Why are website privacy policies more crucial for blockchain and crypto companies?

October 11, 2023
Ash Costello

Partner


Article written by Ash Costello and Holly Joseph.

Crypto entities, and other organisations leveraging blockchain and distributed ledger technologies, are built on a tech stack that differs fundamentally from the tech stack of traditional industries.  These differences include transparency, immutability and the potential for immediate global publication.  These differences are the features which enable the innovative products, services and operational efficiencies enjoyed in this industry.

Prosaically, an organisation’s tech stack does not excuse it from complying with any relevant laws. Hence, even in the blockchain and crypto industry, financial services licences must be applied for, taxes must be paid, and privacy must be hard-wired ‘by design and default’ into an organisation’s practices and procedures.

What are “Website Privacy Policies”?

The UK data protection regime comprises the UK GDPR (that is, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679)), along with the Data Protection Act 2018 (DPA 2018).

Any organisation that is subject to the UK GDPR is required to have a privacy policy (also called a privacy notice).

A privacy policy helps organisations comply with the GDPR’s core principles, one of which is transparency, which enables individuals to understand what personal data is being collected, why it is being gathered, and how it will be used.

The UK’s data protection regulator, the Information Commissioner’s Office (the ICO), groups the core principles of the UK GDPR into the ten categories listed in the table below.   

The ICO requires organisations to include certain information in this notice, such as the source of the personal data, the lawful bases relied on to justify the processing, and the categories and locations of recipients of any personal data (for example, categories of service providers, business partners or counterparties, as well as their countries).

Website privacy policies – why are they more crucial for blockchain and crypto entities than for entities using traditional technology?   

To lawfully send personal data outside the UK, organisations must apply appropriate safeguards to ensure that the recipient applies the same standards of data protection as the UK GDPR. These safeguards include contractually obliging the recipient to protect the data (for example, using ‘standard contractual clauses’) or transferring data only to an ‘approved country’.

However, blockchain entities cannot usually comply with these requirements. The immutability and transparency of blockchain, and its potential for immediate global publication, often mean that any personal data which has been moved on-chain has been transferred outside the UK, cannot be removed or corrected, and is potentially accessible and visible globally. Picture a ‘peer to peer’ exchange, or the interactions between nodes on a protocol, or the interactions between wallets: these interactions are made possible by the real-time transmission of data on a decentralised basis. Requiring each node on a protocol or each counterparty in a peer to peer exchange to complete the vendor due diligence or other privacy compliance safeguards before sending them any data would defeat the beauty of blockchain’s speed and transparency.

How then can blockchain entities comply with the UK GDPR?   How can they mitigate their risk of regulatory fines or legal actions from individuals? 

Often, such entities tell themselves that any public data is not personal data. This is incorrect. Any data which can identify an individual (either alone, or when used with technology or other information) is personal data. This includes work email addresses, work titles, social media handles, wallet addresses, public keys, IP addresses, telephone numbers and digital identities, among other identifiers. Whether this data is already publicly available is irrelevant. There are very few exceptions to compliance with UK GDPR, and ‘public personal data’ is not among them.

So how can they comply? There is debate among regulators about whether UK GDPR compliance is in fact possible. The consensus is that where personal data must be moved on-chain and cannot first be anonymised by technologies such as zero-knowledge proofs, arming individuals with sufficient information to enable them to give valid and fully informed consent is the best route to compliance. This requires full disclosure about the use of their personal data, its transmission on-chain, and the fact that being on-chain means that personal data is potentially being transferred globally and will not benefit from UK GDPR protections such as the rights to deletion and correction.

What are the penalties for breach? 

Failing to comply with the UK GDPR could attract enforcement by the ICO. Its powers include assessment notices, warnings, reprimands, enforcement notices, and administrative fines. Serious breaches of the data protection principles can attract fines of up to £17.5 million or 4% of annual turnover, whichever is higher.

In October 2022, the ICO issued a fine of £1,350,000 for contravention of one of the core transparency principles by collecting, processing, and using personal and special category data in an unsatisfactory manner. 

Other recent monetary penalties issued by the ICO include a fine of £12.7 million for numerous breaches by TikTok, and a fine of £78,400 against a hospital trust for sending bulk emails to its users. 
