Blockchain 2024 Comparisons

The blockchain sector in Sweden is developing rapidly. For several years, the industry has been led by more traditional and well-established blockchain operations, such as cryptocurrency exchanges. However, lately there has been increased interest in other innovative uses of blockchain-based technology in entirely different contexts – eg, as a means of collateral in lending arrangements – and in crossovers and combined service offerings of token-based payment transactions and traditional payment services. Consistent with Sweden’s history and reputation as a spearhead fintech market, Swedish companies continue to show interest in innovative uses of blockchain technology in ways that extend beyond more traditional practices.

EU Regulation

The year 2024 marks a historic paradigm shift in the EU’s regulation of the blockchain market, primarily through the entry into force of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA). This will become applicable in a phased approach where certain sets of rules (governing asset-referenced tokens and e-money tokens) will apply from 30 June 2024; remaining parts of MiCA will apply from 30 December 2024. Supplementary delegated acts are currently being developed by the European Securities Markets Authority (ESMA) in co-operation with the European Banking Authority (EBA).

With this, all major components of the European Commission’s so-called Digital Finance Package, proposed in September 2020, have been realised.

In addition to MiCA, the package also included a proposed regulation on a pilot regime for market infrastructures based on distributed ledger technology (DLT), which was adopted in 2022 and became applicable during 2023 (Regulation (EU) 2022/858, the “DLT Regulation”). On 2 June 2022, as a consequence of the pilot regime, the Swedish government launched an inquiry into account-based bookkeeping methods for financial instruments, with the aim of exploring potential regulatory changes to facilitate the use of blockchain (see Government Directive 2022:59).

In December 2023, a legislative report was published (see report SOU 2023:102) proposing a new Swedish legislative act to supplement the DLT Regulation. The proposed legislative act contains provisions which in substance greatly correspond to what applies to book-entry financial instruments under existing Swedish legislation, but with necessary adaptations to suit the new technologies covered by the DLT Regulation. For example, such technologies are distinct in that financial instruments do not necessarily need to be held in an account, and that the information can be stored in a distributed (decentralised) manner in different nodes rather than in a single central register. As a general rule, the provisions of the newly proposed act shall take precedence over provisions in other Swedish statutes.

The most predominant use of blockchain technology in Sweden, by sheer scale of operations, continues to be in the cryptocurrency exchange sector. There are two market-leading Swedish companies offering such services, and also a number of foreign exchanges whose services are accessible in Sweden.

In terms of more innovative uses of blockchain technology, there has been increased interest in developing financial instruments based on DLT, with the intention of such instruments being traded on regulated markets. To date, there are no cases where this has been accomplished in Sweden, but foreign examples have sparked Swedish interest in evaluating and possibly developing similar models.

In April 2023, international banks SEB and Crédit Agricole announced their launch of so|bond, a sustainable and open platform for the issuance of digital bonds based on blockchain technology. This blockchain network uses a unique validation protocol that encourages its participants to minimise their environmental footprint. The aim of the platform is to improve the efficiency of the issuance process for bonds and, in the future, other types of financial instruments. The authors assisted SEB in the structuring of the platform.

There are also numerous other initiatives, with a general upward trend of Swedish companies and public bodies showing interest in utilising the unique characteristics and benefits of blockchain technology.

Two perspectives exist regarding the ownership and valid transfer of blockchain-based digital assets:

• the finalisation of a transfer as between the parties to such transfer; and
• the finalisation and validity of transfer of ownership for purposes of rights in rem.

General contract law principles apply between the parties to a transfer of blockchain-based assets (as well as the respective service providers involved in such a trade), meaning that the parties are generally at liberty to agree and determine at what point during the transactions various rights and obligations associated with the ownership of the assets shall be transferred from one party to the other, as well as the involved parties’ respective liabilities to one another during the course of completing the transaction (and thereafter). In that regard, Swedish law does not prescribe any particular rules specific to blockchain-based assets.

However, the validity of ownership transfer from the perspective of obtaining rights in rem is a more complex issue, and in the absence of precedents is a question yet to be definitively settled. One fundamental aspect of rights in rem under Swedish law is how and when transfer of ownership to certain property confers protection to the transferee (purchaser) from claims by the creditors of the transferor (seller).

