CryptocurrencyData PrivacyImpact of Regulating Cryptocurrency on Data Security Concerns: An International Perspective

INTRODUCTION

A cryptocurrency transaction exchanges a lot of data and in the process, a massive amount of data is collected and stored. According to several prominent crypto exchanges, the data collected from users includes name, email address, address of residence, date of birth, gender, nationality, IP address, password and location of the device, transaction history, etc.

Although awareness about data privacy and protection and the risks associated has been spread to most parts of the world, the implementation of laws for its protection is not ensured everywhere.

INDIA

Presently, in India, there is no law for the regulation of cryptocurrencies and crypto-exchanges. The Parliament is seeking to regulate cryptocurrencies; however, cryptocurrency currently stands unregulated and although cryptocurrencies are not considered as legal tender, people are free to trade cryptocurrencies on crypto-exchanges.

With respect to the protection of data, no dedicated law has been brought in force. However, the Supreme Court in the case of Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors. (AIR 2017 SC 4161) broadened the scope of Article 21 of the Constitution of India, which recognizes the Right to Life and Personal Liberty as a fundamental right, to include the Right to Privacy.

After Right to Privacy was recognized as a fundamental right, the Personal Data Protection Bill, 2019 (PDP Bill) was introduced in the Parliament. The PDP Bill is a dedicated law in development for data protection but hasn’t been enacted yet. Although there are no dedicated bodies or authorities responsible for the purpose of enforcing laws for data protection, certain bodies may be instituted under the PDP Bill.

Further, the Information Technology Act, 2000 (IT Act), which is the primary legislation for the purpose of dealing with cybercrime and regulating electronic commerce, imposes civil liability on body corporates engaged in “possessing, dealing or handling any sensitive personal data or information” for “implementing and maintaining reasonable security practices”. The Act also imposes criminal liability for disclosure of information in breach of lawful contract.

In addition to the above, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Rules) which were issued by the Ministry of Communications and Information Technology in the furtherance of section 43A of the IT Act also provides adequate protection of “sensitive personal data or information” against body corporates (which includes firm, sole proprietorship or other association of individuals).

According to the Rules, sensitive personal data or information also includes “financial information such as Bank account or credit card or debit card or other payment instrument details”. The liabilities of body corporates which collect, deal, handle, etc. information of provider of information include providing a privacy policy, obtaining consent before collection of data, disclosing information to a third party only after having prior permission of the provider of information, etc.

Hence, these general sets of laws are there in place to mandate crypto-exchanges to keep the data of the users safe and secured. In the future, the operation of these exchanges would only depend on the legal status of cryptocurrencies.

JAPAN

Under the laws of Japan, the regulations of different types of blockchain-based assets vary according to certain categories (which are based on the functions of the asset). Cryptocurrencies such as Bitcoin, Ethereum, Tether, etc. are called Crypto Assets and are regulated under the Payment Services Act.

Crypto exchanges are referred to as Crypto Asset Exchange Services Provider (CAESP). CAESPs are required to be registered with the Financial Services Agency (FSA) to be able to operate legally. Further, businesses engaged in the “financial field” are also subjected to “Guidelines on Personal Information Protection in the Financial Industry” which are issued by the FSA. These guidelines ensure that personal data is handled appropriately by such entities.

Additionally, the Act on the Protection of Personal Information (APPI), the primary legislation for the protection of personal data in Japan also establishes principles for data protection. Violation of the provisions of the APPI can attract criminal penalties. The amendment which is going to be implemented in 2022 will enhance the benefits provided to individuals under the APPI.

Crypto exchanges are subjected to the same. These benefits will primarily focus on, inter alia, risks associated with cross-border data distribution. The Personal Information Protection Commission under the APPI, along with certain other ministries time and again issue administrative guidelines applicable to separate industries in this respect. In a nutshell, the data protection regime of Japan is quite exhaustive when it comes to the regulation of crypto exchanges.

