1 Legal and enforcement framework

1.1 What general regulatory regimes and issues should blockchain developers consider when building the governance framework for the operation of blockchain/distributed ledger technology protocols?

All developers must keep in mind the requirements of the EU General Data Protection Regulation (GDPR). The GDPR applies to any organisation processing personal data of customers and clients resident in the European Union. Developers must consider whether they are data controllers or data processors, and whether the blockchain can comply with the GDPR's principles, as follows:

  • the right to erasure (sometimes known as the ‘right to be forgotten');
  • the data subject's right to correction/alteration of personal data;
  • the data controller's obligation to ensure data accuracy;
  • the data controller's obligation to retain information for a limited amount of necessary time; and
  • the data controller's requirement to provide data subjects with the intended purposes for which personal data will be used.

Pseudonymisation and anonymisation techniques can assist in overcoming the GDPR's requirements.

If the developers are developing a blockchain to be used in a regulated industry, they should consider whether there any relevant regulations. For example, the Financial Conduct Authority (FCA) and the Prudential Regulatory Authority (PRA) do not provide exemptions for certain technologies. Developers should consult with lawyers to determine whether the use of the blockchain technology falls within the scope of the Financial Services and Markets Act 2000. The use of blockchain might be considered "carrying on a regulated activity". If so, developers will need to be authorised by the FCA.

Securities laws will be an important consideration for any initial coin offerings (ICOs) and similar transactional use cases. Regulators are concerned that tokens issued in an ICO are similar to regulated ‘securities' offerings, but start-ups are using unregulated ICOs as a way of evading regulatory frameworks.

Intellectual property rights, such as licensing the blockchain user's right to use the technology, should be considered. This might also include the terms of use of, for example, a cryptocurrency exchange or a peer-to-peer marketplace, which also brings into scope consumer law and distance selling regulations.

Anti-money laundering and know your client (AML/KYC) regimes should further be considered. It may be the case that the AML/KYC regimes apply to the blockchain use case; and even if they do not directly apply now, the developer might consider whether changes in the technology or upcoming changes in law may bring it into scope soon. The Fifth Money Laundering Directive requirements entered into force in 2018. The relevant provisions of the directive now apply to wallet providers and virtual currencies exchange platforms from 10 January 2020.

The EU Electronic Identification of Signature Regulation (910/2014) is relevant with regard to opening bank accounts and accessing or tracing electronic transactions. It provides a legal structure for the mutual recognition of electronic identification schemes and seeks to eliminate any incompatibilities.

1.2 How do the foregoing considerations differ for public and private blockchains?

The essential difference between a public and private blockchain is participant access. Private blockchains, in most cases, are ledgers that allow authorised members to participate in a network that is not open to the public. Private blockchains are sometimes referred to as ‘permissioned blockchains', because the ‘owner' of the blockchain decides who has permission to read, access and write information to the ledger. This means that data is more likely to stay private. Therefore, it might be easier to control the GDPR implications. For example, it might be easier to comply with data subjects' requests for the erasure of their data from the blockchain. In a public blockchain, by contrast, no central authority can make an erasure decision alone.

If the blockchain is being used for a regulated activity, that should not affect how the FCA and PRA treat it and its administration; this also applies to UK securities laws.

If the public blockchain is open source, then users will have open source licensing rights that allow software to be freely used, modified and shared. For private blockchains, licensing will be different and bespoke to the organisation that owns the blockchain.

1.3 What general regulatory issues should users of a blockchain application consider when using a particular blockchain/distributed ledger protocol?

Users should first and foremost be concerned with the security of the blockchain. While it is true that, by nature, blockchains are resistant to attack, they are not immune. Many thefts of cryptocurrencies have been widely reported; and although such thefts are normally due to internal security failures of particular organisations - for example, Mt Gox - the law does not allow easy protection from loss.

In the United Kingdom, if the blockchain is not operating in a regulated space, then the protection normally afforded to those using regulated banking services may not be available. This means that the deposit protection scheme may not be available and recourse to the Financial Services Ombudsman may not be available.

However, a person who has suffered loss should investigate other legal avenues. Fraud is fraud, and if an individual suffers losses due to fraud, the courts may be available to find justice.

1.4 Which administrative bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The courts have jurisdiction in the case of any unlawful activities.  Anyone that suffers loss due to unlawful activities having to do with blockchain, cryptocurrencies or similar technologies should seek legal advice. Although the space is largely described as ‘unregulated', access to the courts is still available; and if money or other assets are unlawfully appropriated, legal advice should be sought.

The Information Commissioner's Office can assist in the event of breach of the GDPR, but the administrators of the blockchain should be contacted in the first instance.