The general rule under Swedish law is that a transfer of ownership must have been manifested through some observable action in order to entail rights in rem for purposes of protection from creditors of the seller for the purchaser. For typical, physical, movable property such as ordinary goods, the change in ownership is manifested through the act of transferring possession of the goods to the purchaser, pursuant to the so-called principle of tradition. However, due to practical impossibilities this principle cannot be applied in the same way in relation to immovable property or dematerialised assets. In those cases, the legislature has instead enacted specific legislation that ties the validity of rights in rem associated with ownership to registration. For example, this applies to:

• dematerialised stocks and bonds;
• other types of financial instruments; and
• emission allowances.

For blockchain-based assets however, there are no similar rules under Swedish law which ascribe validity to rights in rem based on registration. It is therefore uncertain whether and how rights in rem could be obtained for transfers of blockchain-based assets.

This issue is addressed and commented on in the report proposing legislative changes to align Swedish law with the DLT Regulation (SOU 2023:102). If enacted, the proposed legislative changes would mean that the person registered as owner in the ledger of a DLT-based financial instrument would be presumed to also have ownership rights (unless proven otherwise). Furthermore, validity to a transfer of a DLT-based financial instrument, for purposes of rights in rem, is proposed to follow from validation of the transfer through a consensus mechanism (the details of which may vary from one DLT market infrastructure to another).

The proposal is for a validated transfer of a DLT-based financial instrument to ensure protection from subsequent claims by the transferor’s creditors in respect of any right that was not registered in the ledger prior to such transfer validation. This principle is proposed to apply not only in respect of transfers in ownership stemming from the sale of assets, but also other transfers such as gifts, wills, inheritance or division of property.

In a judicial decision from December 2023 by a Swedish Administrative Court of Appeal (see 5.1 Judicial Decisions and Litigation), the Court found that it is currently unclear under Swedish law how rights in rem are achieved for blockchain transactions.

While both judicial decisions and the current process of proposed legislative changes contribute towards making the matter of ownership of blockchain-based assets under Swedish law increasingly clear, in its current state the matter is yet to be definitively settled.

As Swedish law does not include any national bespoke categorisation system for digital assets, their legal classification needs to be analysed on a case-by-case basis against general legal concepts and definitions. Historically, this has resulted in a focus on determining whether digital assets may be deemed to be financial instruments under Swedish law. If a digital asset is deemed to be a financial instrument, the provision of investment services relating to that digital asset is subject to securities and investment laws and regulations, most notably Directive 2014/65/EU (MiFID II) and the Prospectus Regulation.

However, MiCA introduces a new regime for categorisation of digital assets which distinctly regulates three classes of crypto-assets:

• asset-referenced tokens;
• e-money tokens; and
• utility tokens.

Asset-referenced tokens and e-money tokens can both be considered what is colloquially referred to as “stablecoins”. An e-money token is defined as a type of crypto-asset that purports to maintain a stable value by referencing the value of only one official currency. Meanwhile, an asset-referenced token is defined as a type of crypto-asset that purports to maintain a stable value by referencing another value or right, or a combination thereof, including one or more official currencies.

Utility tokens are defined in MiCA as a type of crypto-asset that is only intended to provide access to a good or a service supplied by its issuer.

Swedish law does not specifically define tokenised securities (ie, traditional securities with a digital wrapper) as a distinct category of assets. The question of whether tokenised securities are subject to securities and investment laws and regulations is essentially a question of whether such securities correspond to the definition of financial instruments under the Swedish Securities Market Act, which implements MiFID II.

Traditionally, the Swedish Financial Supervisory Authority (Finansinspektionen, or SFSA) has expressed the view that, in order for instruments in a digital wrapper to qualify as securities under Swedish law, the instruments must be possible to register in a manner that has the same legal effect – specifically in regard to rights in rem – as possession and presentation of a physical certificate, such as a coupon bond or a bearer bond. Registration based solely on contractual grounds (which is binding only for the parties to such a contractual arrangement) has not been considered sufficient to meet this requirement. In addition, the SFSA has expressed the view that an instrument must entail rights to its holder or obligations to its issuer, or both, which are legally enforceable.

