Osborne Clarke’s Mark Taylor helps us to understand the technology behind blockchain, how it’s changing business, and what legal challenges it presents
Blockchain technology was first implemented to support the cryptocurrency Bitcoin, by providing a database which could record all transactions involving the currency, in a way that was secure, durable and decentralised. It was soon realised that those very attributes made blockchain technology a powerful solution that could be used in a variety of different applications.
Before we get onto those applications, let’s first review the essential background of blockchain.
There are various groups involved in a functioning blockchain:
1. The ‘originator’ of the blockchain technology, i.e. the person or people who have written the software for the system in question;
2. The users of the system, sometimes known as “peers” operating “nodes” on the network;
3. For some systems, a subset of the peers act as the verifiers of transactions, creating and confirming blocks (for example, the Bitcoin system was originally designed to be verified by the whole peer-to-peer network, but the increasing amount of computing power which is required means that verification is now undertaken by a portion of the users, known as “miners”).
Note that there may not be a “blockchain operator” — some systems are operated in a fully decentralised way by the peer network. In some systems, the originators retain a degree of control or influence, but this is not necessary. It is also possible that blockchain technology is provided as a service.
Blockchain has a set of key characteristics (although the configuration of individual systems can vary widely):
1. Peer-to-peer network
2. Distributed ledger constantly updated for every network node (no single-point-of-failure). This means that each user in the network holds an equally valid version of the shared database — there is no definitive central “original” version.
3. Disintermediation of any Trusted Third Party via a censorship-resistant model. This means that the system is not operated from the centre but by consensus between the peers/nodes.
4. Open source software, maintained by a community of developers. As noted, sometimes the originators of the system continue to take responsibility for updating it; in other cases, the network takes over control of the underlying software as well as the blockchain contents.
Finally, there are two major classes of blockchain:
1. A private blockchain, where access to it is controlled (which may mean that there is more central control); and
2. A public blockchain, where anyone can download the software, view and participate.
Now we proceed to look at the ways blockchain is being deployed by businesses.
Much of the current interest in distributed ledger technology extends beyond using ledgers for reference or provenance, and to executing actions dynamically, enabling ‘smart contracts’. Although there is no universally established and accepted definition of a smart contract, in essence it is a set of coded instructions that self-perform when certain criteria are met.
Like a traditional contract, a smart contract will contain a set of rules and consequences. But unlike a traditional contract, those rules and consequences can be automated according to pre-set input criteria being validated by the blockchain network, functioning without further input by either party.
As long as all of the necessary elements can be coded, a smart contract could function as a standalone commercial agreement. However, more commonly (at least currently), smart contracts will have a ‘traditional’ contract sitting alongside them, to address any issues that cannot be captured in the smart contract code. That would include more subjective or difficult-to-define provisions, along with terms such as the applicable law and jurisdiction, and how any disputes should be resolved.
We now take a deeper look at the most challenging aspects of smart contracts.
Location and jurisdiction
Participants in a blockchain can be distributed across the globe, with no central controlling body. This means that it is not necessarily clear which laws apply to a smart contract transaction. It can help to designate upfront where any transaction is deemed to have taken place, and which jurisdiction and choice of law the parties are electing shall apply.
Blockchains and disputes
The absence of any central authority or regulator can lead to uncertainty and high-profile disasters. For example, in April 2016, an organisation called The DAO was launched and attracted more than $100m in funding. However, when a security flaw in the DAO’s code led to $50m of that being misappropriated, those affected were left without any viable remedy.
The different functions of participants in a blockchain will attract different rights and obligations. It will be essential that obligations and liabilities — and any limits to those liabilities — are properly set out in contracts between the different parties.
Where a dispute arises — for example a fraudulent transaction — there may be a disagreement as to whether, for example, the fraud was possible due to a weakness in the underlying technology, a weakness (technical or human) in the verification of one of the links in the network, or is attributable to those involved in the particular transaction.
The underlying ‘traditional’ contract will of course be vital. As is often the way in commercial transactions, the key is to define the contractual model clearly.
Blockchains and privacy
Data protection regulations are becoming increasingly stringent and pose a particular challenge for blockchain applications, in which information is held as immutable records on a distributed global network. Given the extraterritorial reach of much privacy legislation, including the EU General Data Protection Regulation (GDPR), multiple sets of data protection rules could apply.
If there is a blockchain service provider or operator, it would almost certainly be considered a data controller. Since data is being held and transferred by all of the other participants in the blockchain network, they may also be considered data processors or data controllers, depending on the precise set-up of the relevant blockchain. To allow for this, any contracts between the blockchain service provider and the participants in the network should include appropriate provisions relating to data protection and security.
The GDPR precludes the transfer of data outside the EU without adequate protection. Unless the non-EU country has been deemed to have an ‘adequate’ data protection regime in place, an arrangement (such as the EU-US Privacy Shield) or more bespoke contractual protections based on the EU’s Model Clauses will need to be put in place.
Turning the issue on its head, blockchain technology could be used as a solution for maintaining data protection. The GDPR encourages concepts such as encryption and pseudonymisation, which are fundamental in blockchain technology. However, it will take some time for regulation to catch up with technology in recognising the role that blockchain could play here.
Right to be forgotten
A particularly challenging data protection scenario would be where a data subject requests that their data be removed — the so-called “right to be forgotten”. Since one of the fundamental aspects of blockchain is the immutability of the entries on its ledger, this could prove a technical and regulatory challenge.
An option blockchain service providers could consider is ‘tokenisation’. This involves replacing the data in the ‘blocks’ with unique identifiers that securely link to ‘tokens’ holding the personal data. By doing so, operators enable the removal of the personal data where required, without compromising the integrity of the records on the blockchain.
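The tokenisation approach described above can be sketched as follows. This is an added example, not code from the article or from any blockchain product: a plain SHA-256 hash chain stands in for the ledger, and `TokenVault`, `append_block` and `verify_chain` are hypothetical names chosen for illustration.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64

class TokenVault:
    """Off-chain store holding the personal data behind each on-chain identifier."""
    def __init__(self):
        self._store = {}

    def tokenise(self, personal_data):
        # The identifier is random, not a hash of the data, so the ledger
        # entry reveals nothing about the person once the vault entry is gone.
        ref = secrets.token_hex(16)
        self._store[ref] = personal_data
        return ref

    def resolve(self, ref):
        return self._store.get(ref)  # None after erasure

    def erase(self, ref):
        return self._store.pop(ref, None) is not None

def block_hash(index, prev_hash, payload):
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append_block(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "payload": payload,
                  "hash": block_hash(index, prev, payload)})

def verify_chain(chain):
    prev = GENESIS
    for i, block in enumerate(chain):
        expected = block_hash(i, prev, block["payload"])
        if block["index"] != i or block["prev"] != prev or block["hash"] != expected:
            return False
        prev = block["hash"]
    return True

def demo():
    vault, chain, refs = TokenVault(), [], []
    # Constructed sample records: only the identifier and amount go on the ledger.
    for name, amount in [("Alice Example", 120), ("Bob Example", 75)]:
        refs.append(vault.tokenise({"name": name}))
        append_block(chain, {"subject_ref": refs[-1], "amount": amount})
    before = verify_chain(chain)
    erased = vault.erase(refs[0])   # erasure request from the first data subject
    after = verify_chain(chain)     # ledger is untouched, so it still verifies
    return before, erased, after, vault.resolve(refs[0]), vault.resolve(refs[1])

if __name__ == "__main__":
    print(demo())
```

The erased subject's block remains on the ledger and still verifies, but its identifier no longer resolves to any personal data, whereas editing a block's payload directly would cause `verify_chain` to fail.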
Blockchain in action: managing IP rights
One potential use of blockchain that is generating a lot of interest is in the digital content industry. Rights to royalties can be spread among several contributors to a work, and the management of rights and royalties is far from straightforward. Blockchain, being a public and incorruptible register, can generate a certification of authenticity which is reliable, transparent and perpetual. As such, blockchain technology could be used as a basis for systems that:
• identify the owner(s) of a work and their moral rights;
• allow the identification of authentic products, as a way of combatting counterfeiting; and
• automatically allow revenues to be divided between holders of IP and contractual rights through a smart contract.
An early example of this working in action is a start-up that aims to allow artists to distribute their music directly, with consumers able to purchase licenses to stream, download or even remix songs. The blockchain technology automatically allocates payments to the owners of the IP.
IP management societies are also showing interest, with three of the largest music collection societies (PRS, ASCAP and SACEM) in April 2017 announcing a collaboration to prototype a blockchain-based licensing solution. But equally, blockchain solutions can fill a gap where there is currently no central authority administering those rights.
As with some other types of new technology, we do not see legislators attempting to regulate the technology itself. Rather, it will be specific applications of blockchain that may be subject to regulation. For example, there is great interest in potential uses of blockchain in financial services, such as securities. The European Securities and Markets Authority is looking at this and in February 2017 issued a report which looked at whether the use of blockchain technology in the European securities market should be subject to specific regulation. For now, at least, the report concluded that existing regulation is sufficient. But the report also identified issues that would need to be addressed, including in relation to identity verification and data protection. If blockchain technology does become widely used in financial services markets, further regulation may be needed to address some of those concerns.
The challenge for legislators is identifying where existing regulation is not adequate to deal with the novel challenges posed by blockchain, without stymying the development of blockchain applications that can bring great benefits to consumers and industry. There will not be one catch-all solution; individual regulators and legislators in different sectors and countries will need to decide what is needed in their area.
Mark Taylor is a digital business partner at Osborne Clarke.