If a crime has been committed, then the police or the Serious Fraud Office will be available.

Other administrative bodies that might be relevant include:

  • the Office of Fair Trading;
  • the Financial Conduct Authority;
  • the Competition and Markets Authority; and
  • Her Majesty's Revenue and Customs.

1.5 What is the regulators' general approach to blockchain?

UK regulators recognise the power of blockchain technologies and are welcoming of the innovative efforts of those seeking to provide blockchain solutions across the United Kingdom. The European Union is taking an equally open stance. The European Union aims to develop a competitive and innovative financial services sector, and published its Fintech Action Plan on 8 March 2018.

The Fintech Action Plan identifies 19 initiatives. The European Union does not think there is a strong case for a major overhaul of financial services regulation. However, it does want to ensure that there are no regulatory barriers to innovation that might stymie competitive efforts by EU entities. Ensuring adequate consumer protection is part of the plan to stay competitive.

Since Q1 2018, the European Commission has been monitoring cryptoasset developments, including ICOs, to determine whether EU regulatory action is required.

In Q2 2018, the commission was to consider implementing the European Financial Transparency Gateway based on distributed ledger technology (DLT). It also hosted an EU FinTech Lab, where EU and national authorities could engage with technology innovators in a neutral, non-commercial space.

By Q4 2018 the Fintech Action Plan called on European supervisory authorities to identify best practices for fintech companies and, where appropriate, issue guidelines; and for fintech standards to be set in a coordinated way. Major standard-setting bodies such as the European Committee for Standardisation and the Intentional Organisation for Standardisation were to be involved.

By Q1 2019, the European Commission was to present a report on best practices for regulatory sandboxes and set up an expert group to assess any unjustified regulatory obstacles to financial services innovations.

Those in the DLT business were encouraged by the European Union to develop by mid-2019 standardised APIs that are compliant with the Payment Services Directive and the GDPR.

The EU Blockchain Observatory and Forum (EUBOF), together with the European standardisation organisations, will appraise issues relating to scalability, legality and governance. They will do this in the context of standardisation efforts.

A specialist commission has been set up to establish the European Union's approach to blockchain. It has identified some uses of blockchain, especially in the financial services arena; for example, it recognised the following use cases that should not be ignored:

  • automatic execution of insurance contracts;
  • money transfer;
  • peer-to-peer lending; and
  • transfer of securities.

The commission recognises that blockchain has a wider scope than financial services, and that close collaboration between innovators, users and regulatory bodies is beneficial. The EUBOF was established in February 2018 for a two-year period, during which - among other things - it will conduct a feasibility study of an EU public blockchain infrastructure. The EUBOF will propose initiatives, funding measures and even a framework to enable scalability, develop governance and standards, and support interoperability. Twenty-two member states signed a declaration establishing a blockchain partnership as a cooperation vehicle for sharing technical and regulation experience and expertise among member states.

There is also a pilot project for applying blockchain technology to the Prospectus Directive and the Transparency Directive, both of which regulate securities offerings. The pilot project aims to test and explore blockchain capabilities for:

  • sharing financial data within the European Union;
  • promoting cross-border investment; and
  • providing investors with easy access to regulated financial information on companies listed in EU regulated markets.

1.6 Are any industry or trade associations influential in the blockchain space?

The following bodies are influential in the blockchain space:

  • the Capital Markets Union, which assesses the case for EU licensing and passporting;
  • the Financial Stability Board;
  • the European Central Bank;
  • the European Committee for Standardisation and the International Organisation for Standardisation;
  • the EU FinTech Laboratory;
  • the EUBOF;
  • the British Blockchain Association; and
  • the All-Party Parliamentary Group on Blockchain.

2 Blockchain market

2.1 Which blockchain applications and protocols have become most embedded in your jurisdiction?

Bitcoin is still the most embedded application of blockchain technology, but there are many others. In 2016 the UK Department of Work and Pensions tested the use of blockchain-based systems to distribute welfare payments. Also in 2016, the Financial Conduct Authority (FCA) permitted a blockchain start-up called Tramonex to issue its digital currency to UK citizens.

The most popular applications are as follows:

  • crypto-trading;
  • Internet of Things – this is a broad category in which companies that deal in internet-connected devices are providing a variety of blockchain solutions, such as supply chain tracing;
  • marketing and advertising;
  • security;
  • entertainment – primarily gaming;
  • govtech – this encompasses any public sector blockchain use;
  • healthcare;
  • artificial intelligence;
  • fintech; and
  • research and development (R&D) blockchain services – this encompasses research in the blockchain industry and advising companies on how to use and implement blockchain solutions.

