Oulu Business School
OBS staff and students discuss activities in the business school. Welcome!
Recently, the advancement of blockchain technology has enabled asset tokenization (AT) and security token offerings (STOs). In comparison to cryptocurrency (e.g., Bitcoin) and initial coin offerings (ICOs), which could avoid the strict regulatory procedures, both AT and STIs have to fulfill at least one essential requirement: the existence of the asset. That is, it refers to investing a company’s securities (for STOs) or owning a specific portion of a particular asset (for AT). In this sense, both AT and STOs should be more reliable as it is backed with some form of tangible or financial assets on the smart contract.
An important note is that even it is termed as the “smart contract,” eventually, this contract does not have any legal implication as the law does not enforce it. It is just a piece of code stored on the blockchain that will self-execute once deployed. Possibly, consumers will own a tokenized asset (let’s say 30% of a villa in Malta) on a blockchain network, but in reality, there is no existence of the stated villa in Malta. Thus, the interaction of blockchain, smart contract, and the law are essential for AT and STOs.
One critical principle of the law is about enforcing Know Your Customer (KYC) and Anti Money Laundering (AML). Thus, identify the asset owners and the companies are unavoidable. In 2019, The EU Blockchain Observatory and Forum (an initiative of the European Commission) have been actively engaged in different discussions to suggest a direction for policymakers and regulators that can create the basis for thriving new blockchain industry. Importantly, the EU is convinced that blockchain technology can play a crucial role in building Europe’s Single Digital Market, and so drive essential market innovations.
Based on a report published on September 27, 2019, by The EU Blockchain Observatory and Forum, here are eight guiding principles to lawmakers and regulators for the Blockchain Act:
A need for a simple but clear definition for “blockchain” and “smart contract.” Due to young and new technology, these definitions do not need to be overly precise. It only needs to be workable, making it easier for existing laws by being able to reference this common definition, which means that it should be a shared definition for EU and Member State regulators.
Authorities need to make an extra effort to communicate the blockchain to a broader community, such as the regulators of eIDAS (Electronic Identification, Authentication and Trust Services) and the GDPR (General Data Protection Regulation) so that a shared understanding can easily be reached and widely communicated among the regulators.
Three approaches were suggested. (1) Apply existing laws and regulations as regulators stand now to the new case. (2) Amend existing laws to consider what makes the new case special. (3) Craft completely new, ad-hoc rules and regulations for specific blockchain use cases.
Due to heading to the vision of Europe’s Single Digital Market, blockchain and smart contract regulation must be as harmonized as possible throughout the EU to the extent possible sharing common interpretations. With this approach, any EU country (e.g., Finland) can easily share, as well adapt the regulations from other EU countries.
One key challenge of the blockchain technology is a lack of understanding about this technology and implicitly associates with the negative image of Bitcoin (e.g., money laundering, crime, and anonymity). Thus, the best way is to put extra efforts on education, training, hands-on experience and exposure to the technology and the ecosystem to provide regulators the tools policymakers need to make the best decision.
The immutability feature of blockchain technology has resulted in the many questions and doubt of aligning the Blockchain Act with the GDPR. Three key issues should be addressed: (1) It can be challenging to identify data controllers and processors as defined under GDPR and hence enforce the GDPR’s requirements for the data controller. (2) Under the GDPR, the bar for anonymization is set very high, however in the context of blockchain, the hashing of data cannot be an anonymization technique in many circumstances; theoretically, we could perform audit trail to trace back the identity of each transaction due to its immutability features. (3) The data that is recorded on a blockchain can generally not be altered or deleted; thus, blockchains can make it challenging to exercise some data subject rights as defined in the GDPR—the right to be forgotten. Therefore, the report suggested that the priority should be emphasized on bringing clarity between blockchain and the GDPR.
As regulators know all too well, intervening too early in novel use cases can be counterproductive. In less mature blockchain use cases, for example, questions around decentralized autonomous organizations (DAOs), the report suggested that the EU would profit from a wait-and-see approach and only keeping a close eye on developments while the use cases mature.
