INTRODUCTION
Almost every person has heard of cryptocurrency, especially, at the time when the Government of India is planning to propose a Bill to regulate cryptocurrency in India. With the advent of digitalization, digital payment systems like cryptocurrency have become extremely popular and has expanded to a great extent in the past few years.
The blockchain technology used for transacting in cryptocurrency offers tremendous growth opportunity to the players in the market. Blockchain technology has also played an essential role in achieving a decentralised finance mechanism where the reliance on a central entity, often a bank, is eliminated and the potential risk of the entire financial system collapsing is reduced.
The technology, since works on internet, is inherently vulnerable to cybercrimes. Furthermore, with companies proposing to build their own cryptocurrency, the data security and privacy of users become of utmost importance. Many countries are coming up with legal framework- some choosing to ban cryptocurrency, many choosing to regulate it, and others coming up with alternatives.
UNDERSTANDING CRYPTOCURRENCY
Cryptocurrency can be understood as coins held virtually, which has no inherent value of its own, and are used as medium of exchange. It does not exist in any physical form, i.e., it exists only on network and can be exchanged for goods or simply be redeemed.
Contributing to the trend of decentralised finance (DeFi), cryptocurrency offers a decentralised finance mechanism and is not usually regulated by any banks or financial institutions. Subsequently, the supply of cryptocurrency is not decided by a Central Bank and depends on its demand, among other factors. It is pertinent to note that cryptocurrencies are generally highly volatile. Besides, there are variations in the demand and the quantity supplied of cryptocurrency. For example, cryptocurrency such as Bitcoin has a limited stock whereas, cryptocurrency such as Dogecoin has unlimited supply due to unlimited stock.
Cryptocurrency is generated and stored virtually using the blockchain technology. A blockchain is a public ledger displaying all transaction on a peer-to-peer network. The ledger and encrypted hash ensure that there is no counterfeiting. Such ledger keeps record of all the transactions in an encrypted format which can be viewed by any of the users over the cyberspace. Being a peer-to-peer network, the blockchain technology eliminates the need of any intermediary such as banks and offers a completely decentralised system. Apart from currency, users can share contracts, record or any other data on blockchain.
The major cryptocurrency uses public-private key pair to effect transaction. Once the user requests a transaction, the transaction is then sent to computers using peer-to-peer network, which further validates the transaction using algorithms or mining. The verified transaction, together with other transactions, creates a new block and attaches itself to the existing chain. Each block has its unique hash function and can be viewed by anyone. This makes cryptocurrency practically impossible to alter the block and ensures transparency.
DATA PRIVACY CONCERNS ON CRYPTOCURRENCY
While the privacy features of blockchain technology is said to protect the massive bulk of data of the users, it still poses major threat to all the users who are subject to potential risks with regard to technology. Some of the data privacy concerns in blockchain technology are discussed hereunder:
1. Public Ledger
Public ledger is one of the primary aspects of blockchain technology wherein anyone can verify the transaction records available online. Such public platforms can pose to be a risk for blockchains as the same might lead to data breaches or data leaks. The public ledger can become a tool for tracking users, their digital assets, or their spending mechanism. Hence, this can result in breach of user personal information.
2. Territorial Concerns
Blockchain is not bound by jurisdiction- it is boundaryless in nature. Data privacy regulations and laws are usually applicable to either the individual’s location or the Data Processor’s location, or both. In case of blockchain, it is difficult to evaluate jurisdiction and thereafter imposing the applicable laws. In the light of the same, blockchain projects that handle personal data need to ensure compliance with the data privacy laws of the jurisdictions they are functioning in.
3. Cross-Border Transfer of Data
Besides the aforementioned, the distributed nature of blockchain technology poses a challenge regarding the restriction pertaining to cross-border data transfers. For example, the General Data Protection Regulation permits data transfers outside the European Union and the European Economic Area only under strict specific circumstances. Furthermore, such transfer requires particular safeguards even at the end of the recipient in order to maintain the same level of protection.
In case of blockchain technology, it is difficult to trace the transfer of personal data across the border and such transfer can pose to be a potential threat for both the Data Subjects and data Controllers.
4. Processing of Personal data
Data privacy laws around the globe limit the processing of data and requires Data Processors to store, manage and transfer personal data only for legitimate reasons. For example, various laws restrict processing of personal data until and unless due consent has been obtained from the Data Subject. If not complied with, the Data Processors are subject to heavy penalties. In the same way, the blockchain projects should also ensure that as and when it processes the personal data, it should obtain due consent from the Data Subjects or have reasonable reasons to do so.