2.2 What potential new applications/protocols are most actively being explored?

The UK government is investing in blockchain projects focused on energy distribution, charity contributions, election registration and voting, and clean water initiatives.

2.3 Which industries within your jurisdiction are making material investments within the blockchain space?

The government and the private equity and venture capital industries are making material investments.

Other industries making material investments include:

  • entertainment;
  • healthcare;
  • marketing;
  • Internet of Things;
  • R&D blockchain services;
  • crypto-trading;
  • fintech;
  • security;
  • artificial intelligence; and
  • govtech.

2.4 Are any initiatives or governmental programmes in place to incentivise blockchain development in your jurisdiction?

There are several government programmes. The most notable include the following:

  • a partnership between the National Archives and the University of Surrey on the Archangel project, which aims to preserve digital archives through blockchain technology;
  • the provision of £10 million through Innovate UK and research councils to support blockchain projects in diverse areas such as energy, voting systems and charitable giving;
  • proof of concept projects underway at the Department of Work and Pensions, the Department for Environment, Food and Rural Affairs and the Department for International Development;
  • the establishment of a Cryptoassets Taskforce - comprising the Treasury, the Bank of England and the FCA - to explore the risks and potential benefits of cryptoassets and other applications of distributed ledger technology in financial services, and assess what regulation might be required in response; and
  • an exploration of whether blockchain could allow Her Majesty's Land Registry to provide quicker and simpler services.

3 Cryptocurrencies

3.1 How are cryptocurrencies and/or virtual currencies defined and regulated in your jurisdiction?

Cryptocurrency is not considered money. For now, the Bank of England has ruled out creating a central bank-backed coin.

Definition: As a result of the transposition of the Fifth Money-Laundering Directive into UK law on 10 January 2020, there is now a formal definition of a ‘cryptoasset': "a cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically."

Property: The UK Jurisdiction Taskforce issued a legal statement on 18 November 2019 concluding that cryptoassets have the legal indicia of ‘property' under English law. The Law Commission must now consider whether legislation is required to address these findings. Also see Robertson v Persons Unknown [2019], where Justice Moulder granted an asset preservation order over £1 million worth of Bitcoins appropriated from Alphabit chief executive officer Liam Robertson in a phishing scam.

Regulation: The Financial Conduct Authority (FCA) released its Policy Statement on Cryptoassets (PS19/22) in July 2019, which divides ‘cryptoassets' into three subcategories:

  • unregulated tokens (cryptocurrencies such as Bitcoin, SV and XRP);
  • e-money tokens; and
  • security tokens.

Unregulated tokens: The FCA considers unregulated tokens and their purchase, sale and exchange outside the regulatory perimeter – that is, the Financial Services and Markets Act (Regulated Activities) 2001, the Second Markets in Financial Instruments Directive 2004 (MiFID II) and Electronic Money Regulations 2011 ("EMRs").

E-money tokens: E-money tokens are tokens:

  • with an electronically stored monetary value that represents a claim on the issuer;
  • that are issued on receipt of funds to make transactions;
  • that are accepted by a person other the issuer; and
  • that are not excluded by Regulation 3 of the Electronic Money Regulations 2011.

These meet the definition of ‘electronic money' under the Electronic Money Regulations and fall within regulation. The issuance of e-money is a ‘regulated activity' under the Regulated Activities Order 2001. ‘Stablecoins' can sometimes be considered e-money due to their design and will, therefore, be regulated.

Security tokens: Security tokens provide rights and obligations akin to ‘specified investments' as set out in the Regulated Activities Order (ie, shares or debentures), including those that fit the definition of ‘financial instruments' or ‘transferable securities' under MiFID II and are regulated.

3.2 What anti-money laundering provisions apply to cryptocurrencies?

The Fifth Money-Laundering Directive (5MLD) was transposed into UK law on 10 January 2020. It brings crypto-exchanges and custodian wallet providers under the regulations applied to financial institutions under 4MLD. It introduces tough anti-money laundering/counter-terrorist financing (AML/CTF) requirements which extend to the following activities:

  • exchange services between one cryptoasset and another, or services allowing value transactions within one cryptoasset exchange or peer-to-peer exchange service provider;
  • cryptoasset automatic teller machines;
  • transfer of cryptoassets;
  • issuance of new cryptoassets; and
  • publication of open source software (including non-custodial wallet software and other types of cryptoasset-related software).

The FCA will be the AML/CTF supervisor. UK crypto-businesses engaging in activities within the scope of the Money Laundering Regulations must register with the FCA from 10 January 2020. The regulations have introduced additional powers for the FCA, including increased disclosure powers and powers of direction, allowing it to require or prohibit certain actions.

