How cryptocurrency exchanges must comply with GDPR
A cryptocurrency exchange is an online service provider. There are client accounts which contain data. Some of this data will be financial and some of it will not.
In other words, crypto exchanges are like any other online financial service provider. This requires them to establish a lawful basis for processing services. All the necessary exchange disclosures must be clearly and unambiguously stated.
The latest set of rules come in the shape of the EU General Data Protection Regulation (GDPR). This is basically a requirement to protect the data and privacy of all individuals within the European Union (EU) and the European Economic Area.
Joe Hancock, cyber security specialist at legal services operator Mishcon de Reya, told OpenLedger that GDPR compliance sits next to money laundering, fraud and other issues for financial services players.
There may be a need for a data impact assessment, so it may be prudent for exchanges to appoint a data protection officer (DPO). Crypto exchanges may deploy some tracking technology which may also need careful discussion – those are established tick-box items for most financial service compliance.
But Hancock fear GDPR might be a distraction: “My worry sometimes is that when everyone is worried about complying with one regulation then compliance may go up but security may go down. If someone spends 5% of their revenue a year on security, where is the funding for compliance?”
Crypto exchanges and permissions
A crypto exchange must – and a DPO would be extremely helpful here – look closely at their permissions to use and store data. “It depend on what you’re using it for,” said one industry analyst.
“If you’re using analytics in the back end and are building profiles of your users then you may have a problem. If you are simply executing trades from your users without trying to push things in front of them then you don’t need permissions. You are doing this on the basis of the contract and the terms of the service – the contract which a client clicked on when they signed up.”
What about keeping the data secure and password protected? “The GDPR is fairly general on security requirements and measures. It talks about appropriate technical and organisational measures but doesn’t go into the detail that security professionals specialise in,” said the analyst.
However, Joe Hancock thinks that not enough crypto exchanges fully understand the immense day-to-day security risks to which they are exposed. “As an exchange, what is really going to put you out of business is a Mount Gox-type problem [a bitcoin exchange in Japan that became insolvent in 2014 due to a large bitcoin theft].”
He goes on: “If you’re an exchange with the risk of losing people’s data – and you’ll have a lot of personal data – and you’re doing Know Your Customer (KYC) and anti-money laundering (AML) compliance, you’ll be secure in all that. But the predominant risk is still probably securing the funds.”
At the end of the day, customers will probably be angrier that an exchange has lost their money than their data.
Consent is sensible but narrow
There are several ways to process data in a legal way. You can get consent, which must be an “unambiguous… clear affirmative action”. Or you can show legitimate interest – harder than it sounds – which is likely open to legal challenge.
Executing trades can be done on a different basis: legitimate interest. “You are just executing those trades and things associated with keeping their account secure and up-to-date,” said one source. “Anything that isn’t part of the service you provide them will need your user’s permission.”
What fines might crypto exchanges face?
Figures of up to €20m are bandied about. Some infractions carry a maximum fine of €10m while it’s €20m for others. But the longer-term litigation concerns, such as class action legal cases for significant breaches of GDPR rules, look more worrying. It is difficult at time of writing, late May 2018, to know how this could evolve.
The Information Commissioner’s Office (ICO) is the UK’s independent body and is designed to uphold and enforce information rights. “But the ICO has traditionally not been keen on fining people into the ground. It thinks itself fairly pragmatic and is pretty proportionate about fines,” the analyst went on.
The European Court of Justice has traditionally been more sympathetic to privacy claims than many regulators. It has taken on the likes of Google and Facebook, the names most observers believe are the real targets of the new regulations.
Exactly how enforcement of GDPR will pan out remains to be seen. But cryptocurrency exchanges cannot be complacent.