With government agencies getting more savvy at tracing blockchain transactions, laws like the EU’s GDPR may play a role.
Anti-establishment and counter-government sentiments fuelled the early days of crypto. More than a decade later, crypto is slowly moving away from its wild-west early days and into a more organized system that traditional financial institutions are reluctantly adopting.
Crypto has also managed to attract the no less reluctant attention of various regulators. With reactions ranging from a complete ban on crypto transactions to making authorities question the overall role of regulation, cryptocurrencies have wreaked havoc on policymaking everywhere.
So far, regulators have mostly focused their attention on positioning digital assets within existing financial regulations. However, experts in other areas of law have started developing interest in both cryptocurrencies and the technology behind them. Concepts such as decentralized digital identities and securely storing data on the chain have served as an introduction to blockchain technology for many lawyers.
An introduction that has brought with it yet another promise is that of private transactions on a blockchain. As highlighted in the Bitcoin white paper, privacy was of great importance to Satoshi’s vision of a purely peer-to-peer electronic currency.
This promise influenced both Bitcoin’s use as a seemingly untraceable payment method and the emergence of many blockchain projects. It has, however, proved to not just be greatly exaggerated but simply untrue, leaving regulators and authorities alike in the uncomfortable position of having to figure out what to do about it.
The fallacy of private crypto transactions
The solution put forward in the Bitcoin white paper was that by anonymizing public keys, transactions will still be visible, but without identifying the parties. This promise of anonymity has led to a certain level of comfort among people transacting on the chain.
This sense of security culminated in the broader adoption of Bitcoin for transactions on the dark web. The practice eventually led to some high-profile arrests and sentences, such as that of the founder of Silk Road. As police got more involved, the crypto community started seeing the cracks in crypto’s “anonymity.”
The concept of anonymity is under a greater threat amid the continuous improvement of blockchain analytics tools. The compliance software market keeps getting bigger, and the products more elaborate. Even so-called privacy coins haven’t been spared by the increasingly sophisticated analytics capabilities of services such as Chainalysis. Nonetheless, some crypto users still consider their transactions untraceable and their actions on the chain private.
Data protection outside the chain
Cryptocurrency users weren’t the only people with privacy and data protection on their minds. With more or less the same incentives — protecting people’s privacy in an increasingly digital world — policymakers around the globe had started working on data protection regulations. The vision was to cover both the risks of most activities moving online and the increasing concern of private actor interference and state surveillance. No other place was as determined to provide all-encompassing privacy legislation as the European Union.
After years of discussions and negotiations, the General Data Protection Regulation, or GDPR, was born (i.e., EU-wide legislation with a direct effect on citizens in all member states). Since its full adoption in 2018, the GDPR has been central to numerous privacy-related investigations and court cases. The most recent and, arguably, the most important has been the European Court of Justice’s so-called Schrems II judgement against Facebook.
One court decision with significant consequences
In a nutshell, the Schrems II decision revolved around determining the legitimacy of Facebook’s EU data transfers to the United States. The court not only decided that some cases of transferring EU citizens’ data to the U.S. were illegal but also invalidated the legal mechanism many companies were using for EU–U.S. data transfers — the Privacy Shield. The reason the ECJ gave was that ongoing surveillance practices by the American government weren’t compatible with EU data protection regulations.
Data protection doesn’t work on the chain
Even before Schrems II, blockchain infrastructures were not considered very privacy-friendly due to the dispersion of the entered information across all blocks. This dispersion makes important data protection rules, such as the right to erasure and the right to be forgotten, which are practically impossible on the chain, as they require all reference to specific personal data to be removed.
Another reason why privacy isn’t necessarily compatible with hash-based, indelible infrastructures is that data protection isn’t technology agnostic. Both its protection and violations depend heavily on the technological tools at hand. And technological tools tend to improve exponentially with time — if encryption is to serve as an example, what was once a state-of-the-art encryption mechanism can now be broken without much effort.
The ability to identify a specific person also depends on a combination of technical tools available and information accessible. This means that even if a person is using a privacy coin, such as Zcash or Monero, their wallet address can potentially be found if there’s additional information available; for example, previous transactions from the same wallet address that are traceable.