Among other requirements, relevant entities must:

  • perform customer due diligence and submit suspicious activity reports;
  • mitigate ML/TF risks;
  • screen employees; and
  • conduct enhanced due diligence in the case of potentially riskier customers.

3.3 What consumer protection provisions apply to cryptocurrencies?

The FCA is clear: individuals who invest in unregulated cryptoassets will not have recourse to the Financial Ombudsman Service or the Financial Services Compensation Scheme if something goes awry.

Nevertheless, consumer protection is an FCA function. In July 2019 the FCA proposed banning the sale of crypto-derivatives and exchange-traded notes to retail consumers, considering them ill-suited to retail consumers who cannot reliably assess the value and risks.

The Consumer Rights Act 2015 and the Consumer Protection from Unfair Trading Regulations 2008 give consumers possible remedies in relation to the provision of services, the supply of goods and digital content, and restrict the enforcement of certain contractual clauses against consumers. These might apply in the context of cryptocurrency sales and services.

Lastly, the FCA has a ‘ScamSmartWarningList', which helps consumers aged over 55 to avoid falling victim to scams and investment fraud.

3.4 How are cryptocurrencies treated from a tax perspective?

Her Majesty's Revenue and Customs (HMRC) has set out its view on the treatment of unregulated cryptoassets based on tax principles.

Businesses: Transactions involving cryptoassets will be taxed at the corporate rate, applying ordinary principles as to gains and losses. As a result, taxpayers will usually be taxed on crypto-profits either as chargeable gains or as trading profit. Because cryptoassets are not ‘money' in the United Kingdom, the loan relationship rules will not apply to a loan of cryptocurrency from one company to another, unless unregulated tokens are the collateral security for a monetary loan.

HMRC does not think that stamp duty or stamp duty reserve tax applies to the transfer of unregulated tokens because they are not stock, chargeable securities or marketable securities.

HMRC thinks that unregulated tokens are not ordinarily consideration for the purposes of stamp duty, except when they are treated as debt. However, unregulated tokens are treated as consideration for the purposes of stamp duty reserve tax.

Value added tax (VAT) is not generally due on the transfer of unregulated tokens. Of course, VAT is due on the underlying service where goods and services are bought with tokens.

Where cryptoassets are received due to a ‘hard fork', when assessing capital gains tax, HMRC treats the value of the new cryptoassets as derived from the originating cryptoassets, and costs will be split between the original and the new cryptoassets to calculate any gain on disposal. So no tax is payable on receipt of the new cryptoassets.

Individuals: HMRC considers that it will be rare for individuals to buy and sell cryptoassets with such frequency and organisation that the activity amounts to a financial trade giving rise to income tax. Ordinarily, individuals pay capital gains tax when they dispose of cryptoassets.

Cryptoassets are awarded to miners for verifying additions to the blockchain. Whether miners are engaged in a taxable trade depends on the degree of activity, organisation, risk and commerciality. If mining activity does not amount to trade, the monetary value of the award will be taxable as miscellaneous income. The same considerations apply to fees for transaction confirmations.

Where employees receive cryptocurrency as earnings from their employer, the asset's value is subject to income tax and National Insurance contributions. Whether tax charge arises under Pay as You Earn depends on whether the tokens are readily convertible assets in the normal way.

3.5 What regulatory requirements apply to a cryptocurrency trader/exchange?

See questions 3.1 and 3.2.

3.6 How are initial coin offerings and securities token offerings defined and regulated in your jurisdiction?

The 2018 Treasury Select Committee Report on Crypto-Assets described ICOs as a way of raising funds from the public using a cryptoasset. ICO issuers accept a cryptoasset in exchange for a proprietary ‘coin' or ‘token' that relates to a specific firm or project. The digital token issued may represent a share in a firm or a prepayment voucher for future service; or in some cases may offer no discernible value at all. Often, projects funded by ICOs are in a very early stage of development or are entirely fictitious.

Whether an ICO is regulated depends on how it is structured and what the token subsequently represents. For example, when tokens represent a ‘transferable security' under the Regulated Activities Order, such as shares and bonds, the ICO will fall within the regulatory perimeter of the FCA. Issuers will thus be subject to the FCA's Principles and relevant rules. If an ICO falls within the regulatory perimeter, the FCA will also be required to ensure an appropriate degree of protection for ICO investors, as they are considered ‘consumers' by the FCA. However, when tokens represent a claim on prospective services or products, they do not amount to transferable securities or other regulated products and thus fall outside the regulatory perimeter. Issuers are thus not required to follow the FCA's principles and relevant rules, and the FCA is not required to ensure an appropriate degree of protection for investors.

Before a ‘transferable security' is offered (including being listed on an exchange), an FCA prospectus is required, unless an exemption applies. Furthermore, the FSMA prohibits, in the course of business, invitations or inducements to engage in investment activity, unless the person authorised or an authorised person approves the communication's content.