Regulators need to get involved in helping monitor and regulate the industry (direct method), instead of merely attending to education, seminar, discussion, and forum (indirect method). That is, regulators are advised to “getting their hands dirty” now with blockchain technology, such as making use (at least testing) of blockchain as a regulatory tool in the security exchange area, such as in Thailand. In this regard, regulators could plug themselves into new blockchain-based platforms as they come online, unleashing new opportunities to improve the efficacy but also the efficiency of their operations.
Ideally, we believe that if blockchain-enabled markets are to mature, policymakers and businesses must create the rules of engagement together. Regulators should provide guiding principles to attract private-sector investors, ensure consumer protection and citizens’ rights, and provide safeguards against anti-competitive practices. Now, we will have a deeper understanding of five topics that should be considered while including the law with blockchain technology. I excluded the discussion of the sixth topic, “risk to fair competition,” to avoid confusion. The reason given is that a blockchain network (a decentralization and transparency platform) should lead to the enhancement of efficiencies and could lower boundaries for new competitors to enter old markets.
Legal value of blockchain as registries:
To legalize a transaction, it requires legal recognition of blockchain-based signatures (who did the transaction), timestamps (when it was carried out), validations (who validated the transactions) and “documents” (that is, the data associated with a transaction or contract). In Europe, such issues are handled under the eIDAS (electronic IDentification, Authentication and Trust Services regulation). The situation is more complicated when it comes to eSignatures and eSeals (signatures of a legal entity as opposed to a natural person). eIDAS recognizes three different levels of eSignatures: (1) simple, (2) advanced, and (3) qualified. Blockchains would appear to meet the technical criteria for (1) simple and (2) advanced. However, to be legally binding, blockchain needs to meet the highest standard (i.e., (3) qualified) that requires using the services of a recognized Trust Service Provider (TSP) or undergoing the arduous process of becoming a recognized TSP yourself. For this reason, from an eIDAS perspective, blockchain transactions do not have legal authority by themselves.
The nature of blockchains may render it difficult to determine in what country damage occurs as a result of conduct on blockchains. For this reason, we might need to revisit aspects of European private international law. To achieve certainty as to the precise nature and scope of legal relationships on blockchains, a potential approach could be to develop existing legal tools further. This makes cross-jurisdictional harmonization important. That, in turn, requires regulators and lawmakers to collaborate across national borders to harmonize legal and regulatory regimes, while managing potential risks, including issues of monopolies and market manipulation. Addressing these would require significant legal and organizational changes and a mechanism for collaboration to ensure alignment.
Again, the primary concern of blockchain is always surrounding anonymity. However, the report provided a clear explanation that blockchain could be anonymous in real-time during the transaction, but it is not entirely non-detectable. It is not an issue for enterprise blockchain solutions (i.e., permissioned blockchain) because it is mainly designed for identifiable and accountable actors to engage in the network. As for permissionless blockchain, it is not true that users who violate the law on a blockchain are not identifiable or traceable. This is because the entries in the ledgers are immutable, providing an audit trail and evidence of wrongdoing. While not always identifiable real-time of the transaction, given enough time and effort, many parties to a transaction can be unmasked. Therefore, at this point, there is no question of total impunity for blockchain actors. It is important to note that the most popular platforms do not support anonymity completely: Bitcoin and Ethereum. Importantly, consumers typically purchase and trade their cryptocurrency on the crypto exchanges (e.g., Coinbase and Binance), where such crypto intermediaries require users to provide real identity during the registration process to adhere to AML and other regulations. In this sense, the intermediaries can be handy regulatory access points, as with any regulatory intervention.
Two aspects of liability should be addressed: (1) liability of core software developers and (2) liability of network participants generally. Based on the report, it suggested that it does not seem appropriate to charge core software developers with responsibility for any unlawful use of an open-source program merely because they are the creators of the tool. Blockchain open-source software, similar to all other products, can be used to achieve good and evil goals. It is important to note that imposing extended responsibilities on core software developers may drive some of them to escape into anonymity or discourage them from trying to innovate. Although it is possible to identify the actors in the permissionless blockchain network, this does require time and effort and is therefore not always practical. This can, in turn, be an obstacle in enforcing liability (compensation) on actors in blockchain-based networks generally. As such, by creating an insurance system in the permissionless blockchain network (as a party to liable to injured party) would make the whole system more expensive during the audit trail process.
