The advent of any new technology brings with it the murkiness of how the legal and regulatory systems of various jurisdictions will treat the new technology. Up until a few years ago, the legal validity and enforceability of electronic contracts were being debated. However, now, electronic contracts and digital signatures have found a place in the legislation of almost every state and are recognized by their respective state governments. The legislative process for the regulation of blockchain technology has already started. American states such as Arizona and Tennessee have enacted laws providing that records stored on the blockchain and signatures made over the ledger shall be considered electronic records and electronic signatures, respectively. However, India is in the process of introducing a bill to regularize and formulate the manner of dealing with digital assets and digital currencies through blockchain.
While blockchain has the potential to revolutionize commercial transactions and business operations, it is important to be aware of the challenges of blockchain technology before jumping in with both feet. So, if you are planning to launch your own blockchain start-up, read this article carefully to understand the legal issues surrounding the regulation of blockchain technology.
What is a blockchain?
Blockchain refers to a decentralized public ledger on which data can be stored and digitally distributed across various computer networks that are linked in a peer-to-peer network. What distinguishes it from ordinary methods of electronic storage is its immutability (data can neither be altered nor deleted), transparency, high security, faster settlements, and decentralized nature. These characteristics clarify why businesses want to hop on to this new technology and utilize its benefits.
Legal issues for blockchain companies
Jurisdictional issues: Being a decentralized ledger, the nodes of the blockchain can span a large number of locations across the world. This means that every transaction stored on the blockchain could potentially fall within each and every jurisdiction in which a node of the network is situated, resulting in an overwhelming number of rules and legislation that might apply to the blockchain network. The system would have to be compliant with all applicable legal and regulatory regimes. This also makes it difficult to pinpoint the location of a transaction if that particular transaction turns out to be fraudulent or erroneous in nature.
Governing Law: The laws and regulations of different jurisdictions vary, including the basic principles of contract and rightful title. What constitutes a valid contract in one state might be a void agreement in another state. To avoid this confusion, the law governing the transactions must be pre-determined by an internal governance system. This would enable the users to determine the validity of the contracts and their rights and obligations under them. It would also be useful to specify a mode of dispute resolution that is acceptable to all the parties involved.
Cyber security: While the blockchain itself is considered to be a highly secure and “tamper-proof technology”; this advantage is negated if the information stored on the blockchain is compromised, to begin with! Rather than targeting the ledger itself, cybercriminals attack the data input points, which leads to false or misleading information being stored. A 15-year-old child from the UK proved that these types of attacks are possible when he developed a proof-of-concept code that permitted backdoor access into hardware wallets. This method would allow attackers to alter the payment amounts and wallet destinations and even divert payments to their own accounts in an undetectable manner, making it seem like the amount has reached the destination wallet.
Apart from the above technique, brute force attacks are also a potential threat. In most blockchain systems, the majority of the processing is carried out by a concentrated number of nodes. If the attacker is able to identify these nodes and target them, the ledger would be compromised. Cryptocurrency exchanges are also vulnerable to Eclipse or Sybil attacks and denial of service attacks.
Force Majeure: This provision of contracts typically covers events such as wars, pandemics, natural disasters, fires, or anything that is beyond the control of the common man and the like. However, in the case of a blockchain-based system, there may be other legal issues to consider, such as malfunctioning of a smart contract, issues in transferring cryptocurrencies, a party’s access to the blockchain being compromised, etc. It must be explicitly stated whether such events fall within the sphere of force majeure events and whether parties can rely upon them to avoid or delay the performance of their obligations under the contract. An exception may also be carved out to this provision stating that “parties cannot claim the protection of the force majeure provision for issues resulting from that party’s own default or failure to maintain industry-appropriate protection measures.”
