Elizabeth Jacobs is an attorney with the Securities and Exchange Commission.
Distributed ledger technology (DLT) has become something of a trope. It has been proposed as a currency, as a tool for “smart contracts,” for cheaper clearing and settlement, and as a governance mechanism for everything from data identifiers to actual human voting. Michele Finck’s new book, Blockchain Regulation and Governance in Europe, sits in good company with other recent academic explorations of DLT, including Primavera De Filippi’s and Aaron Wright’s Blockchain and the Law and Kevin Werbach’s The Blockchain and the New Architecture of Trust.
In this increasingly crowded field, Finck’s book compares well to others in scope. It includes background on the history of permissionless DLTs and cryptocurrencies. It contains insightful descriptions of the different DLT “layers” (the protocol layer, the network layer, and the data layer), how the layers’ operations are governed, and the importance of their interoperability. Finck, too, wrestles with the philosophical and practical implications of viewing “code as law,” a concept developed in 1999 by Lawrence Lessig. And, similar to the other books, Finck’s book concludes with a suggested framework for providing policy direction to DLT’s development.
But the book is unique due to Finck’s delivery of a deeply insightful European perspective. Finck is a Senior Research Fellow at the Max Planck Institute for Innovation and Competition in Germany, and is also a lecturer in EU law at Oxford. Recent credits include her contributions to the Cambridge Center for Alternative Finance’s primer on Distributed Ledger Technology Systems and her input into the European Union’s Blockchain Observatory and Forum’s 2018 thematic report on “Blockchain and the GDPR [General Data Protection Regulation].” Finck has also done work on the law of the sharing economy. There is some European street cred at play here.
Data privacy and fintech practitioners will find Finck’s distillation of whether use of a DLT is GDPR compliant interesting and informative. She provides detailed analysis of how a technological development whose originators were deeply dedicated to creating a decentralized network is affected by a data privacy regime where compliance provisions require centralization. For example, the GDPR regime includes the concept of a ‘data controller’ – to whom ‘data subjects’ turn to exercise the rights of ‘rectification’, ‘to be forgotten’ and ‘data minimization.’ Questions raised include: What should a ‘data controller’s’ responsibilities be among the different layers on a blockchain? Should ‘nodes’ have any data controller responsibilities? What about protocol developers? Network users submitting personal data to conduct business? Finck walks readers through the European authorities’ perspective on whether hashing can provide sufficient anonymity to escape the application of GDPR, and how off-chain solutions could emerge.
The GDPR just came into effect in 2018, and was being drafted before the DLT wave landed. Finck admits her analysis “…has revealed an undisputable lack of certainty when it comes to the application of the European Union’s data protection framework to blockchains and other forms of distributed ledger technology…Only time will reveal how regulators and judges will approach the tension between the GDPR and DLT.” This is cold comfort for those wrestling with the new data regimes based on the GDPR (Brazil, India policy proposals – even California) – or those dealing with thorny issues regarding cross-border application.
Finck’s book builds on the GDPR examples for a broader survey about the economic importance of non-personal data, and whether legal reforms are needed to ‘unlock it’ for broader sharing and use. Finck cites the advent of Payment Services Directive 2 as a sector-specific approach to this issue, and also examines property rights in data and the questions of data portability. Finck notes the European Commission’s acknowledgement that there is no comprehensive legislative framework on what rights can be exercised with respect to data created by computer processes or collected by sensors processing information…or in respect to the conditions under which such rights can be exercised.
Finck’s concluding text addresses the self-posed question of what regulatory technique is best suited to fulfil the objective of molding DLT while it is still malleable, yet providing enough legal certainty to allow DLT-based innovations to flourish. If DLT is going to be utilized, arguably structures built on it will need to comply with established norms and controls, such as preventing money laundering. Seeing up close, for example, the current struggles of balancing privacy rights while promoting innovation, Finck supports a technology-enabled ‘polycentric co-regulatory’ approach. This approach sounds quite aspirational: public authorities, the private sector, and the DLT community would approach rules of the road, implementation and enforcement in something perhaps akin to a ‘peer to peer’ mechanism – a realization of the EU’s Better Regulation Agenda from 2015. In Finck’s view, this approach could marshal technology itself – that is, have the ‘law’ be embedded in code – to achieve its objectives.
In arriving at this approach, Finck rummages through a well-worn tool kit: i) a “wait & see” approach, citing EU decisions regarding whether Uber could be regulated as having led to a case-by-case analysis because of delays in reaching an approach based on general principles; ii) application of existing frameworks, citing to both EU and US tax authorities with respect to cryptocurrencies, as well as the US Securities and Exchange Commission’s approach to ICOs; iii) the use of sandboxes; and iv) self-regulatory approaches, citing examples from Korea regarding cryptocurrencies.
Finck finishes the book with a somewhat European flair. To forestall the potential for inaction or fragmentation, she suggests that this ‘polycentric co-regulation’ framework for DLT sustainability be an example of a so-called “28th Regime.” Such a regime, originally described by Mario Monti, would create in the EU “an optional supranational regime that exists alongside national rules and gives rise to an option for parties to choose the former.” In closing, Finck briefly analyzes how this ‘28th Regime’ might work with respect to utility tokens. The discussion is not very extensive. Ironically, this may be for the best; it appears that more details will now follow from ESMA’s January 2019 advice to the European Parliament, the Council and the Commission EU legislators on regulation of crypto assets and ICOs. It remains to be seen whether/how the political sector reacts, and what, if any, opportunities there are for Finck’s vision to be realized.
Key takeaways: The book is competitive within its genre for its explanation of DLT basics (with a focus on permissionless DLT). The book provides a frank assessment of the legal uncertainties surrounding whether DLT technology can be viewed as GDPR compliant, and is a rich resource for identifying issues where forthcoming European rulings could have cross-border impacts. Finck’s suggested policy approaches for flexibly addressing technological change conclude with the possibility of a European “28th Regime”. The author’s recommendations should be evaluated alongside recent developments.
The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This article expresses the author’s views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.