Historically, stablecoins have not been explicitly regulated in Sweden, but as previously noted MiCA introduces an extensive regulatory framework for any stablecoins that meet the definition of either asset-referenced tokens or e-money tokens (see 2.2 Categorisation). MiCA does not explicitly distinguish algorithmic stablecoins from others in a classification aspect, expressing instead that the rules in MiCA are the same for algorithmic asset-referenced tokens as for others.

However, an aspect of MiCA’s substantive regulatory requirements that may have an impact on the practical feasibility of issuing algorithmic stablecoins is that, among the requirements introduced by MiCA on issuers of asset-referenced tokens, there is an obligation to have a reserve of assets covering the risks associated with the underlying asset and the liquidity risks associated with rights of redemption of the tokens. The reserve of assets is required to be legally and operationally segregated from the issuer’s own assets.

There are currently no specific regulations under Swedish law in relation to NFTs. Customary commercial and consumer protection law applicable to marketing and sales in general will also be applicable to NFTs.

Swedish law does not prohibit the use of cryptocurrencies as means of payment, but does not recognise cryptocurrencies as legal tender that any person is legally required to accept as means of payment.

Swedish law recognises only banknotes and coins as legal tender that households and companies must be able to use to make payments. However, this general rule is not without exceptions. Firstly, there is the possibility of waiving the obligation to accept cash by agreement, both in private enterprise and in such public sector operations as can be equated with private enterprise (eg, municipal car parks). Secondly, there are exemptions from the obligation to accept cash as payment in a number of legal acts, such as tax legislation, which means it is not possible to pay tax in cash.

Following these observations and the limitations of cash as legal tender, in 2017 the Swedish Central Bank launched a project to assess the possibility of establishing and backing an e-currency that could potentially constitute legal tender under Swedish law (see 4.7 Other Government Initiatives).

Pursuant to Swedish law, the action necessary to perfect a pledge in order to create a security interest is generally the same as the action to be taken in order for a purchaser of an asset to receive rights in rem towards the creditors of the seller. As explained in 2.1 Ownership, the existing case law of relevance (and which is subject to the risk of being overturned on appeal) is limited to transfers in Bitcoin, and it is uncertain what action is necessary in relation to the perfection of a pledge over other types of digital assets.

The proposal for Swedish legislative changes to supplement the DLT Regulation addresses whether and how it should be possible to pledge DLT-based financial instruments. In a corresponding manner as for transfers of ownership (see again 2.1 Ownership), the proposal is for Swedish law to require a distributed ledger to have functionality for registering security rights to a financial instrument (ie, the pledging over said instruments), and to recognise a pledge over DLT-based financial instruments as occurring upon validation of such action through a consensus mechanism.

There are no specific laws or judicial decisions addressing the legal enforceability of smart contracts. The Swedish law on the formation of contracts is technology-neutral and as such does not preclude smart contracts from constituting valid agreements between the parties that use them. Two cases may be distinguished.

In the first case, parties agree “off-chain” to use a particular smart contract as a mode of delivery when executing an obligation that has been agreed off-chain (eg, an interest payment) on a particular date that is automatically calculated and executed by the smart contract where the underlying right to such a payment is documented in a loan agreement off-chain. The validity of such performance of an obligation is within the freedom of contract of the parties and would generally be legally binding.

In the second case, the parties do not have a pre-existing relationship that has been agreed off-chain but rather use the smart contract as their only mode of communicating and exchanging performances. Under Swedish law, a contract may be entered into between parties through action, with the textbook example of a car park user being bound by the terms of the parking garage by parking in the garage (as long as the terms are available to the car park user). It is likely that the same reasoning can be applied to a contract being entered into through the use of a smart contract.

It should be noted that it is not the smart contract itself that constitutes the agreement. An agreement between two parties is a legal concept of an abstract nature that in turn can be manifested and documented (eg, through a written contract or computer code in a smart contract), but where the manifestation does not necessarily reflect the binding abstract agreement between the parties (although it is often difficult to prove that the content of an agreement differs from its physical manifestation).

Furthermore, Swedish law on the formation of contracts allows for the altering of contracts on the grounds of their being unconscionable (especially in relation to consumers vis-à-vis businesses) or because the formation of the contract was invalid due to fraud, usury or duress, for example. The manifested obligations and any performance of a smart contract can therefore potentially be challenged in court on the grounds of the agreement being unfair or invalid.