State surveillance ruins it all
Apart from blockchain-specific privacy concerns, there is also the issue of where the data ends up — not only in terms of where it is stored but also who can access it. The GDPR is quite specific that the rights of EU “data subjects” — which is legalese for people who can be identified by this information — follow the data, meaning that no matter where this data ends up, it must be protected with the same high standard as it would be in Europe.
The U.S. is by no means the only perpetrator of mass surveillance. The practice is so common that the European Commission has published a very short list of trusted third countries, whose level of data protection is deemed “adequate.” What Schrems II succeeds at doing, however, is highlighting an ongoing concern shared by the EU policymakers and judicial authorities: States’ spying capabilities significantly increase when tech companies in their jurisdictions already have the data.
Can we future-proof crypto transfers?
It’s, therefore, relatively easy to foresee that, once more accustomed to crypto regulations in general, the EU would have a problem with specific aspects of transferring crypto assets, especially as they end up including more data than previously acknowledged — and even more so when “inadequate” countries are directly involved with the transfers.
Two scenarios come to mind as especially problematic. The first one concerns global stablecoins and retail central bank digital cryptocurrencies that are transferred to and from European citizens. Stablecoins would be particularly challenging due to their potential widespread use as payment methods, combined with governments’ increased incentive to regulate them. For example, with Facebook’s heavy involvement in the Libra Association, some data protection actions from EU institutions seem almost inevitable, especially as European data authorities show consistency in making any EU–U.S. data transfers impossible.
The other scenario revolves around any state-level adoption of rules about crypto transfers and mandatory collection of specific data. The Financial Action Task Force’s travel rule, for example, requires that crypto exchanges gather and transmit the name of the sender, account number (or wallet address), location information, as well as the name of the recipient and their account number.
Nonetheless, regulation such as the travel rule is needed, as it serves a specific purpose — preventing money laundering and terrorism financing through the gathering of enough data about the transactions. Laws like these have also been widely adopted in the traditional financial sector, with some having significant effects on crypto as well. The travel rule’s closest traditional finance alternative — the SWIFT system used by the banking sector — has supposedly managed to be GDPR-compliant through a combination of technical and organizational factors.
Can privacy outrun surveillance?
However, when talking about crypto transaction data, privacy by design doesn’t exist. It’s nice to remember Satoshi’s vision of private, peer-to-peer transactions occasionally, but in reality, very few crypto transactions are actually untraceable. And even transactions that depend on privacy-enhancing tricks are subject to constant threats coming from different parties and organizations.
At the same time, previous illegal activities, made possible through the use of crypto, highlight why we need some level of transparency and even state control over who’s transacting with whom. This has, in turn, led to blockchain analytics tools being widely used by governments. The culprits behind the recent Twitter hack, for example, were discovered with the help of Chainalisys.
The end of unsurveilled transactions
This collaboration means the end of not only private transactions but of unsurveilled transactions as well. With the proposed and somewhat inevitable wider adoption of digital currencies, it is quite likely that more and more transaction data will be generated and easily accessible worldwide. Simultaneously, with the exponential improvement of blockchain analytics tools and compliance software, a rapidly decreasing amount of information will be required for the identification of a specific person.
And all this data will be easily accessible by governments. In this scenario, the problem wouldn’t be the breach of any specific data protection regulation and particularly the GDPR. It would be that financial data privacy might simply stop existing as a possibility for everyone. And this is where privacy regulation can actually help.
Privacy regulation as the answer
The usual sentiment among crypto users might be that regulators’ excessive interference with technology and innovation has a profound negative effect, especially to the broader adoption of digital currencies. However, it is likely that the original idea of peer-to-peer electronic cash will only be possible with the right laws in place.
Privacy regulations might prove to be the no man’s land where regulators and blockchain and crypto users can achieve a mutual understanding because they have a common enemy — governments with extensive surveillance practices.
The GDPR has led to changes that complement the ethos of crypto’s early days, as it has proved crucial for fighting the questionable data handling practices of public and private sector players alike. It has also done wonders to nurture a privacy culture even among people with no prior interest in protecting their information.
Regulators and blockchain and crypto users also have a common goal: to ensure that both cryptocurrencies and the technologies underlying them are used in a way that’s not deceptive in its promise. Which might just be what the long-awaited, wider adoption of digital currencies needs.