UNITED STATES OF AMERICA

The USA does not have a settled and exhaustive legislative framework for the regulation of cryptocurrencies. Registration of virtual currencies which fit the definition of ‘security’ is required to register with the Securities and Exchange Commission (SEC), which is an agency of the Government focused on keeping the markets free from manipulation. Hence the SEC treats cryptocurrencies as securities.

The legislation that is applicable to Crypto exchanges in the United States is the Bank Secrecy Act. According to the Act, financial institutions need to submit certain reports. However, the primary purpose of this Act is to prevent money laundering and financing of terrorism.

The privacy legislation which deals with data collection by financial institutions is the Gramm-Leach-Bliley Act (GLBA) enacted in 1999. Crypto-exchanges are, hence, subjected to the provisions of the GLBA. The GLBA specifically focuses on protection of “non-public personal information”, which is understood as the data which regards an individual’s finances that is not available otherwise publicly.

To achieve this goal, the GLBA mandates financial institutions to increase the secrecy and safety of the information that they collect by incorporating certain measures. It also restricts certain types of data from being collected and limits certain ways it can be used. However, this law is not exhaustive as it has certain loopholes e.g. consumers cannot restrict sharing of their non-public personal information when it comes to third parties that are affiliated with the insurance or bank subjected to this law.

CHINA

China is one of those jurisdictions that has chosen to ban all the transactions of crypto-currencies as it believes that cryptocurrencies “seriously endangers the safety of people’s assets”. Although, trade of cryptocurrencies was banned 2 years ago, additional safety measures were introduced in 2021 to prevent online trade that was taking place through foreign crypto exchanges.

China imposed a ban on banks and financial entities and prohibited them from providing services related to transactions of crypto currency. Following these changes, crypto exchanges have stopped hosting user accounts from China, started retiring accounts from China, and/or  blocking new registrations from China.

SOUTH KOREA

South Korea has taken a slightly strict approach. Though it has allowed exchanges to operate, it has not regarded cryptocurrencies as legal tender. Crypto exchanges, known as “Virtual Asset Service Providers (VASP)” are supervised by and subjected to the regulations of the South Korean Financial Supervisory Service (FSC). VASPs are required to register themselves with a division of FSC called as the Korea Financial Intelligence Unit.

The laws applicable to cryptocurrency exchanges, inter alia, mandate them to have bank account and offer their users with real-name accounts with the same bank. Most obligations under the law are focused on prevent money laundering and terrorism financing.

When it comes to privacy laws in Korea, the Credit Information Use and Protection Act is the relevant law (specifically applicable to financial transactions). It regulates and protects the processing of financial data which includes “personal credit information” and “personal credit information”. Besides, general privacy legislation is also in force, i.e., the Personal Information Protection Act.

AMLEGALS REMARKS

While certain jurisdictions have specific laws pertaining to cryptocurrency, in addition to general privacy protection laws designed to obligate providers of financial services (including crypto exchanges) to protect the data of its users and take measures accordingly, certain countries such as India do not even have general privacy legislation. However, this does not mean that there is no remedy available to its users. In common law jurisdictions, if the Right to Privacy is recognized, users of crypto exchanges can get their right enforced in the courts of law.

However, this is not enough. It goes without saying, “prevention is better than cure”. When the Right to Privacy is violated, in certain circumstances, the damage of disclosure of information may become irreversible. Hence, a robust data protection mechanism needs to be in place so as to affix specific liabilities and restrict entities from disclosing or using users’ information in any manner not preferred by the user.

Moreover, given that cryptocurrencies are not limited by political boundaries, the international institutions should work together on developing a comprehensive set of rules applicable to every jurisdiction so as to better harmonize the system and ensure cooperation which will not only help in protecting data but curb the damage of potential data loss but also help to control illegal activities associated with cryptocurrencies such as money laundering and terrorism financing.

– Team AMLEGALS assisted by Mr. Atharva Khubalkar (Intern)