Regulatory capital requirements of credit institutions and large investment firms primarily stem from Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms (CRR), and consequently are EU-based rather than Sweden-specific.

Following a proposal in 2021 by the European Commission, there is currently an ongoing legislative process of updating and amending the CRR. As part of that procedure, negotiators from the European Parliament, the Council and the Commission reached a provisional agreement in June 2023 on certain changes to be included in the legislative package. Among the points covered by the provisional agreement was a requirement for credit institutions and investment firms to report and disclose exposures to crypto-assets.

In parallel with the EU legislative process, the Basel Committee on Banking Supervision issued a consultative document in October 2023, for comments to be submitted by the end of January 2024, regarding disclosure of crypto-asset exposures. The proposed disclosure requirements are planned to apply to internationally active banks at the top consolidated level. The Basel Committee has proposed an implementation date of 1 January 2025.

There are currently no regulatory sandboxes for blockchain technology in Sweden. However, the SFSA has established an innovation hub that deals with fintech in general.

The two dominating sets of regulatory frameworks within the field of blockchain under Swedish law – the DLT Regulation and MiCA – are heavily influenced by international standards. As the rules introduced by MiCA are based on a directly applicable EU Regulation, they are harmonised within the EU and are not specific to Sweden. Similarly, many of the proposed changes to Swedish law have the aim of aligning Swedish law with international standards by enabling the DLT Regulation to be applied in Sweden in the manner intended by the EU legislature.

The SFSA is the Swedish competent authority for purposes of MiCA and the DLT Regulation, giving the SFSA both a supervisory mandate and the role of processing applications for authorisation and other types of regulatory approval under MiCA and the DLT Regulation.

Historically, the SFSA has held a generally cautious and sceptical position towards cryptocurrency and, in particular, has repeatedly communicated warnings to consumers against investing in cryptocurrencies. It is not unlikely that MiCA may cause a shift in the SFSA’s position towards blockchain and digital asset firms, by regulating such firms more diligently than before and therefore bringing a degree of legitimacy to those firms who qualify for authorisation. However, it is still too early to tell if and how MiCA will have an impact on the SFSA’s approach to blockchain and digital asset firms.

Currently, there are no self-regulatory organisations or trade groups that perform regulatory or quasi-regulatory roles in relation to blockchain in Sweden.

The Swedish Central Bank (Riksbanken) is currently assessing the possibility of establishing and backing an e-currency: the e-krona.

Since February 2020, Riksbanken has been running a pilot project with a third-party technical service provider to develop a technical platform for a blockchain-based e-krona. The pilot project has undergone three phases of (mainly technical) analysis, testing and evaluation, and the results of the third phase were released in April 2023.

The solution is based on digital tokens that are portable, cannot be forged or copied (double-spent) and enable instantaneous peer-to-peer payments. The tokens would be guaranteed a fixed value corresponding to the Swedish krona, so that the value of the user’s funds would always be identical regardless of whether they are held in the form of cash, a bank account balance or e-currency. The technical solution for the e-krona currently being considered is based on the e-krona being issued and redeemed exclusively by Riksbanken, while the e-krona would be distributed via participants in a private e-krona network administered by Riksbanken (eg, banks).

In March 2023, the Swedish government published a report in which the current need for an e-currency was questioned. During 2024, Riksbanken will continue to:

• work on the design and legal aspects of an e-currency;
• evaluate the need for and the potential effects of an e-currency on the Swedish economy; and
• analyse the need for legislative amendments to enable and facilitate implementation of an e-currency.

Digital Negotiable Debt Instruments

In a judgment from 2017 (NJA 2017 page 769), the Swedish Supreme Court assessed whether a negotiable debt instrument under Swedish law can be digital. A negotiable debt instrument is essentially an instrument that is itself representative of a legal debt, meaning that whoever holds the instrument is typically entitled to require payment from the obligor. The Swedish legislation on negotiable debt instruments is from 1936 and thus assumes that these instruments exist in physical paper form.

However, the Supreme Court’s judgment held that the law does not strictly require a negotiable debt instrument to exist physically, and should be interpreted and applied in a technology-neutral manner, provided that doing so does not jeopardise the fundamental principles and interests that the law is intended to protect. According to the Supreme Court, this means that a digital negotiable debt instrument can be recognised legally, provided that it is designed in a manner that ensures an obligor is afforded technical means of verifiably fulfilling its payment obligation and extinguishing the debt, comparable to those afforded an obligor under a physical negotiable debt instrument (who is by law entitled to have the physical negotiable debt instrument returned to them upon making payment).