4 Smart contracts

4.1 Can a smart contract satisfy the legal requirements of a legal contract under the laws of your jurisdiction? What will be considered when making this determination?

The constituent elements of a legal contract in England and Wales are as follows:

  • There must be offer and acceptance;
  • There must be valid consideration;
  • There must be an intention to create legal relations; and
  • There must be sufficient certainty.

If a smart contract satisfies all of the elements above, then it will very likely have legal effect.

Smart contracts are capable of satisfying the requirements of English law contract formation principles and can therefore be interpreted and enforced using ordinary and long-established legal principles. Such contracts can also be enforced by the courts.

A statutory signature requirement is capable of being met by private key encryption methodologies.

4.2 Are there any regulatory or governmental guidelines or policies within your jurisdiction which provide guidance on regulating/defining smart contracts?

On 18 November 2019 the chancellor of the High Court, Sir Geoffrey Vos, in his capacity as chair of the UK Jurisdiction Taskforce, set out certain conclusions in a document entitled "Legal statement on cryptoassets and smart contracts". The paper concluded that smart contracts are capable of being legally binding in the normal way. The paper was designed to bring some measure of legal certainty to the matter.

4.3 What parts of traditional contract might smart contracts be able to replace?

Most of the use cases for blockchain envisage smart contracts as a potential benefit - the idea being that performance can be affected by the parties automatically and indisputably.

The number of use cases for smart contracts is endless and the following examples are illustrative:

  • to pay for goods or services upon delivery;
  • to pay royalties - for example, in the music industry;
  • to order stock automatically when supply levels dip below a certain threshold, with immediate payment;
  • to pay insurance moneys automatically upon the occurrence of an insurable event, such as a flood;
  • to pay money out of escrow upon a defined trigger event, such as a property lease coming to an end; and
  • to levy customs duties automatically when goods arrive at a certain port of entry.

4.4 What parts of traditional contracts might smart contracts be unable to replace?

Sometimes computer code fails and this should be anticipated with failsafe measures. For example, the programmer can include code demanding human intervention if there is some sort of failure. For example, if some required input is not forthcoming on or before a certain date, the code can demand it from a human.

Just as there is an endless number of use cases for smart contracts, there is an endless number of situations in which smart contracts are not practical. For example, contracts often use terms that are ambiguous, such as ‘sufficient cause', ‘reasonable efforts' or ‘best efforts.' One party might believe that the ‘reasonable efforts' threshold is met, while the counterparty disputes that idea. A smart contract is not reliably capable of this type of determination.

Contractual interpretation can be a minefield and has always needed humans or the courts to determine meaning.

The addition of the word ‘smart' in the term ‘smart contracts' implies some sort of intelligence on the part of the code. This is a misnomer, because smart contracts are actually pretty dumb. The smart contract code simply checks certain conditions and parameters, and then follows the code to self-execute. A truly ‘smart' contract would take into account all of the surrounding contextual circumstances, sense the spirit of the contract and make determinations that are fair and contemplated even in murky circumstances.

4.5 What issues might present themselves in your jurisdiction with regard to judicial enforcement of smart contracts?

One of the requirements for the formation of a contract is offer and acceptance. An offer can be broadcast on the blockchain quite easily; but for acceptance to be valid, the ‘acceptor' must understand the terms of the offer. In practice, this will mean that the acceptor must have access to a written contract and normally it will be necessary to demonstrate that the acceptor has understood the terms. If the acceptor cannot understand the code language, then the code must be interpreted into something that he or she can understand, such as his or her own language. Because no translation is perfect, issues are predictable.

Traditionally, contractual interpretation has included an element of the parties' intention. For example, a judge can adduce evidence of a party's intention to create legal relations through its pre-contractual or post-contractual behaviour. Although some might argue that it is impossible to breach a smart contact because the code is self-executing and immutable, this argument will not withstand judicial scrutiny. The court will very likely entertain that a smart contract has been breached if intention is absent, even if it self-executed.

There is a myriad of potential jurisdictional issues with the judicial enforcement of smart contracts. For example, the nature of blockchain, as a distributed ledger, presents a jurisdictional challenge to the court. For example, if a certain house is located in England and Wales, the court can quite easily establish jurisdiction and solve the dispute. But with a smart contract on a distributed ledger, the court might meet challenges establishing jurisdiction over the related assets. The court might even have difficulty establishing jurisdiction over the parties to the contract or the blockchain platform.

The court might further struggle with jurisdiction over the relevant subject matter of the dispute and need to consider whether judicial intervention is compatible with the nature of the smart contact, including concepts such as immutability of distributed ledgers and public policy.