Intellectual Property: The ledger will inevitably contain value and ownership of that intellectual property (“IP”) as an important consideration. Customers may insist on ownership of such IP, or they may choose to license it for the term of the agreement or agree to a perpetual license if it is not exclusive to that particular blockchain network, or they may restrict the ability of the vendor to use the IP on the basis of time, recipients or method of usage.
The majority of the blockchain and virtual currency projects are developed under open-source licenses. Such licenses are typically non-commercial, royalty-free, and impose certain restrictions on the users. Thus, it is important for companies to understand the limitations of the open-source license granted to them and to shield off any potential liabilities that may arise due to a violation of the license conditions.
Further, any new software developments (such as mining, encryption methods, payment modes, etc.) must be patented so that the company owns the IP to the new technology. Blockchain-based start-ups must actively file patent applications to safeguard the critical components of their technology.
Accountability and Decentralised Autonomous Organizations: A key question for regulators when it comes to decentralized systems is who should be held accountable for a breach of the law. Decentralized Autonomous Organizations (“DAOs”) are entities that are autonomous in nature and are run by the implementation of pre-coded rules. As such, they require little to no human interference and are used for executing smart contracts which are then recorded on the blockchain. This gives rise to numerous legal issues for blockchain companies. Firstly, what would be the legal status accorded to such entities? Are they merely automated legal contracts, software, or a legal entity like a corporation? Do they possess the powers given to ‘traditional companies’ such as the power to sue and be sued? Who would be liable in case of violation of any law(s)? This dilemma is analogous to the time when it was difficult to determine who should be held liable for the acts of violation committed by a company. The issue was resolved by introducing the doctrine of piercing the corporate veil. Do we need to develop similar legal principles for determining the liability of DAOs or their creators? Only time will tell. Regulatory bodies and courts will find it difficult to decide such disputes and may even advocate against the wholesale adoption of such technology for which there are no rules in place.
Databases as Property: While companies usually do not have IP rights over the separate pieces of information provided to them, a compilation of data, i.e., a database falls within the scope of intellectual property rights in various jurisdictions. In India, databases are protected as a form of literary work under the Indian Copyright Act, of 1957. Companies often transfer such data to other bodies, such as their data processors, marketing agencies, and other service providers, for either store the data or to provide better services. If the person or entity to whom the database is transferred wishes to make use of the information for a different purpose, they would have to obtain consent from the concerned individuals to comply with the data protection regulations prevailing in most jurisdictions.
Privacy of data: While immutability is one of the key characteristics that make blockchain useful, it acts as a double-edged sword. Since data once stored on the ledger can neither be deleted nor altered (at least, not easily), the blockchain is automatically rendered non-compliant with data protection laws. The General Data Protection Regulation of the European Union provides for the “right to be forgotten” while the California Consumer Protection Act also gives consumers the right to request for their data to be altered or deleted.
Further, cryptocurrency transactions are said to be “pseudonymous” in nature, which means that although the data points are not directly connected with a particular person, multiple appearances and separate data points of that person can be linked together. Once the data is attributed to a person, his entire lifetime’s pseudonymous transactions are at risk of being exposed. This risk is bound to increase over time due to the permanence of transaction history on the blockchain.
Smart contracts: Smart contracts are prewritten computer codes. The terms of the contract are defined on an “if” and “else” basis. When the specified criteria are met, these blockchain-based contracts are automatically executed, without the need of any intermediary party to confirm the transaction. This raises questions about the legal enforceability of such contracts. Since everything is automated, there is little scope for negotiation. The elements of the offer, valid acceptance, meeting of minds, consideration, etc. may also have to be considered.
It is also possible that software developers could be held responsible for poorly written pieces of code that result in a loss(es) to customers. This can be a result of the code malfunctioning or operating in a manner not intended by the parties to the transaction. Further, DAO public blockchains can be hacked. In 2016, there was one such attack where the hacker targeted the smart contracts run on the blockchain and transferred almost $50 million in funds to a sub-contract controlled by the hacker. The code developer or the DAO can be held liable for such attacks.
