Q: I am building my application now – what should I be considering?

Seek advice in relevant jurisdictions and conduct risk assessment in advance

To understand the regulatory landscape, determine the territorial operations of your business and to avoid future compliance issues, a prior multi-jurisdictional analysis on applicable regulations as well as a risk assessment on data protection should ideally be conducted at the planning stage when building the application.

Limit personal data stored on blockchains and obtain consent

A legal basis for processing, such as consent from an individual, is generally required for the collection or use of their personal data. Even if personal data is encrypted or anonymised, such data may be considered to be personal data that is disclosed if it is published on a permissionless blockchain. Aside from obtaining express consent from individuals, you may want to consider exceptions such as those relating to business improvement, legitimate interests or deemed consent by contractual necessity. Similar exceptions exist under the laws of many jurisdictions and they allow an organisation to collect, use and disclose personal data without the need for consent from individuals.

Use permissioned blockchains to support governance models

Operating on a permissioned blockchain generally facilitates a participant’s ability to comply with data protection obligations; for example, the operator can implement accountability obligations on participants in the network. The following are some recommended measures:

• Only provide access to personal data to participants that have a business purpose to use such data.
• Enforce legally binding consortium agreements or contracts, with clear data controller or data intermediary obligations, on all participants to ensure compliance with the law. Stipulated requirements can include restricting the kind of data that can be written on the network; providing decryption keys and identity matching tables through off-chain channels; and restricting certain behaviour (e.g., prohibiting attempts to decrypt ciphertext).
• Limit participants to those who are able to ensure adequate protection of the data, for example, participants from jurisdictions with comparable standards of protection.
• Implement technical measures to meet protection/security obligations, such as by encrypting and anonymising personal data on-chain using industry-standard algorithms or practices; managing and protecting keys with proper policies; and allowing only authorised participants to access data with decryption keys.
• Enable data correction through insertion of new entries with encrypted corrected data.
• Mandate secure disposal of decryption keys of unneeded or erroneous data, rendering such data indecipherable.
• Have personal data stored in an off-chain database or data repository where traditional access control mechanisms can be instituted. Only a hash of the personal data or a hash of the link to the off-chain database should be written on-chain.

Consider cross-border transfer limitations

• Data protection laws may require personal data transferred overseas to be protected to a comparable standard. If an organisation commits personal data on a blockchain with nodes that span multiple jurisdictions, it may need to ensure these jurisdictions have comparable protections.
• Given the potential for an unlimited number of jurisdictions to be implicated, it may be advisable to use permissioned blockchains to delineate the jurisdictions of participants, or in the case of permissionless blockchains to consider models that limit personal data stored on the blockchain, as discussed below.

For permissionless blockchains, consider alternative models

• Use hybrid blockchain approaches that combine a public permissionless chain with a private permissioned blockchain component to process transactions safely without exposure to the public blockchain.
• Use solutions that process data and transactions on a private network layer built on top of a public permissionless chain, while only storing the proof or hash of data on the public permissionless layer. These solutions include, for example, nested blockchains, state channels and zero-knowledge proofs.

Q: Is it a good approach to simply aim not to collect any personal data?

As discussed above, given the expansive definition of personal data, it may in many operating models be difficult to avoid collecting, using or processing personal data entirely.

In addition, depending on relevant regulations such as those relating to anti-money laundering and countering the financing of terrorism (AML/CFT) or KYC, it may not be possible to operate without collecting personal data.

In October 2022, the Organisation for Economic Co-operation and Development published the Crypto-Asset Reporting Framework (CARF), which is a new global tax transparency framework on the development of automatic information exchange with respect to crypto-assets, as well as changes to the existing Common Reporting Standard (CRS). Under the CARF, entities that as a business provide services effectuating exchange transactions in crypto-assets (Crypto-Asset Service Providers) would be required to apply due-diligence procedures to identify their customers and to report annually customers’ aggregate exchanges and transfers to their respective tax authorities. Crypto-Asset Service Providers that are expected to be regulated include exchanges, brokers and dealers.

Reportable information includes the value of transactions, wallet address, name, address, jurisdiction of residence, tax identification number and date of birth of individual crypto-asset users or controlling persons of institutional crypto-asset users. Such data would generally be considered personal data.

Key changes to the CRS relate to the expanded definition of ‘financial assets’ to ensure that derivatives that reference crypto-assets and that are held in custodial accounts are subject to CRS reporting. The definition of ‘investment entity’ is also expanded to include the activity of investing in crypto-assets.

Like the CRS, the CARF contains model rules that can be enacted as domestic legislation. The scope of regulation, such as the precise reportable information, would thus depend on the domestic law of the relevant jurisdiction.

Conclusion

As blockchain use cases continue to evolve, we expect there will be an increasing awareness of data protection compliance in the sector. We also expect regulatory scrutiny in this area to be heightened in time to come.

For most participants, it would pay off to consider data protection implications at the outset, such as by incorporating design features that facilitate ease of compliance with data protection regulations. Given the increasing regulation of the blockchain sector including decentralised applications for AML/CFT purposes, it may be unfeasible to adopt an operating model that seeks to avoid collecting or using personal data entirely, in light of requirements relating to customer due diligence and international reporting.

Our team at Reed Smith would be happy to assist you from the start with navigating the regulatory landscape in relation to data protection and related regimes, with the aim of designing a legally robust, compliant and future-proof blockchain application.

Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.

In-depth 2022-365