Updated: Feb 15
It is well known that some of blockchain’s key traits present challenges to the current legal and regulatory framework. By its nature, distributed ledger technology permits transactions and data to be recorded and shared across a distributed network without the need for a trusted intermediary. Practically all legal systems expect centralized businesses or structures with a single point of control and accountability. Deviating from this architecture presents a challenge from a legal and regulatory standpoint and raises enforcement problems.
It can be said that the need for a coherent regulatory framework was propelled by the concern over the use of crypto assets for illegal projects as well as the need to protect professional and enterprise users of platforms providing services analogous to financial services. As blockchain is above all a new medium of trust, it is essential to take legal aspects into account in order to maintain this trust. Doubtlessly, private blockchain networks, which are protected by access controls and different reading and writing privileges, are a better way to ensure regulatory compliance than are public blockchain networks, whose participants are neither identified nor verified.
An overview of the regulatory framework
Before the introduction of additional regulatory frameworks this year, EU countries only had to issue individual regulatory requirements for crypto-assets in accordance with some general guidelines. Member states took different approaches to regulating crypto-assets but, visibly, most countries did the bare minimum. This gap in European regulation implies that several crypto-assets even fall outside of regulatory protections. Since digital markets are inherently cross-border, the EU’s new regulatory proposal, “Markets in Crypto-Assets” (MiCA), will push all market participants to comply with the same framework. Before identifying how MiCA will change the crypto scene in Europe, we shall look at the underlying legal issues in blockchain technology in order to see if they are properly addressed by the proposed regulations.
Blockchain’s main legal issues
Compliance with data protection and privacy laws
Although blockchain has several advantages relative to traditional methods of data transfer and storage, since it presents a lower risk of data tampering and data interception, it poses several privacy issues. Blockchain implementations that explicitly record blocks of personal data are inevitably subject to data privacy laws.
I. GDPR and “the right to be forgotten”
Recent amendments in data privacy laws sought to enforce individuals’ rights to control their personal data and prevent their personal data from being exploited without their consent. Although blockchain technology does provide unique possibilities to improve privacy by providing individuals with clear records of personal data usage across distributed systems, several academic commentators have posited that blockchain technology is incompatible with the EU General Data Protection Regulation (GDPR) implemented in 2018. In a blockchain system, once data is stored it cannot be altered. This clearly has implications for data privacy, particularly where the relevant personal data or metadata is sufficient to reveal someone’s personal details.
The rights of data removal, rectification, and portability, as well as data access, which are all enforced in the GDPR, appear incompatible with the immutable nature of blockchain technology. Article 17 appears to pose a particular challenge since it requires the processors of personal data to erase an individual’s data if the person withdraws consent for its processing. Whether blockchain technology radically conflicts with the right to be forgotten depends on how strictly authorities interpret “erasure”. A rigorous deletion of data, in the blockchain’s current architecture, would require a backward deconstruction of the blockchain up to and including the targeted record as well as a reconstruction of the blockchain from the point of the deleted data forward. Doubtlessly, this operation would conflict with blockchain’s basic “immutability” principle, consume significant processing resources from participants and require consent from a certain threshold of participants. It would be infeasible to implement this type of operation every time individuals seek to exercise their GDPR rights. Some academics have suggested that, in order to comply with data privacy requirements, only a hash of the personal data could be stored on the blockchain while the actual data could be stored on a private encrypted database. Nevertheless, this approach would prevent data from being distributed, which is one of the key advantages of blockchain technology. Alternatively, programmers could write smart contracts to allow for the revocation of access rights or erasure of data on the blockchain, or the data contained in the blocks could be encrypted and the encryption keys could be erased in order to make the data inaccessible.
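The hash-on-chain, data-off-chain pattern described above, as an added example that is not part of the original article. `Ledger`, `OffChainStore`, `guessable` and `demo` are hypothetical names, the sample addresses are constructed, and the per-record random salt (a keyed hash rather than a bare hash) is an assumption added here so that the commitment left on-chain after erasure cannot be matched by hashing candidate values.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Toy append-only hash chain standing in for the blockchain (hypothetical)."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"index": len(self.blocks), "prev": prev, "commitment": commitment}
        self.blocks.append({**body, "hash": _digest(body)})
        return body["index"]

    def verify(self) -> bool:
        # Recompute every block hash and check each link to the previous block.
        prev = GENESIS
        for b in self.blocks:
            body = {k: b[k] for k in ("index", "prev", "commitment")}
            if b["prev"] != prev or b["hash"] != _digest(body):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Private database holding the personal data and its per-record salt."""
    def __init__(self):
        self.records = {}  # block index -> (salt, personal data)

    def put(self, ledger: Ledger, data: bytes) -> int:
        salt = secrets.token_bytes(32)  # assumption: salted commitment, not a bare hash
        idx = ledger.append(hmac.new(salt, data, hashlib.sha256).hexdigest())
        self.records[idx] = (salt, data)
        return idx

    def prove(self, ledger: Ledger, idx: int) -> bool:
        # True only while the off-chain record exists and matches the chain.
        if idx not in self.records:
            return False
        salt, data = self.records[idx]
        tag = hmac.new(salt, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, ledger.blocks[idx]["commitment"])

    def erase(self, idx: int) -> None:
        # Erasure request: drop data and salt; the chain itself is untouched.
        self.records.pop(idx, None)

def guessable(commitment: str, candidates) -> bool:
    # Audit check: can the on-chain value be matched by hashing candidate values?
    return any(hashlib.sha256(c).hexdigest() == commitment for c in candidates)

def demo():
    ledger, store = Ledger(), OffChainStore()
    alice = b"alice@example.org"  # constructed sample personal data
    idx = store.put(ledger, alice)
    store.put(ledger, b"bob@example.org")  # constructed second record
    before = store.prove(ledger, idx)
    store.erase(idx)
    after = store.prove(ledger, idx)
    salted = guessable(ledger.blocks[idx]["commitment"], [alice])
    plain = guessable(hashlib.sha256(alice).hexdigest(), [alice])
    return before, after, ledger.verify(), salted, plain
```

After erasure the chain still verifies and the remaining commitment no longer links to the person, whereas an unsalted hash of the same address would still be matched by anyone who can guess it.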
A private blockchain governance model with a central operator could be compliant with the GDPR. Indeed, since permissioned blockchain systems involve known and trusted parties, historical entries can be amended provided the required number of parties agree to an erasure. Moreover, these systems may be designed to allow personal data to be deleted if a sufficient majority of parties to the system agree.
Since the GDPR takes an extraterritorial perspective by protecting EU citizens from more lenient data protection standards in other regions, the lack of geographical barriers of blockchain technology could become a hurdle under the GDPR. Indeed, Articles 44 to 49 of the GDPR stress that personal data transfers may only occur if the other country presents a similar level of protection as the EU’s data requirements. But how can one determine in which country the other participant is? How can one ensure that transfers only occur in countries with similar data protection standards?
II. Anonymity, pseudonymity and privacy law applicability
Anonymity and pseudonymity conflict with the core of privacy laws, which require the data controller to safeguard the security and privacy of the personal data on behalf of the “data subject”. On a permissionless blockchain, most data transactions are signed by encrypted public blockchain addresses with no direct reference to the underlying owner’s name or other directly identifiable personal information.
In many cases, data that relates to an individual who is not identified will not be within the scope of data protection laws. Yet, many jurisdictions consider that anonymous and pseudonymous data are still treated as personal data since they can be subject to re-identification processes (albeit via a key). This means that applying pseudonymization techniques does lower risks but does not remove regulatory obligations. Some academics claim that regulators should mandate identification disclosure requirements for certain types of blockchain applications so that they can adequately monitor illegal activity and enforce the law.
Accountability and Decentralized Autonomous Organizations
Whilst in a private blockchain, regulators might expect those running the system to be responsible for data processing, in a public blockchain system there is no single point of accountability. Decentralized Autonomous Organizations (DAOs) are a new form of legal structure in which ownership, management and control are automated and human mediation is narrow. Hence, they are controlled by numerous, pseudonymous validators that vote on whether to adopt the protocols that are suggested by developers and which then define decision-making on the blockchain. The big questions asked are “Who or what is claimed against in the case of a legal dispute? Can DAOs be held accountable?”. Since a DAO is a self-governing entity, legal systems would have to elect who is accountable if there is a breach of law. There are concerns that the lack of a single point of responsibility in a blockchain platform makes that platform an unincorporated joint venture in which all participants are jointly and severally liable for outcomes. The anonymity of the wallet holders accentuates the issue of accountability and could foster practically risk-free ways of laundering money originating from criminal activities.
Conceivably, to comply with upcoming regulatory requirements, an accountable intermediary, acting as a securities settlement system, will be required. This option may defeat the entire purpose of using a decentralized blockchain system, as it effectively centralizes the platform and requires users to trust that the provider is acting honestly. A partially decentralized model could include a consortium of private sector providers who share accountability.
In a private blockchain system, where there is clear ownership and responsibility, regulators might expect those running the system to be held accountable for data added to the system by all the network users. It would be the owner’s responsibility to protect the distribution of data through the blockchain, despite not publishing the personal data itself. The owner would likely have to put in place a set of operating conditions on the private blockchain that comply with regulations, which all users would in turn agree to comply with.
Territorial and jurisdictional implications
As with ICOs, the question of the territory in which the offer is made arises for STOs insofar as the offer to the public is made to all internet users as soon as it is accessible on a website. As the nodes of a public blockchain system can span multiple locations around the world, it is often difficult to define the potential recipients of the offer and hence, decide which laws and risk management approaches apply. Transactions executed by an organization could fall under every jurisdiction in which a node in the public blockchain network is located, leading to a staggering number of legal regimes with which the blockchain would have to comply. If an illegal transaction is made, defining its location within the blockchain could be problematic and could lead to jurisdictional disarray. What is more, since each jurisdiction regulates data processing differently, striving to manage the plethora of privacy laws, some of which may conflict with others, is likely to be impossible. Nevertheless, this is not a new concern for digital networks and the question of which laws apply to global online activity has been a central matter for the last 20 years.
In a private blockchain network, it would be easier to apply an internal governance system that would prescribe the legal and regulatory regime that would apply to transactions. Yet, this approach could once again conflict with a decentralized ledger’s basic principles and hence, in the case of a public blockchain, this concern must be addressed differently. To reduce such complications, there are more and more legal and regulatory regimes that have extraterritorial effects, such as the European Union’s GDPR. Even if blockchain participants and nodes are situated around the world, local laws may still apply where there is considered to be an adequate nexus to that jurisdiction. The EU’s data protection regime attempts to limit the transfer of personal data to countries where data protection laws are deemed lacking. Since the EU views the underlying US privacy laws as inadequate, the EU has often conveyed concerns on the transfer of personal data from EU data subjects to the US.
The EU’s MiCA
Given that the EU aims to become a digital pioneer in the years to come, the European Commission’s discussion of blockchain technology’s legal and regulatory uncertainty is rather reassuring. On November 24th 2021, the European Council introduced the MiCA framework in order to harmonise the regulatory framework across member states as well as establish further licensing requirements that are passport-able. By providing legal clarity and financial stability, MiCA is meant to foster innovation whilst ensuring consumer and investor protection. Nevertheless, the strict rules and compliance costs might adversely affect the EU’s competitiveness regarding blockchain technology.
It is important to note that, at this stage, MiCA is just a series of proposals and needs to go through the EU legislative process, which typically takes 18 to 24 months, before being implemented.
Classification of tokens
This regulation does not comprise crypto-assets that are already covered by other EU financial laws. The MiCA framework defines three subcategories of crypto assets.
1. Asset-referenced tokens are defined as stablecoins backed by a basket of currencies and utilized as a means of exchange. Issuers of these tokens will be bound to ensure the security, integrity and confidentiality of data.
2. E-money tokens are defined as stablecoins pegged to the value of fiat currencies, such as the U.S. dollar, and also used to facilitate payments.
3. Utility tokens are defined as crypto-assets intended to provide the holder the right to access future goods and services offered by the issuer.
Before making a public offering in the EU, all asset-referenced and e-money token issuers will have to prepare and release an investment prospectus and a roadmap, also known as a white paper. Before it is issued, this paper must be sent to and approved by the issuer’s national regulatory authority. After obtaining this license, firms providing crypto-related services benefit from “passporting”, which allows them to expand operations to all other EU countries without additional restrictions.
Nevertheless, this system would cost issuers between $4500 and $87000 per white paper, contingent on the amount of legal advice required. These high compliance costs for entrepreneurs and crypto issuers could drive businesses initially intending to set up in Europe to set up elsewhere.
Effects of the MiCA framework
I. Increase in barriers to entry
Traditionally, the crypto market has been considered more egalitarian than the stock market since it didn’t suffer from such high entry barriers. Indeed, it has been rather easy for any citizen to invest in cryptocurrencies without being subject to the stock market’s certified investor standards which give wealthy investors privileged access to IPOs. Crypto market platforms offer low-budget and small-scale projects with a high potential that don’t compel legal and financial requirements. It is the responsibility of an investor to “do their own research” (DYOR) before deciding to invest.
With MiCA’s new regulations comes a legal obligation for crypto projects to issue a white paper to be submitted to regulatory authorities. This creates a legal hurdle for the launch of crypto projects in the EU since it requires them to be established as a legal entity in one of the member states. These higher entry barriers, fostered by the higher compliance costs and the legal requirements, could deter third-country issuers and smaller players from entering the EU. To mitigate the effects of high entry costs, the regulation has already made SMEs exempt from the whitepaper regulation as long as their offering of crypto assets is valued at less than a million euros. Nonetheless, this exemption is only symbolic since very few players fall under this category. It is safe to say that these requirements would hinder the development of companies of all sizes, rather than bolster it. Moreover, the released cryptocurrencies will be subject to investor standards which means that wealthier individuals will be able to acquire cryptocurrencies earlier than ordinary investors.
II. Loss of financial autonomy
In order to guarantee that tokens are primarily used as a means of exchange rather than as a store of value, MiCA prohibits issuers of asset-referenced and e-money tokens from granting interest to users of such tokens. Since most jurisdictions allow such interest, the ban on interest payment could undermine the competitiveness of crypto-asset issuers located in the EU. This could even lead to an outflow of capital from the EU to neighboring countries with more attractive regulatory frameworks, such as the United Kingdom and Switzerland. What is more, prohibiting interest will deprive European citizens of a fruitful investment option, particularly considering that fiscal stimulus instruments endorsed to mitigate the financial burden of lockdowns are expected to generate historically high inflation rates.
III. Overregulation of stablecoins
Almost a third of MiCA directly addresses stablecoins and e-money tokens. All stablecoin issuers are obliged to retain capital funds equal to either 350 000 euros or 2% of their reserve assets, whichever is the larger sum. The framework justifies its restrictions on stablecoin issuance by highlighting the potential concerns they could raise regarding monetary policy, financial stability and sovereignty. At the same time, it is admitted that these constraints could hinder innovation in the financial sector, hence going against the EU’s objectives.
Depending on their impact, crypto assets may be further classified as “significant asset-referenced tokens” or “significant e-money tokens”. The European Banking Authority will be conferred the role of determining whether these crypto-assets are significant. Any issuer that passes a number of thresholds, such as a market capitalization of more than a billion euros or more than 500 000 transactions per day, will be considered a “significant” asset and will be subject to additional requirements. Given that practically all leading stablecoins would easily surpass those limits, the thresholds for whether an asset is considered significant are unrealistic and would impair EU competitiveness.
An overall analysis of MiCA
Additional legal certainty provided by MiCA will likely attract institutional investment but overregulation could crowd out innovation. Whilst consumer protection standards adopted in the regulation are desirable, some elements of the regulation regarding stablecoins constitute an unwarranted intrusion into financial autonomy. With the interest ban, it seems that EU legislators are aiming to disincentivise investments in stablecoins in order to protect the interests of the European Banking Sector. This ban also shields the interests of national tax authorities who will find it considerably easier to control crypto profits if they are turned into fiat money rather than held in stablecoins.
Since under MiCA only legal entities can issue crypto-assets, it is unclear whether tokens generated via a decentralized finance business model can be construed. Indeed, it seems that MiCA barely addresses the key legal issues of permissionless blockchain technology, such as the ones analysed above. While a permissioned blockchain network can employ a governance structure with a select number of approved participants, all of which can follow strict consensus practices for data privacy, this is contrary to the nature of a permissionless blockchain. What is more, centralized control over the blockchain implementation could allow for the allocation of data processing responsibility and accountability but this is, once again, in conflict with the goals of public blockchains. MiCA does not sufficiently address nor propose ways to resolve the legal uncertainty around public blockchain networks.
In order to better exploit the opportunities of blockchain technology, the EU should provide a friendly policy environment and flexible business ecosystem. Regulators everywhere are picking up on the subject and if, at the European level, regulation deters innovation and financial freedom, firms will choose other regions to develop blockchain models.
With its new policy proposal, MiCA, the EU sought to ensure fair competition, establish financial stability and instill appropriate levels of consumer and investor protection in order to become home to significant platforms and companies. Moreover, by supporting a pan-European framework, it attempted to avoid legal and regulatory fragmentation hence providing legal certainty. If it passes the legislative process, MiCA will surely have a significant impact on the crypto-asset market. It is likely that crypto-assets covered by the regulation would be viewed as safer investments and this increased credibility conferred on crypto-assets would likely push banks and other financial institutions to move into the market. Nevertheless, the proposal would certainly favour incumbent credit institutions over Fintech start-ups, who may believe the proposal creates new barriers to entry.
It is also important to note that MiCA does not comprehensively address the legal uncertainty around blockchain technology. Indeed, accountability, decentralization, territorial implications and data privacy are barely addressed, especially when considering a permissionless blockchain network. Although public blockchains echo the technology’s original characteristics and benefits of permitting any individual to access and submit transactions with limited data governance, it seems that in order to comply with current and future regulations, organizations should implement a blockchain architecture that lies closer to the private end of the spectrum. Meanwhile, the EU must clarify how a more decentralized blockchain network can adapt itself to EU regulations.
Written by: Celeste Vilde