Introduction
This Quick view will assist compliance personnel, in-house counsel, and private practice lawyers to understand the challenges of maintaining data privacy compliance when using blockchain technology and cryptocurrency. There is a tension between the decentralized nature of blockchain and cryptocurrency, and the assumption of traditional data privacy regimes that there are centralized controls over data. The challenge for legal and compliance professionals is to balance compliance with data protection requirements while still being able to take advantage of the commercial convenience and expedience of cryptocurrency.
This Quick view covers:
- Blockchain technology and cryptocurrency
- The legal regime governing blockchain technology and cryptocurrency
- Challenges of cryptocurrency, blockchain and data privacy compliance
This Quick view can be used in conjunction with the following How-to guides: How to determine and apply relevant US privacy laws to your organization, How to develop, implement and maintain a US information and data security compliance program, How to manage your organization’s data privacy and security risks; and Checklists: Understanding privacy laws in the US and Drafting internal privacy policies and procedures.
Section 1 – Blockchain technology and cryptocurrency
1.1 What is cryptocurrency?
Cryptocurrency is a digital currency used for payment as an alternative to traditional currency issued by a government treasury or a central bank. There is no central authority to back up transactions or to establish or maintain the value: the value is determined by the users and by supply and demand, where higher demand commands higher prices.
1.2 Cryptocurrency and blockchain technology
Cryptocurrency (such as Bitcoin and Ethereum) is built on blockchain technology and is created using consensus algorithms. These algorithms require a defined majority of participants to agree on each new ledger transaction request. In the context of cryptocurrency and blockchains, proof-of-work and proof-of-stake are two of the most common models used.
Cryptocurrency functions both as a currency and as a virtual accounting system. Users of cryptocurrencies will need a cryptocurrency wallet. A wallet can be software running as a cloud-based service or stored on a computer or mobile device. The wallet stores the cryptographic keys that establish the owner’s control over their funds. Wallets contain a public key (from which the wallet address is derived) and the owner’s private keys, which are necessary to sign cryptocurrency transactions. The keys in the wallet allow the owner to access their cryptocurrency, and anyone who knows the owner’s private key can control the currency associated with that address. Exposing wallet information to others could also create problems in terms of data privacy and access to sensitive information such as the credit balance, addresses, and previous transactions.
A public blockchain network is permissionless, which allows anyone in the world to participate, subject only to registering and downloading the relevant software. Generally, all participants on a public blockchain can see all the data on the ledger equally and in real time. While blockchain technology is associated with anonymity, blockchain applications still collect and store user-related data and data relating to others, and this can create data privacy issues where personal information is held and stored.
For more information, see Quick view: Introduction to cryptocurrency and how it works.
Section 2 – The legal regime governing blockchain technology and cryptocurrency
The expansion of cryptocurrency and blockchain technology creates a tension under US federal and state privacy laws, as well as under international privacy laws, particularly in relation to Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). While there are laws and regulations relating to specific financial transactions that apply to cryptocurrency as well as to traditional currencies, these are not considered in detail in this Quick view. For more information, see Quick view: Cryptocurrency regulation and enforcement.
2.1 Data privacy law in the US
There is no single data privacy framework regulating personal data collection and use in the US. Instead, privacy is protected by several federal and state laws, many of which are sector-specific, and which cover both privacy and information security. US privacy law is a complex mix of state and federal statutes and regulations. Compliance with privacy laws is an area of increased regulatory scrutiny and understanding the type of data and the parties subject to regulation is critical. Non-compliance can lead to significant fines, civil and criminal liability and carries the risk of reputational damage.
2.1.1 Federal laws
At the federal level, laws tend to be sector-specific, for example, the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions. The GLBA does not explicitly apply to cryptocurrency; however, there is nothing in the Act that would exempt cryptocurrency transactions, or those who engage in them, from the application of that law. The definition in the Act of the term ‘financial institutions’ is broad enough to lead to the conclusion that cryptocurrency transactions, and businesses that engage in them, are within the ambit of the law.
Other federal laws follow the same pattern. While not stating that a law applies to cryptocurrency or cryptocurrency transactions, there is nothing that expressly excludes them.
2.1.2 State laws
While many states are actively considering proposed privacy legislation, only a handful currently have comprehensive privacy laws, including California, Colorado, Connecticut, Iowa, Utah, and Virginia. In California, the California Consumer Privacy Act (CCPA) and the new California Privacy Rights Act (CPRA) provide greater rights to California residents regarding how their personal information is held by a business (with some exceptions), including a right to request where information is being shared by third parties, a right to request deletion of personal information, and a right to direct businesses not to sell or share personal information. Personal information includes anything that identifies or can reasonably link to an individual or household (eg, name, postal address, or email address) and the term is defined broadly.
The CCPA provides consumers with certain protections and rights, including a right to notice when a business is collecting personal information and a right to disclosure when a business is selling their personal information to third parties. Consumers have a right to opt out of these third-party sales. Given the lack of centralized third-party control and regulatory guidance, organizations should undertake a privacy impact assessment to address gaps in data privacy compliance when implementing new systems involving blockchain technology.
The underlying premise of the CCPA is that data is collected and stored centrally and that users have a right to request that personal information be deleted. This is at odds with how cryptocurrency transactions on a blockchain ledger are recorded and the presumption of the immutability of data (ie, data cannot be deleted).
For additional information, see Q&A: US data protection and privacy (state-by-state).
For an overview of privacy laws and regulations applicable to businesses operating in the United States, see How-to guides: How to manage third party supply chain data privacy, security risks, and liability, How to determine and apply relevant US privacy laws to your organization, How to manage your organization’s data privacy and security risks, and How to implement privacy by design within your organization; and Checklists: Completing a data privacy risk assessment, Understanding privacy laws in the US, Privacy and data security law training, and Drafting internal privacy policies and procedures.
2.2 Cross-border compliance
2.2.1 GDPR
The GDPR imposes strict and harmonized obligations on organizations concerning how they process EU citizens’ personal data. It is broad in terms of the definitions used and the geographic scope covered. For example, companies that process data related to the offering of goods and services to data subjects in the EU are covered, regardless of where the companies are located. This is an important consideration given that blockchain systems operate cross-border and determining whether the GDPR applies may need to be assessed on a case-by-case basis.
The GDPR establishes rigorous enforcement procedures with high potential fines for non-compliance of up to €20 million or 4 percent of the worldwide turnover of a company.
For more information, see How-to guide: How to ensure compliance with the GDPR and Checklists: GDPR compliance self-assessment audit and Lawful processing of personal data under the GDPR.
Section 3 – Challenges of cryptocurrency, blockchain and data privacy compliance
Data privacy frameworks, cryptocurrency, and blockchain technology have developed largely independently from one another and the legal and regulatory environments are not fully aligned. The direction that the law will take is uncertain – it is a ‘known unknown’.
This uncertainty renders strategic decision-making and risk assessment difficult. Planning in the face of such uncertainty requires flexibility, to adapt to rapidly changing conditions, but also an ability to track information about potential new regulatory developments. In the absence of clear guidance on how existing standards apply to cryptocurrency, blockchain technology, and data protection, some of the compliance challenges are considered in more detail below.
3.1 Particular areas of conflict or tension
3.1.1 Oversight
Blockchains are essential elements of cryptocurrencies, and decentralization and data permanence are vital aspects of blockchains. These aspects are hard to reconcile with the requirements of data privacy laws, which assume that central data controllers are integral to compliance. Decentralization is at odds with the traditional ‘centralized controller-based data processing’ model set out in the GDPR and the CCPA.
In data protection compliance, the first step is to consider the roles of the parties in the transaction namely:
- the data controller (ie, the person who determines the ‘why and how’ of the processing of personal data and bears responsibility for data protection compliance); and
- the data processor (ie, someone who processes personal data under the instruction of the data controller).
The absence of consistent definitions across US data privacy laws, and the inherent decentralization of blockchain technology, pose significant challenges in identifying data controllers and processors and assigning responsibility for data handling. A primary focus must be on whether personal data is being processed, which would bring data privacy regulations into play. Understanding the ‘why’ and ‘how’ of data processing will require a detailed examination of the blockchain's technical architecture, the involvement of third-party actors, and the lifecycle of personal data within the system.
Decentralization also raises a very basic question to be assessed against any regulatory regime: who is responsible, or, more practically, who is going to be the target of an enforcement action? Cryptocurrency is attractive to many users because of its capacity for anonymity. If a transaction is completed between parties who prefer to remain anonymous, finding the party responsible in the event of a breach of regulatory requirements becomes a difficult, if not impossible, task.
The difficulty in reconciling the decentralized nature of blockchain with the privacy requirements of the laws and regulations means that an organization considering adopting blockchain technology in its cryptocurrency operations needs to be especially aware of privacy. Depending on the business and the nature of the transactions to be carried out, it may be advisable to limit the amount or type of personal data that is used to the bare minimum necessary to accomplish the transaction.
At the implementation stage when working with a blockchain developer, it is important to verify that they understand the privacy issues, assess the risks, and have concrete ideas in place to mitigate these risks. Some of these measures may include making the chain private and permissioned, or under restricted access or storing data off-chain. Careful and thorough staff training, as well as continuous monitoring and oversight, are essential. The area is constantly evolving, and it may be useful to have someone within the organization responsible for monitoring legal and regulatory compliance.
For further information, see How-to guide: How to implement privacy by design within your organization.
3.1.2 Data chain immutability
The blockchain technology used by cryptocurrencies retains a record of transactions as a part of the chain. Data privacy laws, such as the CCPA and other state laws (Virginia, Colorado, Utah, and Connecticut), and the GDPR in Europe, grant the subjects of data the right to control the use of their personal data (eg, the right to be forgotten or to have their personal information deleted). The immutable nature of blockchain records (where records published cannot be deleted) sets up a very clear conflict between the right to have information removed (or the individual’s right to be forgotten, as provided by the GDPR), and the operation of the technology.
Cryptocurrency systems typically address data updates (eg, new owners of a coin) by recording additional transactions. However, these later transactions do not delete data that was previously stored. A complete erasure of the data would be very difficult to implement on a routine basis, would conflict with basic blockchain design principles, and would also require the consent of some or all of the participants in the chain, depending on the rules of the cryptocurrency scheme.
Such a complete deletion would normally be regarded as an extreme or unusual measure, given the technical difficulties and the steps required. However, data privacy laws make deletion an absolute right of the subject of the data: there is no exception to the deletion requirement for extreme difficulty. There is likewise no exception for data that bears little risk of being identified with its subject. While it is possible to close or delete a blockchain account, the data remains on the chain. There are discussions of, and proposals for, the deletion of data, but any solution to the problem remains a theoretical one.
3.1.3 Cross-border compliance
Decentralized networks may span multiple jurisdictions, which adds complexity, as the application of data privacy laws can depend on the location of the individual and/or where the data is being processed.
Regulatory guidance on reconciling this is currently limited. France’s data protection authority directly addressed blockchains and privacy requirements in 2018 with the publication of the CNIL guidelines and called for attention to the matter at EU level, but this level of attention has yet to transpire in the US. That said, the California Blockchain Executive Order and the Executive Order on Ensuring Responsible Development of Digital Assets (issued by the White House) highlight that regulators are aware they need to fill this void. President Biden’s Order more explicitly mentions privacy concerns, but also outlines the first government approach to addressing the risks and harnessing the benefits of digital assets besides privacy. That said, the regulatory approach to digital assets also varies between administrations.
The Senate repealed a Biden-era Internal Revenue Service (IRS) rule requiring cryptocurrency platforms to report customer transactions, citing concerns about overregulation and that the IRS rule ‘puts at risk the privacy and security’ of millions of Americans trading digital assets. The 70-27 bipartisan vote, with some Democrats joining Republicans, overturns a measure aimed at improving tax compliance and leveling the playing field with traditional brokerages. Crypto industry proponents, like Senator Ted Cruz, celebrated the repeal as a victory, arguing the rule imposed excessive burdens, especially on peer-to-peer exchanges. Critics, however, warn that repealing the rule could result in significant lost tax revenue, estimated at $3.9 billion over a decade, and hinder efforts to combat illicit financial activities.
Calls for government regulation or oversight of cryptocurrency have increased, particularly in light of the collapse of the FTX exchange, the exposure of that exchange as a Ponzi scheme, and the criminal trial of FTX’s ex-CEO Sam Bankman-Fried (see United States v Samuel Bankman-Fried, a/k/a ‘SBF,’ 22 Cr.673 (LAK)). It is not yet clear how any new regulatory or legal oversight will affect data privacy concerns. The focus, at least in the short term, is likely to be on the transparency of networks to enable customers to understand data privacy practices. There is no federal data protection agency to address these challenges, so the reporting of alleged violations, and therefore the enforcement mechanisms, are as set out in the relevant statute.
In the absence of governmental regulation, rules for data privacy in the cryptocurrency and blockchain context may be developed through private litigation. Individuals and groups of individuals or agents could seek redress in this way. Standards for privacy may come into being on a case-by-case basis, as these standards are created through a combination of executive orders, enforcement actions and further to court decisions. This is a fast-evolving area of law and regulation and a continued focus of both federal and state governments and heightened regulatory scrutiny.
Apart from any legal and regulatory concerns, careful attention to privacy issues will help build trust with customers. The nature of many data storage platforms has made consumers especially concerned about the privacy of their data. Showing that an organization shares this concern will make customers more inclined to have faith in the business practice of the organization.
3.2 Mitigating data privacy risks
Data privacy law and blockchain have developed independently. While some features of blockchain, such as encryption, help to enhance privacy, as noted in section 3.1 the decentralized nature of blockchain creates its own inherent privacy risks.
3.2.1 Is the use of blockchain necessary?
The foundational question for protecting privacy is whether adopting blockchain is necessary, or even wise, for an organization. The temptation to adopt the latest technology is always present, but before a technology like blockchain is adopted, an organization should ask why it wants to use it. Organizations need to assess what advantages are to be gained beyond the novelty of ‘trying something new’ and weigh up the risks and resources required to mitigate them.
3.2.2 Audits
An audit of the blockchain system should be conducted as the system is being adopted. The audit will consider the privacy and security protections in place and assess vulnerabilities that can be corrected before full-scale adoption. The audit will involve a direct ‘human’ review of the code used to create the blockchain system. While this audit may be slow and could be costly, it is the most effective way of catching privacy flaws before they become an issue.
3.2.3 Governance framework
Although blockchain is a decentralized means of sharing data, an individual chain may be set up with a governance structure designed to protect data privacy. For example, the number of participants with permission to participate in the chain may be limited, and qualifications can be set up to limit the users with permission to those who meet certain criteria determined by the administrators of the chain.
The chain may be designed to limit access to a few users on a ‘need to use’ basis. Private chains also tend to use encryption. Private chains are centralized and do not offer the anonymity of a public chain since the identities of users are known.
Policies and procedures should also be in place to understand and limit what data is being processed, and to establish permitted flows of personal data as a condition of receiving permission to access the chain. Personal data collected should be limited to the minimum amount necessary to accomplish the purpose of the collection. The policies and procedures should also delineate how data will be collected, distributed and stored.
3.2.4 Privacy by design
Privacy by design makes privacy concerns an integral part of an organization’s operations. Systems and processes are designed to reduce the risk of privacy breaches and the legal liability and reputational damage that follows such breaches. Privacy by design, in the context of blockchain, can include several components.
Training
Staff training of all personnel, not just those who handle data, is an essential component of privacy by design. The importance of privacy must be made clear as a part of the organization’s onboarding process and reinforced on an ongoing basis. Staff members who handle and process personal data should be given more extensive training to meet the specific needs of their job and to ensure they fully understand their responsibilities. In particular, those who handle or process data should be made aware of the legal and regulatory obligations concerning data protection and privacy, and encouraged to report vulnerabilities and suggest improvements to workflow processes (eg, by offering incentives like a bonus or gift voucher for workable suggestions).
Off-chain data storage
Data is stored off the chain by conventional data storage methods when it is too large for the chain to handle or, more importantly, when the data may need to be changed or deleted. Only a reference to the off-chain record (typically a cryptographic hash or commitment) is written to the chain. Off-chain data may not always be accessible even to authorized users, and this method can offer greater anonymity because no public record of the personal data is stored on the blockchain, so sensitive information such as the sender’s and recipient’s names is kept private.
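The following is an added illustration of the off-chain pattern described above, written for this Quick view rather than taken from any project it mentions: personal data lives in a deletable off-chain store, the ledger (a constructed, hash-linked, append-only list standing in for a real blockchain) holds only a keyed commitment, and honouring a deletion request removes the data and its per-record key while leaving the chain intact and unlinkable to the erased data. All class and function names are assumptions for this example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    """One immutable ledger entry: it carries a commitment, never the personal data."""
    index: int
    prev_hash: str
    record_id: str
    commitment: str

    def block_hash(self) -> str:
        payload = f"{self.index}|{self.prev_hash}|{self.record_id}|{self.commitment}"
        return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Append-only, hash-linked list standing in for the on-chain record (constructed)."""

    def __init__(self) -> None:
        self.blocks: list = []

    def append(self, record_id: str, commitment: str) -> Block:
        prev = self.blocks[-1].block_hash() if self.blocks else "0" * 64
        block = Block(len(self.blocks), prev, record_id, commitment)
        self.blocks.append(block)
        return block

    def is_valid(self) -> bool:
        """Every block must point at the hash of the block before it."""
        expected_prev = "0" * 64
        for i, block in enumerate(self.blocks):
            if block.index != i or block.prev_hash != expected_prev:
                return False
            expected_prev = block.block_hash()
        return True


class OffChainStore:
    """Mutable, deletable storage for the personal data plus a per-record secret key."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records: dict = {}

    @staticmethod
    def commit(key: bytes, data: dict) -> str:
        # Keyed commitment: a plain SHA-256 of low-entropy personal data (a name,
        # an email) could be confirmed by guessing; the random key prevents that.
        canonical = json.dumps(data, sort_keys=True).encode()
        return hmac.new(key, canonical, hashlib.sha256).hexdigest()

    def store(self, record_id: str, data: dict) -> Block:
        key = secrets.token_bytes(32)
        self.records[record_id] = (key, data)
        return self.ledger.append(record_id, self.commit(key, data))

    def verify(self, record_id: str) -> bool:
        """True only if the off-chain copy still matches what the chain committed to."""
        if record_id not in self.records:
            return False
        key, data = self.records[record_id]
        on_chain = next(b for b in self.ledger.blocks if b.record_id == record_id)
        return hmac.compare_digest(self.commit(key, data), on_chain.commitment)

    def erase(self, record_id: str) -> bool:
        """Honour a deletion request: drop the data and its key; the chain is untouched."""
        return self.records.pop(record_id, None) is not None
```

After `erase`, the on-chain commitment can no longer be verified against, or linked to, the deleted record, because the key that bound them has been destroyed along with the data.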
Monitoring and oversight
A blockchain system should not be left to run itself. It should be assumed that continuing monitoring of the system will be necessary. The system should also be changed or modified, to address previously undiscovered vulnerabilities, and to meet new data privacy issues as they arise.
For further information, see How-to guide: How to implement privacy by design within your organization.
Additional resources
Gustavo Alza, Jr, Blockchain and CCPA
Amir Lazarovich, Invisible Ink: Blockchain for Data Privacy
Weizheng Wang, et al, Blockchain for the Metaverse: A Review
World Economic Forum, Personal Data Handling
Related Lexology Pro content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to develop, implement and maintain a US information and data security compliance program
How to manage your organization’s data privacy and security risks
How to manage third party supply chain data privacy, security risks, and liability
How to implement privacy by design within your organization
Checklists:
Understanding privacy laws in the US
Drafting internal privacy policies and procedures
Completing a data privacy risk assessment
Privacy and data security law training
Quick View:
Cryptocurrency regulation and enforcement
Introduction to cryptocurrency and how it works
Cryptocurrency and US tax laws
Q&A:
US Data protection and privacy (state-by-state)