Apart from anonymity concern, as explained before, other considerations are worth to examine. For instance, the data provider’s right to control the data on the blockchain network can be problematic, including rights to the rectification of personal data, to know if one’s data is being processed and—an issue with smart contracts—the right to be protected from decisions made only on the basis of automated data processing. Inspire of these challenges, the findings of the report remain a positive view on solving these thorny issues in the near future.
According to the report, a smart contract could represent a digital asset (i.e., payment, investment, and utility tokens) or an organization (i.e., DAOs), and act as an autonomous agent (e.g., a smart contract with AI features). However, when it comes to the legality of smart contracts, here are some of the issues that arise:
Perhaps in a given jurisdiction, a contract needs to be on paper or be notarized, or maybe not. As an example, Swedish law normally accepts oral agreements as valid, but only paper contracts when it comes to real estate. At the same time, unlike other countries, Swedish law does not require the use of notaries. Similarly, there may be requirements that a contract is in a language that both parties can understand (although English is universally accepted, we cannot assume that all non-English speakers can understand English perfectly). Can computer code be considered such a language? And if so, would we then require “translations” of this language into others, like ordinary human language, and thereby also need rules for what constitutes a legally binding translation of a smart contract to say Finnish, German, French or Italian?
Another question affecting whether a smart contract is legally binding has to do with who “signed” it, and how this signature has been carried out. To be legally valid in Europe under the eIDAS, digital signatures on a blockchain must be verified by a trusted service provider. An automated smart legal contract requiring such digital signatures will need to be able to ascertain if the signature is valid, if it refers to the correct person and, if so, if that person has the authority to sign. In commercial settings, this could mean being able to access company databases or some other reliable oracle. These, in turn, would need some legal standing.
The more “automated” a smart contract is, the trickier the legal issues can become. The advantage is that they will execute as written no matter what—holding, in theory, the parties to their commitments through the inexorable might of code. Yet in such cases, what happens from a legal perspective if off-chain conditions change? There might be changes in the law, applicable regulations, in the business environment, or other relevant spheres that would necessitate a change in the smart contract. What legal recourse would the parties have if the smart contract they have deployed cannot be accessed and modified? If appropriate functionality is not included in the code to allow for the adoption of the changes in the legal contract, the smart contract could perform non-valid legal actions.
A smart contract might execute as written and yet still behave in ways not foreseen by its writers. For this reason, smart contract “audits”—often complex, highly technical processes to check for the validity and viability of smart contract code become important. That raises the question of whether such audits have to become requirements, or also need legal recognition of some kind to make a smart contract valid? This has yet to be decided.
The act of transacting, even if devoid of requiring any element of trust, must result in an enforceable change over rights attaching to or deriving from the asset concerned, whether this is a token or is represented by a token. For the assets transacted on blockchains to exist in the real world, they should be vested with rights in rem.
At least, the EU has put a lot of effort into the process of understanding how to legalize the blockchain technology recently, which included the understanding of the intersection of blockchain, smart contract, and the law. Importantly, the report has suggested eight guiding principles to the policymakers and regulators for the Blockchain Act. In conclusion, the advancement of the current blockchain technology becomes more widely used in support of new types of decentralized applications and platforms, lawmakers and regulators should increasingly find themselves faced with challenging questions. However, these challenges are healthy and will be welcomed as part of the natural processes of change in society for the betterment.
Text: Teck Ming "Terence" Tan
Reports of the EU Blockchain Observatory & Forum: https://www.eublockchainforum.eu/reports
Thai Stock Exchange Building Digital Assets Platform for 2020 Launch: https://www.coindesk.com/thai-stock-exchange-building-digital-assets-platform-for-2020-launch
All views expressed on OBS Blog are my own and do not represent the opinions of any entity whatsoever with which I have been, am now, or will be affiliated (e.g., Oulu Business School, Finland). This content is intended to be used and must be used for informational purpose only. The information contained herein is not intended to be a source of advice or analysis with respect to the material presented, and the information and/or documents contained in this blog do not constitute advice.