The court might be asked to decide a case involving a smart contract made up partly in code and partly in the traditional written form. One could envisage a situation whereby the court may need to decide, in the case of conflict, whether the code or written translation will take precedence.

4.6 What are some practical considerations that parties should consider when drafting a smart contract?

Issues may arise where a trusted source of information is designated as the trigger for the contract's performance. The information source could unexpectedly cease to be available or a party could tamper with it. In conventional contracts, there are ways of addressing this problem, such as:

  • the inclusion of fall-back provisions; or
  • the inclusion of force majeure provisions that review performance, allowing for termination if an unexpected event occurs.

However, smart contracts are designed to execute automatically based on the inputs. If they are not coded to recognise that a fall-back or termination condition has been triggered, or to respond to manual intervention, then the contract could fail to execute according to the parties' intent.

Parties should test their smart contracts, engaging testing services, of which there are now many. After all, smart contract code is written by humans; it is not unforeseeable the code may contain bugs or errors.

Soon, smart contracts will be a common tool in both domestic and international commerce. Businesses should to upskill their employees and develop in-house capabilities for coding smart contracts in anticipation of this imminent development.

4.7 How will the foregoing considerations differ when smart contracts are running on a private versus public blockchain?

Smart contracts on private blockchains can afford participants significantly greater privacy and information control. Essentially, participants' identities are kept secret and unauthorised parties cannot see the contracts themselves.

EY recently released ‘Nightfall', which facilitates transactions with near-complete privacy. Nightfall leverages "zero knowledge proofs", allowing parties to transact while sharing only the bare minimum of information. This important development in smart contracts will no doubt attract corporations and institutional players seeking greater security and privacy in smart contracts. Nightfall is still being actively developed.

5 Data and privacy

5.1 What specific challenges or concerns does blockchain present from a data protection/privacy perspective?

Immutability: Blockchain's immutability might be incompatible with users' right to erasure under the EU General Data Protection Regulation (GDPR). This is because a user's data is immutably written onto a blockchain unless a majority of nodes cooperate to remove it. The removal of data could therefore generate unwanted attention for users wishing to be forgotten.

Public/private keys: On a blockchain, participants execute transactions by signing them with their private keys and broadcasting the transaction to all other network participants. The other participants only see the public key representing the participant making the transaction, which they are unable to read without the private key. However, if users make multiple transactions with the same key, they might become identifiable. Their public key will then fall under the GDPR definition of ‘personal data' and will be subject to GDPR guidelines.

Personal data: Transactions on a blockchain may include personal data such as an identification number. Blockchains assign data with a code known as a hash. The hash function takes input data, which may include personal data, and turns it into output data of a fixed length. A cryptographic hash function works only one way, meaning that the output cannot subsequently be reversed. The Article 29 Working Party (an EU advisory body) considers such personal data to be pseudonymised rather than anonymised. Accordingly, this type of data should remain subject to the GDPR.

5.2 What potential advantages can blockchain offer in the data protection/privacy context?

The decentralised nature of blockchain ensures that no data loss will occur if a computer or node is compromised - in other words, there is no single point of failure. This is achieved by breaking data into small fragments and distributing them across a network of nodes, creating a digital ledger of transactions with no central control point.

Furthermore, activities and data on the blockchain are encrypted and it is possible to prove that data has not been tampered with. Users can assess file signatures on every ledger on every node to verify that changes have not been made.

6 Cybersecurity

6.1 What specific challenges or concerns does blockchain present from a cybersecurity perspective?

Countless attacks have been made against several crypto exchanges which, in aggregate, have cost people over $1.7 billion. These attacks were usually perpetrated against exchanges' cyber-apparatus. For example, hackers target exchanges' ‘hot wallets' (internet-connected applications used to store customers' private keys). For hackers, these touchpoints between blockchains and real-life utility are chinks in the armour of blockchain.

Hackers have also targeted smart contracts encoded onto blockchains. In 2016, hackers stole around 3.6 million Ether, exploiting an overlooked vulnerability in a smart contract on the Ethereum blockchain. Ethereum's software engineers ‘reclaimed' the stolen Ether by rewriting the blockchain so that the Ether was never stolen. In other words, they ‘hard forked' - a controversial move, to say the least.

Poorly designed blockchains might also be vulnerable to ‘Sybil attacks'. If a network relies on a numerical majority of nodes, it can be overpowered by an attacker using spoof nodes such that they outvote the honest nodes. The attackers can decline to transmit or receive blocks, stopping others from participating in the network.