5. Ownership of Data
Once the data stored on blockchain is further transferred, it blurs the ownership of such data. Therefore, who owns the data, whether the user has the privacy rights over such data, whether the data can be transferred furthermore, all these issues remain unanswered. As the blockchain functions differently, it is difficult to understand the ownership rights over the data.
6. Blockchain Storage
Blockchain technology works on ‘create-retrieve-append-burn’ methodology wherein once a transaction is incorporated into the blockchain, it cannot be deleted or cancelled, i.e., the data remains unaltered. In such circumstances, it means that if the cryptocurrencies are hacked or transferred illegally, it is not possible to undo such an action. In addition to this, it becomes extremely difficult to track such illegal transfer of data or cybertheft.
More than to investors, the cryptocurrency is attractive to cybercriminals. The world is not unknown to the Cambridge Analytica scandal wherein the personal data of millions of Facebook users was compromised. The cybercriminals may infiltrate into the database and steal user’s personal as well as financial information to indulge in activities of phishing and hacking. Using the sensitive information, such cybercriminals may ask the user for profit, ransom, hack the user’s wallet or simply hack or steal the cryptocurrency from user’s wallet.
In blockchain technology, the users are represented through string of addresses. Therefore, if someone manages to link user’s identity with their address, they will be able to track all the transactions by that user since the ledger is public. Ensuring data privacy and security, maintaining confidentiality of user transactions and at the same time, tracing the user for the purposes of law enforcement is a task that any company proposing its own cryptocurrency needs to undertake.
RECENT DEVELOPMENTS
Companies such as Facebook, Mitsubishi UFJ Financial Group, Air Asia, Walmart, Amazon are developing their own cryptocurrencies. While cryptocurrency offers fast and efficient mode of transaction which can be carried out across border on the Internet, it raises serious privacy and security concerns.
For instance, Facebook along with its subsidiary, Calibra, proposes to launch its own cryptocurrency, Libra. For this, the company will be required to store user data. Though Facebook stores data of users using its social media platforms, what is different this time is that Facebook will additionally be storing user’s financial credentials. Likewise, the other companies will also be storing user’s personal and financial information.
J.P. Morgan Chase has become the first bank to launch its cryptocurrency JPMorgan Coins on its blockchain network ‘Liink’. While Facebook faced severe backlash from regulators for privacy threat, J.P. Morgan did not see such backlash. Instead, its network is joined by banks across countries, including in India. Blockchain technology provides a fast and efficient means to make transactions across borders which were often cancelled due to some error in information in the traditional banking system.
The company claims that its blockchain is built on the technology that the address of person transacting does not become public, his/her anonymity is maintained and only the person who has been given access can view the information of the person, ensuring that the person becomes traceable when required by law enforcement agencies.
AMLEGALS REMARKS
The success of a cryptocurrency depends on its blockchain technology. While blockchain offers a solution to existing problems by providing a system for decentralised finance, facilitating cross-border transaction, and providing a fast and tamer-proof method of transaction, the inherent vulnerability to cybercrimes makes users reluctant to adopt such technology.
In the digital era, safeguarding such online payment systems and finance mechanisms are of utmost importance. With the rise of cryptocurrency around the globe and the border-less nature of the Internet, it is necessary to secure the sensitive personal information of the users which includes personal details, financial information, passwords, PINs, etc.
In the recent past, India has witnessed a number of data breach incidents wherein multinational conglomerates fell prey to data breach and hacking. In the backdrop of the same, it is imperative for the users to be cautious about sharing their personal and sensitive personal information over the cyberspace as the Personal Data Protection Bill, 2019 is yet to be enacted.
The companies proposing to launch their cryptocurrency also have to ensure that anonymity and confidentiality of a transaction and user’s data is maintained and consequently, the same becomes traceable when required for enforcement of law. Also, since many states are seeking to regulate cryptocurrency by having a legal framework, such companies will have to mandatorily comply with the regulations of the jurisdiction they propose to launch their cryptocurrency in.
– Team AMLEGALS assisted by Ms. Tanish Gupta (Intern)
For any query or feedback, please feel free to get in touch with aditi.tiwari@amlegals.com or mridusha.guha@amlegals.com.
Leave a Reply