Product Acceptance: In most smart contracts, the buyer first makes the payment, which is held in a secure place until the seller releases the goods/cryptocurrency. Once the goods or virtual assets are released, the payment is automatically made to the seller. This raises the question of product acceptance. Traditional contracts often contain provisions regarding the standard and quality of the goods and the buyer is not deemed to have accepted the goods until he has had a reasonable opportunity to examine whether they are in conformity with the contract. Most traditional contracts dealing in the international sale of goods are governed by legislation such as the UN Convention on Contracts for the International Sale of Goods 1980 (CISG) which contains provisions regarding the buyer’s acceptance of the products. The smart contract must clearly specify which laws are applicable, whether there is any scope for denying the goods, and at what stage the product acceptance occurs.
Compliance with financial and tax laws and regulations: This is a complex and ambiguous area since different jurisdictions have varying financial laws and regulations. Most financial laws are applicable to the agent or custodian of financial products. However, Defi systems (Decentralized Finance) have a non-custodial structure which creates an ambiguity about whether these laws apply to such systems.
The application of current tax frameworks to a digital economy has also proved to be a challenge. There may be separate rules for the taxation of cryptocurrencies, utility tokens, supply chain management platforms, etc. In many states, crypto exchange platforms are required to regularly conduct risk assessments and implement anti-money laundering programs. In the US, the Bank Secrecy Act regulates money service businesses including virtual currency platforms. Under this law, Americans are prohibited from carrying on any business with foreign nationals who are on the blocked entities or specially designated nationals list.
Due diligence requirements: The traditional methods of due diligence need to be adapted. Transactional lawyers conducting due diligence on investments in blockchain-based start-ups must have knowledge of the new technology and the unique issues associated with it, such as ownership of data, intellectual property, limitations of open-source blockchain platforms, etc. These factors must be evaluated from the perspective of competitive barriers to entry and business value proposition.
Antitrust considerations: In the case of collaboration or joint ventures between competitors over a blockchain platform, there is a risk of the exchange of sensitive information between competitors, which can result in anti-competitive trade practices. Businesses must have safeguards in place to avoid the exchange of confidential data, such as setting permissions that only allow the intended recipients to access the information contained in a block of data. Aggregating or anonymizing the sensitive data stored on the blockchain may also be helpful in preventing competitors from taking advantage of it.
Confidentiality: In the case of multi-party blockchains, it must be explicitly stated whether the addition of confidential information to the blockchain by the receiving party is considered to be a breach or a permitted disclosure by the disclosing party. Keeping in mind the immutability of blockchains, the provisions pertaining to the return and/or removal of confidential information upon the expiry of the term of an agreement must also be considered and adopted.
Virtual assets (crypto and NFTs): If the blockchain system makes use of virtual assets in its operation, a new host of complications arise. The status of cryptocurrencies varies across jurisdictions. Many states have declared an outright ban on virtual currencies, while some have warned against their volatile and unregulated nature, while a few states such as El Salvador have embraced virtual currencies and accepted them as legal tender. The taxation imposed on these assets must also be taken into consideration. In India, the Union Budget 2022 has introduced a 30% tax on the income generated from virtual assets.
Conclusion: It is evident from the above discussion that there are a number of pertinent risk management challenges for any company intending to adopt blockchain technology. However, we have witnessed such challenges before, during the adoption of the internet, the introduction of e-commerce, and electronic records. The key is to identify the risks and legal issues accurately, and adequately mitigate them where possible. Blockchain companies may also opt for insurance to manage these legal risks. Since cryptocurrencies are considered equivalent to traditional assets like ‘securities and ‘money’, traditional insurance may cover some of these risks. Many leading insurers have also launched specialized insurance products to cater to the crypto and blockchain market. The advantages of blockchain technology far outweigh the potential risks associated with it, and companies who take advantage of this technology now may reap its benefits in the future.