Blockchain technology may not be a good fit for small-scale systems designed to use little processing power, since an uneconomical amount of processing power might be expended in making it secure. This potentially precludes a significant chunk of the Internet of Things from exploiting blockchain technology's cybersecurity features.

On a related note, the findings of De Nederlandsche Bank's recent experiments with blockchain technology could indicate that blockchain is not yet fully capable of responding to the needs of financial markets infrastructure. It found that the most significant limitations are inadequate capacity and excessive energy consumption. Nevertheless, the findings did indicate that financial markets infrastructure would be less exposed to cyber-attacks through the integration of blockchain technology.

6.2 What potential advantages can blockchain offer in the cybersecurity context?

Despite the enthusiasm, blockchain is not a panacea for all cybersecurity risks; but its unique features will undoubtedly enhance cybersecurity for some large-scale networks. This question calls for a ‘back-to-basics' look at some of the elements of the original Bitcoin protocol.

Bitcoin utilises a peer-to-peer network to authorise transactions made with the currency. To initiate a transaction, a payer cryptographically signs a transaction to transfer the bitcoins from him or her to the payee, then sends the signed transaction to some nodes in the network. Those nodes share the transaction with their neighbours. A node receiving the transaction verifies that the payer signed it and that he or she is the owner of the bitcoins that he or she attempts to use. The node then authorises the transaction by solving a difficult mathematical problem and, in so doing, creates ‘proof' in the form of a hash. Additional information that is included in the block is the hash of the previously authorised block. These blocks create a chain and every block identifies the immediately preceding block. Upon successfully authorising a transaction, a node sends the ‘proof' to all its neighbours. They then send the information to their neighbours and so on. Finally, the nodes in the network ‘agree' that the payer's bitcoins have been transferred to the payee.

The Bitcoin protocol makes certain that if a majority of processing power - not just a majority of identities - follows the protocol, the blockchain cannot be interfered with. As mentioned in question 6.1, using a majority of identities leaves the blockchain open to Sybil attacks because it is easy to create fake identities.

Ultimately, we are left with a ledger of shared information that stores the history of the blockchain using complex hashing and encryption. And when new information is presented, to be added to the blockchain, it must be accepted by a robust consensus mechanism. This template attracts public institutions and private businesses or people wishing to enhance the security of their everyday operations. Certainly, blockchain's application is much broader than just in the cryptocurrency sphere.

Most cybersecurity systems use a trusted, centralised authority to verify data; but, as explained, blockchains are decentralised and do not need the trust or authorisation of any one member, because every member has a copy of the history of the chain and information is added only via consensus. There is no single point of failure – the cryptographic security of each block is verified by the network, rendering it difficult to hack. Centralised cybersecurity systems are at higher risk because hackers can concentrate their efforts on the one rather than the many.

Recently, blockchain technology was trialled in the administration of benefit payments. Perhaps more exciting is the trialling of the integration of blockchain in the UK Land Registry. Its research team completed a dummy transfer and found that blockchain could enable higher levels of cybersecurity.

Furthermore, blockchain-based cybersecurity services are being considered for critical UK infrastructure, such as nuclear power systems, electricity distribution grids and flood defence systems.

6.3 What tools and measures could be implemented to mitigate cybersecurity risk?

Best practice protocols must be put in place to ensure that proper and indeed sufficient information is collected from onboarded members. Related to this is the need to ensure that the right members have the right degree of access to the network data.

It will also be necessary for regular and rigorous vulnerability scanning, to expose potential threats and give insight into risks and remedy procedures. Inadequate incident response has been a particular failure of compromised blockchains in the recent past.

It is imperative that a hardware security module is kept in order to safeguard and manage the identity keys of members.

New tools and protocols are being developed every day to prepare for and counter the different types of attacks and anticipate future vulnerabilities - especially with regard to those touchpoints between real-life utility and blockchain. There is a clear need for improvement when it comes to developing tools to access and use blockchain, especially in the cryptocurrency context.

7 Intellectual property

7.1 What specific challenges or concerns does blockchain present from an IP perspective?

Because several different parties can make a blockchain application, it can be difficult to ascertain who owns the IP rights. If an application uses a public chain network or a third-party platform, the owner(s) of the intellectual property in the underlying technology could assert their rights over such technology through the relevant terms and conditions covering that technology's usage.

It is much harder to obtain blockchain patents because each invention based upon it needs to show a novel use of the technology.

7.2 What type of IP protection can blockchain developers obtain?

Creative works such as computer code are under copyright by default. When it comes to open-source blockchain development and copyright, there are several different types of licences - such as MIT, Apache 2.0 and GPLv3 - available to developers. These manage how open source code is modified and shared. Some licences are more permissive than others. There are also licences which permit only non-commercial redistribution or modification of the source code for personal use.