While the Supreme Court did not specify in its judgment how this could be achieved in practice, it has been theorised and discussed in the legal community that blockchain-based technology could possibly enable corresponding possibilities of verifying payment, due to its inherent limited capability of being manipulated.

Cryptocurrencies and Foundation Requirements

In a more recent judicial decision from January 2023, the Administrative Court of Appeal in Göteborg found that a Swedish foundation (stiftelse), where the assets under management were a type of cryptocurrency, satisfied the legal requirements for registration and recognition under Swedish law (eg, that the assets of the foundation can be managed indefinitely). The Court found that the volatile nature of cryptocurrencies did not preclude the assets from having an economic value and it being possible to manage them indefinitely.

Payment in Kind Using Bitcoin

Another notable recent judicial decision relating to blockchain technology is a decision from the District Administrative Court in Härnösand in November 2022 relating to whether a Swedish limited liability company could be incorporated by payment for company shares in kind using Bitcoin. The Court found that payment in kind using Bitcoin could be considered to satisfy the requirements under Swedish law. However, the decision was appealed, and in December 2023 the Administrative Court of Appeal in Sundsvall repealed the decision, owing (inter alia) to uncertainty regarding rights in rem in relation to blockchain transactions and to the volatile nature of Bitcoin.

In 2013, the SFSA issued a decision against a person who was providing money remittance services comprised of taking receipt of fiat currency from customers in Sweden, and of using those funds to purchase Bitcoin from an exchange service provider in Iran. The customers could subsequently instruct the Iranian exchange service provider on how to settle the outstanding balance – eg, by exchanging the balance in Bitcoin into local currency. In essence, this enabled the customers to transfer money from Sweden to Iran by way of exchanges into and from Bitcoin. The SFSA intervened and ordered the Swedish service provider to cease its operations, on the basis that they comprised licensable payment services for which the service provider did not hold the requisite licence as a payment institution. The decision was appealed but was upheld by the Stockholm Administrative Court in 2014.

This case provides some guidance as to the boundaries of permitted and prohibited blockchain activities, by clarifying that, although virtual currencies themselves are not considered to constitute “funds” for purposes of the Swedish Payment Services Act (SFS 2010:751), a service provider taking receipt of funds (ie, fiat currency) from customers and transferring a corresponding amount by purchasing Bitcoin for purposes of effectively remitting the customers’ funds is carrying out activity that is licensable as a payment service under the Payment Services Act.

No particular Swedish tax rules other than applicable EU legal acts have been introduced in relation to blockchain or cryptocurrencies, or to operations relating to such technology. Consequently, many Swedish taxpayers have experienced more significant challenges in practically meeting the administrative tax-filing burden according to the applicable rules, rather than in the form of legal uncertainties as such. This is because taxable income from transactions in virtual currencies needs to actually be calculated and reported, whereas many other forms of savings and investment products can be managed through a so-called investment savings account (investeringssparkonto), which is subject to standard tax based on the balance on the account as opposed to individually calculated capital gains or losses resulting from transactions.

In November 2021, the SFSA and the Swedish Environmental Protection Agency (Naturvårdsverket) published a joint opinion proposing that mining activities should become regulated due to the environmental impacts of the inherent high energy demand of the “Proof of Work” mining method. The opinion was partially a reaction to an observable significant increase in energy consumption for cryptocurrency mining in Sweden during the period from April to August 2021, which was likely a result of cryptocurrency miners looking to operate out of Sweden due to the low energy prices, attractive tax regulations and good supply of renewable energy sources. The opinion has not yet resulted in any legislative action in Sweden, and on an EU level the most recent legislative developments indicate that the position may be against a ban on the “Proof of Work” mining method.

However, MiCA explicitly recognises the potential adverse environmental impacts of consensus mechanisms used for the validation of transactions in crypto-assets, and deals with this by imposing disclosure requirements related to principal adverse impacts on the climate and other environment-related adverse impacts, as part of the White Papers to be drawn up by the offeror, issuer and/or person admitting a crypto-asset to trading on a trading platform. Furthermore, crypto-asset service providers are required to make such ESG-related disclosures available in a prominent place on their websites, in respect of each crypto-asset available through such service provider’s scope of services.

