Since the spring, there has been a boom in the number of countries looking to capitalize on the blockchain craze. Around the same time, the European Union issued the General Data Privacy Regulations (GDPR), which would place regulations on blockchain technology. However, GDPR does not perfectly encompass blockchain. Nevertheless, these countries are advocating for blockchain and encouraging blockchain companies to relocate through legislation, and they are emphatically responding.
Malta – Blockchain Island
On June 26, 2018, Silvio Schembri, Malta’s Parliamentary Secretary for Digital Economy, Financial Services, and Innovation announced that Malta’s Parliament unanimously passed three bills regarding the regulation of distributed ledger technology (DLT). Malta is the first country to establish a concrete legal framework for DLT.
Bill 43, The Innovative Technology Arrangements and Services Act (ITAS), allows for the registration of Technology Service Providers and the certification of Technology arrangements. These innovative technology arrangements could deliver DLT, smart contracts, or any other innovative technology arrangements later approved.
Bill 44, The Virtual Assets Act (VFAA), establishes the parameters for initial coin offerings (ICOs) and cryptocurrency exchanges. In order to define when DLT assets – like cryptocurrencies – constitute financial instruments, Malta has come up with the Financial Instruments Test. The test classifies cryptocurrencies and tokens as DLT assets and places them into three categories: virtual tokens, financial instruments, and virtual financial assets. A virtual token exists outside of the regulations, as it only contains value within its platform. If the DLT asset is classified as a financial instrument, it will fall under the legislation. Finally, a DLT asset will be regulated under the VFA Act as a virtual financial asset if it is not classed as a financial instrument or virtual token.
Bill 45, The Malta Digital Innovation Authority Act (MDIA), institutes a new authority – the MDIA – to encourage innovative technology in Malta. Stephen McCarthy will head MDIA as its CEO.
These three bills demonstrate Malta’s commitment to staying at the forefront of innovative technology, and it is intended to encourage companies using cryptocurrency or blockchain technology to relocate to the island. In fact, Binance, the world’s largest cryptocurrency exchange company, announced in March that it would be moving to Malta. Binance intends to establish a fiat-crypto exchange and to support fiat deposits/withdrawals. Binance is backing the Malta Stock Exchange’s new program which supports fintech startups. The Prime Minister of Malta, Joseph Muscat, spoke out in strong support of cryptocurrency by stating, “I have no doubt that it will form the base of a new economy in the future.”
Malta is not the only microstate attempting to appeal to blockchain companies; Bermuda, Gibraltar, Liechtenstein, and San Marino have all made similar efforts. Bermuda’s lower house of parliament passed rules to regulate ICO’s, and they also established an agreement with Binance regarding investments in blockchain companies and education for related jobs for the citizens of Bermuda. Gibraltar launched a novel ICO, Fiat Government Issued ERC20 Token – QRG Coins. The creation of the coin is intended to aid in transactions, reduce the costs of the global transfer of payments, and promote transparency.
In March, Liechtenstein’s Prime Minister, Adrian Hasler, announced the Blockchain Act, which will institute regulations and a legal base for blockchain technology in Liechtenstein. San Marino has entered into a partnership with Polybius, a developer of blockchain technology, and San Marino intends to produce legislation regulating blockchain. While this serves as a testament to the increasing interest in bringing in blockchain companies, these microstates, however, do not fall under the jurisdiction of the EU. Spain, on the other hand, is an EU member, and Spain has just introduced some extremely interesting legislation.
Spain Proposes to Implement Blockchain
As of June 21, 2018, 133 deputies of Spain’s ruling party, Partido Popular, introduced a bill to integrate blockchain technology into Spain’s Public Administration. The proposal cites the use of blockchain technology within the financial sector to facilitate trade. Already in Spain, a digital platform, Legaliboo aids in for the creation of smart contracts. Additionally, the proposal discusses the integration of blockchain technology into large banks – like Coinbase and BBVA and Utility Settlement Coin with Santander. One of the broader aims of using blockchain is to boost Spain’s economy by integrating blockchain into the industrial sector.
Additionally, Rafael Hernando, the spokesman of el Partido Popular, advocated for blockchain technology as a means of improving the administration’s internal processes and to increase its efficiency and transparency. Hernando also discussed blockchain’s potential to increase synergy between the administration and sectors like tourism and infrastructure. Lastly, the bill calls for the training of individuals in blockchain technology to assist in the integration of blockchain into the government. The incorporation of blockchain into government operations creates some very interesting questions relating to GDPR, especially concerning the data processed. It seems probable that GDPR and blockchain will need to be reconciled before it would be possible to introduce blockchain technology into the Spanish government.
Blockchain Under the GDPR
As members of the European Union, Spain and Malta remain subject to the GDPR, and at present, GDPR struggles to encompass blockchain in some key aspects. GDPR promotes highly regulated, centralized data, whereas blockchain operates using decentralized data. GDPR requires the establishment of roles, such as Data Controller and Data Processor. The Data Controller determines why and the manner in which personal data is processed by the Data Processor. Blockchain technology, however, presents a challenge in establishing who qualifies as a processor or controller as a result of its decentralized nature.
In considering this problem, there does appear a potential solution: Binding Network Rules. These rules would allow controllers to deal with the blockchain network, provided that the network adheres to certain standards. Currently, the GDPR contains guidance for Binding Corporate Rules (BCRs), which multinational corporations use to make the cross-border transfers of personal data compliant with the GDPR. Article 40 of the GDPR allows for the proposal of new codes of conduct, and the creation of Binding Network Rules, as put forth by the Blockchain Bundesverband, for blockchain could function akin to BCRs.
These Binding Network Rules would contain standard contractual clauses in the network. Everyone participating in Spain or Malta’s blockchain network would have to be compliant with GDPR, and anyone processing data outside of the EU must also adhere to GDPR. Most importantly, the roles of Data Controller and Data Processor would be clearly laid out and potentially modified to better account for blockchain’s decentralized nature.
Also, because blockchain operates using an immutable ledger, it could present problems in complying with the data subject’s right to erasure of their personal data (the “right to be forgotten”) granted under the GDPR. This could also be seen as extremely problematic if a government was using blockchain to store special categories of sensitive data. However, the right to erasure remains contingent on the grounds on which it is requested. The personal data must no longer be necessary for the purposes for which it was obtained.
The inherent nature of blockchain is that all data is necessary for the purpose of creating the chain. Therefore, the right to erasure would never be able to be granted. Instead, the users should be informed of this, so they can make an informed decision as to whether or not they are willing to forfeit this right in order to use blockchain.
The Future for GDPR
With the surge in the number of countries interested in blockchain, the pressure will be on to improve the relationship between GDPR and blockchain. The inability to clearly define the positions of Data Controller and Data Processor and the immutability of blockchain remain two key issues of contention. The potential for changes to the GDPR offers hope for a solution to unite the two into one understanding, which will not only make blockchain fully GDPR compliant, but also a tool to promote compliance. However, as Malta has already passed three bills on innovative technology, it seems likely that it will not be long before Spain and other countries enact their own bills.
Pierson Klein joined TechGDPR’s team as Legal Intern this summer. She is majoring in Law, Jurisprudence, and Social Thought at Amherst College (2020) in the U.S.A.
To stay up to date on how GDPR affects technology, follow TechGDPR on Twitter