Furthermore, some significant blockchain developments are patentable. When developers solve technical problems related to malicious threats, verification, validation or authentication, the solutions can often be patented. However, as outlined in question 7.1, the patentability bar is high.

7.3 What are the best open-source platforms that could be used to protect developers' innovations?

This depends on what sort of copyright licence the developer chooses, not on the platforms.

7.4 What potential advantages can blockchain offer in the IP context?

The following are some advantages that blockchain can offer in the IP context:

  • Due to its immutability, auditability and transparency, and because it reduces the number of intermediaries, blockchain helps in providing evidence of rights, record keeping, the tracking and distribution of rights and the establishment of IP contracts.
  • Smart contracts have the potential to protect copyright and automate the sale of creative works online, minimising the risk of piracy.

A final point: there are hundreds of different patent registries around the world. Blockchain's distributed nature provides a revolutionary solution to patent offices.

8 Trends and predictions

8.1 How do you think the regulatory landscape in your jurisdiction will evolve in the blockchain space over the next two years? Are any pending changes currently being considered?

From a regulatory standpoint, the UK approach to blockchain has been both balanced and accommodative. For example, the Innovation Division set up by the Financial Conduct Authority (FCA) in November 2018 aims to promote innovation in fintech and includes the FCA's regulatory sandbox, which lets businesses test innovative financial services propositions with real customers. Furthermore, the government established the All-Party Parliamentary Group on Blockchain in January 2018 to ensure that industry and society at large can maximise blockchain's benefits.

UK blockchain policy is still very much in its developmental stages. However, as the regulators' approaches begin to take shape, businesses, public bodies and financial institutions will start to engage with blockchain in a more meaningful way.

On the other hand, regulators are cognisant of their duty to protect consumers against the risk of financial loss. In this regard, the FCA will have to address the regulatory lacuna that exists in respect of cryptocurrency regulation more fully and soon.

8.2 What regulatory changes would you like your jurisdiction to implement to further advance the blockchain industry?

To speak of regulatory changes is perhaps inapposite. The UK regulators tend to take a ‘wait-and-see' approach to novel challenges such as blockchain, minimising the risk of legislation that has a chilling effect on innovation and entrepreneurship.

Blockchain is still young and wide-reaching regulation risks unforeseen consequences. Of course, there is a need for regulatory certainty; but the government's continued programme of research, engagement and facilitation of innovation in these circumstances is the best approach at this point in time.

There is a need for collaboration with industry participants and coordination among the various regulatory bodies responding to blockchain and cryptocurrency. Such collaboration and coordination will hopefully avoid a hodgepodge of confusing policies that would undermine certainty and hamper innovation.

8.3 What is the largest impediment within your jurisdiction to the adoption of blockchain technology?

A 2018 report by PwC on the state of blockchain today, in which 41 UK executives were polled, found that the most significant barriers to wider business adoption were ‘regulatory uncertainty' and ‘trust'. A market research paper by Digital Catapult released in November 2018 similarly found that 74% of companies identified regulatory uncertainty as their most pressing challenge, while 45% stated that they could do with more legal advice.

Concerning regulatory uncertainty, the UK government is taking a measured approach to the introduction of blockchain regulation. It considers it to be within everyone's interests to exploit a potentially revolutionary technology if and where possible. Frankly, the last thing businesses and individuals need is rushed, ill-considered regulation.

Today, cryptocurrency is by far the most widely used blockchain application in the United Kingdom. It is no secret that cryptocurrency has garnered some notoriety and it would be reasonable to conclude that this has affected the adoption of blockchain indirectly due to blockchain's close association with cryptocurrency, even though blockchain has far broader utility.

9 Tips and traps

9.1 What are your top tips for effective use of blockchain technologies in your jurisdiction and what potential sticking points would you highlight?

Consumer protections: Keep your ear to the ground if your UK business uses, accepts, deals in or is in any way involved in cryptoassets. Regulators are concerned about the lack of consumer protections that apply to the cryptoassets market. It is highly unlikely that nothing will be done to respond to this issue. As mentioned above, the Financial Conduct Authority (FCA) has already proposed a ban on the sale of derivatives and exchange-traded notes referencing types of cryptoassets.

Fifth Money Laundering Directive: The Fifth Money Laundering Directive has introduced onerous requirements for cryptoassets businesses. The FCA will be hawkeyed in its role as supervisor and companies must be prepared.

Final point: The Internet is teaming with blockchain zealots preaching the gospel that "Blockchain is the answer, but what's the question?" There is an extensive choice of blockchain uses, but blockchain is not suited to everything. For example, blockchain is unnecessary when there is no business network: having a business network is the mandatory test for a blockchain use case.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.