response to a CFTC complaint from late-January (discussed here),which alleged that the Defendants defrauded and misappropriated funds from customers in connection with the purported provision of virtual currency investment and trading services involving Bitcoin and Litecoin. According to the CFTC, the Defendants promised as much as 300% return on an investment in less than a week, then shut down all communications once they received funds from numerous customers.

While the CFTC has brought several actions against allegedly fraudulent cryptocurrency-based schemes, their authority to do so had never been ruled upon by a federal court— until now.

In ordering the preliminary injunction, Judge Weinstein found that, “[u]ntil Congress clarifies the matter, the CFTC has concurrent authority, along with other state and federal administrative agencies, and civil and criminal courts, over dealings in virtual currency.” Furthermore, Judge Weinstein affirmed that the CFTC’s jurisdiction over virtual currencies extends beyond transactions involving futures or derivatives thereon; and that, as in the case of CabbageTech, the CFTC possesses anti-fraud and anti-manipulation enforcement authority over interstate contracts of sale for virtual currency itself.

SEC and CFTC Chairmen Testify before Senate on Cryptoasset Regulation

Last month, SEC chairman Jay Clayton and CFTC chairman Christopher Giancarlo testified before the Senate Banking Committee on their agencies’ regulatory efforts with respect to cryptoassets and ICOs. The written testimonies of chairmen Clayton and Giancarlo, as well as their verbal statements at the hearing itself, shed light on various issues including:  how tokens might be categorized; the desirability of targeted legislative action to address jurisdictional gaps in the cryptoasset marketplace; coordination among regulators; forthcoming enforcement actions; and the general long-term prospects of cryptoassets and blockchain technology.

Below, we highlight some essential takeaways and remaining open questions. Continue Reading

First Securities Lending Transaction Using Blockchain Technology Completed

It was reported this month that ING Groep NV and a major international bank recently completed the first live securities lending transaction settled using distributed ledger technology (“DLT”). The transaction involved the banks swapping baskets of government securities through a collateral lending application from financial technology company HQLAx built using bank consortium R3’s Corda DLT. Securities lending transactions involve the temporary exchange of securities (including legal title), usually for other securities or cash of an equivalent value, with an obligation to redeliver a like quantity of the same securities at a future date.

Currently, securities lending transactions require the transfer of underlying securities between party accounts. For this transaction, the banks agreed to transfer legal title to baskets of government securities on the DLT platform by transferring ownership of HQLAx Digital Collateral Records (“DCRs”), while the underlying securities were held at a third-party custodian. According to HQLAx, DCRs created using Corda allow market participants to exchange legal title ownership of and/or pledge baskets of securities in real-time using standardized legal documentation and “haircuts”. Each DCR is intended to be backed by pre-defined baskets of eligible collateral which are stored for safekeeping in a segregated custody account at a trusted third-party custodian. The creator of each DCR has an obligation to maintain securities in the DCR custody account equal to or greater than the notional value of the DCR.

The lynchpin of the transaction is reliance on DCRs to effect legal title transfer of the underlying securities that comprise the DCRs, thereby facilitating liquidity transfers without the requirement to actually move the underlying securities through the custodian infrastructure. The importance of the transfer of legal title is twofold. First, it allows the borrower to deliver the securities onward, for example to settle a short trade. Second, it means that the lender generally receives value in exchange for the disposition of legal title (whether in cash or securities), which ensures that the loan is collateralized.

While HQLAx noted that this was only a pilot transaction, it represents an important milestone and HQLAx is targeting the end of 2018 for rollout of a production-ready securities lending platform.