GDPR and crypto exchanges: your consumer rights
The EU General Data Protection Regulation (GDPR) landed on 25 May 2018. Its impact on many cryptos will be profound. “Technically, I’d say around 70% of cryptos are non-compliant,” an established crypto investor told OpenLedger in mid-May. “Regulators may say you have three months to be compliant and if you’re not we’ll ban you.”
The good news is that GDPR, an update of the UK Data Protection Act 1998, is unlikely to be enforced immediately on small, technical infringements, though the regime will become more urgent in the second half of 2018 – especially for the worst breaches. The headline penalties run up to 4% of an offender’s annual revenue, or a €20m maximum.
Many GDPR regulations clash hard with blockchain – it’s the familiar tension between protecting fundamental rights and tech innovation (though much of blockchain technology remains an evolution of database technology).
In a nutshell GDPR is:
- The protection against personal data being sold or used without permission – think of the Facebook and Cambridge Analytica scandals in 2017-2018
- A tool to bolster consumer control over how their personal data is used. It allows consumers to be erased from company data chains they were previously part of – consumers have the right to be forgotten
- Highly specific. Any consent has to be explicit, unambiguous and informed. Personal data ranges across biometric, genetic and physical location information; all platforms will have to follow basic Know Your Customer guidelines
- Old law born anew: GDPR is an update of the Data Protection Act 1998. It is genuinely EU cross-border and covers almost every industry, from advertising to manufacturing to cryptos
Regulations are tighter and more rigorous
GDPR significantly changes the way business uses and holds customer data. “Consent,” said Dr David Haynes, Royal Academy of Engineering Research Fellow at an April press briefing in London, “is one of the legal bases for fair processing of personal data under GDPR.”
“The criteria for consent,” he went on, “is much more rigorous than previous legislation. Consent has to be freely given… It must also be signified by a positive action, rather than inertial inaction.”
Crypto exchanges need to uphold a range of consumer rights. If consumers use a crypto exchange, what permissions do they have to give?
That depends on what the exchange is doing with the data, an industry analyst told OpenLedger. “If your crypto exchange is doing something else with that data – making use of data that isn’t strictly necessary for performing the basic transactional service they provide – it’s at that stage they should be thinking about getting consent or needing a legitimate interest justification.”
GDPR – how it impacts cryptoassets
Under GDPR the right to erasure, or the right to be forgotten, has been in force since the Google Spain case in 2014. The result was a sizeable shock for many in the internet industry.
At the time, Index on Censorship, a campaigning organisation for the freedom of expression, told the BBC that removing search engines results was “akin to marching into a library and forcing it to pulp books”.
The right to be forgotten is now formalised under GDPR. That means exchange users should continue to expect their data to be kept confidential and handled in line with data protection principles such as not seeking more data than needed, ensuring the data is accurate and confidential, and not keeping the data any longer than needed.
However, there’s a difference between best practice policy and best practice process, says Joe Hancock, cyber security specialist at legal services operator Mishcon de Reya.
“What many businesses have currently is a very good policy,” Hancock told OpenLedger. “They’ve written down exactly what they should and shouldn’t do and how they should respond to a request. They know they should respond within 30 days. But do they actually have a process to deal with someone saying: please delete all my data?”
Will an exchange also actually know where the data is? “The process of these sorts of things is alien to many organisations,” Hancock warns.
Guidance appears sensible and proportionate
What happens if a user ignores exchange requests to use and store their data – meaning they won’t be able to trade and their data will be deleted? There shouldn’t be a need to make additional information requests other than the need to perform the basic contract, a legal source told OpenLedger.
“You don’t need to go and ask them additional permissions. If you already have their consent you don’t need it again.”
What if an exchange holds onto a trader’s data after they quit a trading agreement? The standard legal response is that an exchange should retain the data for as long as it needs to be legally compliant.
Most exchanges make their money from trade commissions – so the exchange has an iron-clad argument to keep all data related to trades for six years, which is the standard HMRC requirement for tax purposes.
Some data worries eased – but watch for group actions
What action can consumers take against an exchange that loses or misuses their data? The reality is that consumers already have rights of legal action under existing data protection law.
“If you’re talking a crypto exchange it’s likely to be more straightforward because there’s more likelihood of financial harm,” one legal source told OpenLedger. “There are already standard actions. You can sue someone for breach of the Data Protection Act and can continue to do that under GDPR.”
What is significant under GDPR is the possibility of group action in the future. Privacy activist groups should be able to consolidate their lawsuits into one larger lawsuit. “It’s not quite a class action but it’s close enough,” said the analyst.
Austrian lawyer Max Schrems has been a leading figure on this issue; Schrems has campaigned vociferously and successfully against Facebook on privacy breaches; he consequently founded privacy non-profit NGO NOYB (None of your business), which describes itself as the European Centre for Digital Rights.
Schrems’ work may mean it becomes easier for consumers to take on data protection breaches – such moves could become strategic and a major risk for tech companies in the future.
Critics aplenty – is GDPR fit for purpose?
The GDPR move has many critics from the crypto sector. “From a practitioner’s perspective,” Jutta Steiner, former head of security at the Ethereum Foundation, said last year, “it sounds to me that it was drafted by trying to implement a certain perspective of how the world should be without taking into account how technology actually works.”
She went on: “The way [public decentralised network] architecture works, means there is no such thing as the deletion of personal data. The issue with information is once it’s out, it’s out.”
Some critics say the new regs had aged prematurely before they were even launched: if much of the business world is turning to decentralised technology, where do ‘all-powerful’ central intermediaries come in, if at all?
“I suspect there is political will on the supervisory side to find some way to make GDPR and blockchain play nicely together,” one industry analyst said. “Though it’s unclear what that will look like.”
GDPR terms for consumers to consider
- Jurisdictions: if you’re with an exchange based in Gibraltar, for example, but your bank account is in the UK you will need to address security concerns particularly carefully
- Reach and rake: all companies and all organisations, wherever they are based, are liable if they process the personal data of EU citizens. So organisations and businesses outside the EU/EEA that do business with EU citizens are subject to the GDPR regs
- US versus EU: GDPR ensures consumers have data protection rights right down the chain, however many companies or entities their data is passed to. That differs from the more ‘bottom-up’ approach taken in the US, where the onus falls more on data breach disclosure