2015 was the year in which we finally saw financial regulators around the world sink their teeth into the dealings of digital currency and blockchain. Major developments include state-based initiatives such as the BitLicense in New York, New Jersey's Digital Currency Jobs Creation Act, the European Court of Justice's VAT ruling declaring Bitcoin conversions to be tax-free, and the SEC announcing that certain mining contracts can be categorised as securities. Most of these efforts focused on setting jurisdictional boundaries and ensuring the technologies could not be misappropriated for illicit purposes.
This trend for increased regulatory engagement is set to continue throughout 2016 as we begin to see the impact of these initial measures, and additional jurisdictions and overseers enter the fray. As the sector matures, it will be interesting to see how governments treat blockchain solutions, such as R3CEV, Chain and Digital Asset Holdings, aimed at bringing our trading and settlement industries into the 21st century.
However, despite advocates' faith in Bitcoin and the blockchain, its long-term future is not as a means of payment. There are many reasons to be frustrated with our monetary system – high costs, inefficient infrastructure, exposure to poor government policy (as seen in Venezuela, Brazil and Greece, for example) – but, more often than not, these faults are not enough to compel the everyman to eschew traditional currency.
Therefore, aside from blockchain solutions for our financial markets, the best-case scenarios for blockchain's 'killer app' would be found in consumer applications and back-end corporate systems. However, operators in these categories face entirely different regulatory regimes from those in the financial world, as their businesses are increasingly dependent on the use of personal data. Firms moving to these verticals will need to understand and appreciate these unique challenges and constraints in order to succeed.
Recent years have seen an explosion of personal data. As a result, companies across all industries are becoming increasingly digitised, collecting more information about their clients and employees to optimise their businesses and increase profitability. However, as consumers become increasingly aware of just how much companies know about them, they are realising that they are not getting equitable value in return, and are beginning to demand a recalibration of these relationships and additional control over the use of their data.
In response to this shift in public opinion, spurred on in large part by the Snowden revelations, a set of regulators different from those we typically associate with the crypto ecosystem is starting to respond as well: ones focused on the terms 'data privacy' and 'data security'.
These are the challenges that keep executives across all industries up at night as they worry about managing relationships with regulators and customers alike. As they dip their toes into the blockchain with a proof of concept or pilot project, they know full well that any large roll-out would be predicated upon clearance from their regulatory team.
This will not be an easy bar to clear.
Key data privacy and data security terms
Data privacy governs how personal data is used, shared and retained. Data security, however, relates to efforts aimed at restricting access to sensitive data and protecting it from being viewed during its collection, storage and transmission.
Data protection regulations typically begin with identifying the data controller and data subject. According to the European Union, the data controller is a natural or legal person, public authority, agency or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. The data subject is the person to whom a set of personal data applies.
The Foundation of Today's Data Protection Laws
There are no globally administered data protection laws. The closest thing to a set of standards that exists today is the OECD's privacy principles, established in 1980. The guidelines, which have influenced the shape of regulations around the world, put forth eight principles, in sum prescribing that companies collect information necessary for a given purpose; be transparent about data processing; appropriately safeguard information; and allow people to see and correct data that has been obtained from them.
But even within the bounds of these widely accepted tenets, there is room for divergence. For example, the European Union and US – two seemingly similar economic units based on size, free-market values and stage of development – took distinctly different approaches to data-protection regulation.
The EU, home to the first data protection law in the world, is the standard-bearer for the 'comprehensive approach', wherein one law and data-protection authority covers all sectors and data processing within a given economy.
On the other hand, the US has no overarching data-protection law, but instead uses a 'sectoral approach'. Specific regulations and regulators are mandated to safeguard each sector of the economy – healthcare, finance and such – with the goal of customising given requirements based on the unique characteristics of each industry. Differences in approach can cause serious issues for companies that have clients in multiple jurisdictions or who outsource some processing activities, such as HR or payroll, to third parties in different countries.
Additionally, as if this were not challenging enough, these regulatory environments are in the midst of their most dynamic period in history.
Just last month, EU regulators finally agreed on a text for a new data-protection law, entitled the General Data Protection Regulation, which has been in discussion since 2012. Crucially, if passed, this law would impose many new conditions on companies that handle personal data, such as increased consent requirements from data subjects, a broader 'right to be forgotten', a 72-hour company-breach notification requirement, data-portability requirements and, most critically, higher fines up to 4% of global turnover.
In the US, the Federal Trade Commission (FTC) is taking on an increasing role in policing the data-driven activities of companies under Section 5 of the Federal Trade Commission Act (FTC Act) (15 USC 45), which prohibits 'unfair or deceptive acts or practices in or affecting commerce'. In application, the FTC uses its authority under this section to protect consumers from being taken advantage of by data-driven companies. As a recent example, the FTC is making cyber-security a major priority, pursuing companies that did not have adequate security tools and procedures in place. In fact, in late 2015, FTC commissioner Edith Ramirez reiterated to startups and small and medium-sized businesses the importance of cyber-security integration within their businesses at the outset, despite admitting that the economic incentives may not always be in alignment.
The bottom line
At this point in time, companies are entering a period of unprecedented regulatory scrutiny and penalties. Across all sectors, enterprises are now required to have a much greater awareness of their data inventory, be transparent with how they collect and use it, and include additional consumer protections throughout their operations.
This is where the blockchain, smart data and smart contracts come in.
This confluence of regulatory attention and changing customer preferences creates a perfect storm for the growth of a blockchain-based economy. Blockchains, smart contracts and intelligent data can all be used to add granularity to personal data and to encode permissions, conditions and regulatory restrictions. In short, they can build accountability into a firm's data-management procedures. The technology also offers a signature advantage from a security point of view, in that it eliminates the threat of a 'single point of failure'. The threat of an insider attack is similarly lessened through the implementation of 'multi-sig' technology. Further, company information can be hashed on to the blockchain to create immutable, time-stamped records, assisting with auditing or business continuity procedures.
Questions and uncertainty remain
Regulators are studying blockchain technology for its merits but have yet to devote a level of focus on par with other major platforms, such as search engines and social media. This is easy to understand, given the technology's moderate stature to date and the fact that they are trying to handle the Googles and Facebooks of the world. Until adequate attention is afforded to the sector, operators in this space will be working under a cloud of uncertainty for the foreseeable future.
Fortunately, this lag presents an opportunity for key players in the space to establish and promote industry-specific best practices for safe, transparent, ethical and, most importantly, equitable business operations. The intent is to avoid creating a situation that would catch the attention of regulators, which could challenge widespread adoption. Governments are overstretched, so they will certainly appreciate someone making their lives easier. Additionally, this type of work will make companies' conversations with regulators easier once the time comes, since they can show their efforts to be proactive, responsible corporate citizens.
This process, known as 'technological regulation', would see responsible trade groups come together and create sets of standards and principles to which they pledge to adhere, and possibly establish mechanisms for self-oversight. TRUSTe and the International Advertising Bureau offer a proven model for success on this front.
From advocacy groups such as Coin Center and the Chamber of Digital Commerce to the Wall Street Blockchain Alliance and Digital Asset Transfer Authority, there are already groups taking on leadership positions. Additionally, new initiatives and offerings, such as IBM's Open Ledger Project and Microsoft's Azure Blockchain-as-a-Service, are other interesting developments. It would be a good move for these organisations to begin focusing on these issues as they interact with regulators and develop new products.
At the end of the day, each company and individual will have to identify solutions that work best for them and conduct rigorous due diligence based on their specific business operations and jurisdictions. Additionally, the optimal solution continues to be a moving target as regulations change. However, these steps are worth it because blockchain-based applications and systems offer an intriguing way for companies to create a more equitable relationship with clients, lower their risk profile and grow a business with confidence.
Steve Ehrlich is an associate at Spitzberg Partners, a boutique corporate-advisory and investment firm headquartered in New York that provides strategic counsel and investment insights on European and international political, economic, technology and security matters.