ESMA has been empowered under MiCA to develop more detailed delegated legislative acts specifying the content and form of ESG-related disclosures. At the time of writing, the process of developing such delegated acts is underway, and ESMA published a consultation paper in October 2023 with a deadline for submitting responses by 14 December 2023, as well as an indicative expected timing of June 2024 for submission of ESMA’s proposal to the European Commission.

An essential piece of information expected to be included in White Paper disclosures regarding ESG impacts is a description of the consensus mechanism used for each particular crypto-asset (eg, a Proof of Work-based mechanism or Proof of Stake-based mechanism), which will need to be accompanied by an analysis of the environmental impact of the consensus mechanism used. ESMA considers that such an impact analysis should be anchored in three main features:

• the energy consumption of each DLT network node;
• the location of the DLT network nodes; and
• the devices used by each DLT network node to take part in the DLT network and to technically hold a replica of the network’s ledger.

In terms of indicators and methodologies for presenting the ESG-related information to be disclosed, ESMA has proposed that persons drawing up White Papers be required to calculate and disclose quantitative data on energy consumption, energy intensity and greenhouse gas emissions resulting from the crypto-asset. However, ESMA’s consultation paper also makes note of challenges that may arise in accurately calculating and disclosing quantitative data – for example, due to limited consensus in the research and crypto communities – and ESMA therefore expressed openness to possibly allowing the use of estimates to calculate and present information on sustainability indicators if the information is not otherwise readily available.

At face value, the Swedish laws and regulations that apply to data privacy fundamentally apply to operations with blockchain-based products and services in the same way as for other operations, without any specific derogations or distinctions to account for the particularities of blockchain-related operations. To date, there is no clearly guiding case law or guidance from the Swedish Authority for Privacy Protection that settles how data privacy rights and obligations can be applied to blockchain-based operations.

As in other EU jurisdictions, the main source of data privacy-related rights and obligations in Sweden is the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), which governs matters such as individuals’ right to:

• access their personal data that is being processed;
• the rectification of incorrect information about them; and
• the erasure of personal data that it is no longer necessary to process, for whichever purpose it was originally collected and processed.

The rights and obligations in the GDPR require careful analysis when being practically implemented in blockchain-based operations. Data protection measures should take into consideration the inherent characteristics of blockchain technology, and particularly that services and products are often based on public blockchains, which do not require any special permissions to become a participating node (eg, the most common cryptocurrencies powered by blockchain).

The GDPR is based on the assumption that there is a “data subject”, whose personal data is being processed by a “controller” that determines the purpose and means of the data processing. A typical scenario is of a bank that acts as the controller of the personal data that it processes about its customers. The bank may, in its role as a controller, engage service providers as its processors. Consequently, the GDPR establishes rights for data subjects and corresponding obligations for controllers and processors.

The concepts of the different roles – ie, controller, joint controller and processor – play a crucial role from a data protection perspective. It is therefore important to carefully analyse and outline the roles and responsibilities of all parties engaged in the blockchain-based operations at an early development stage, keeping in mind that there may not be a single controller, but rather a vast number of independent parties who may upload, process and store data (which may include personal data) on and outside the blockchain. Thus, the roles set forth in the GDPR must be taken into consideration from the very beginning of the design phase of the blockchain in order to clearly define accountability for fulfilling the obligations that the GDPR imposes on controllers.

The parties must also take into consideration the rights established in the GDPR in order to apply such rights in practice to blockchain-based technology. The architecture and design of the blockchain must therefore include data protection strategies in order to ensure that such rights are secured, considering that the blockchain-technology only permits data to be added to a blockchain, not removed from it. A notable example that needs to be complied with is the so-called right to be forgotten – ie, the right for a data subject to have their personal data erased when there are no longer any lawful grounds for processing it.

The GDPR establishes the concept of “data protection by design and default”, meaning that data protection measures should be implemented as integrated components of technical systems and services rather than as additional layers “on top”. Moreover, the GDPR requires controllers of personal data to implement appropriate security measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and to restore personal data in the event of any unforeseen incident.

Where appropriate, security measures should also include measures for the encryption of data, which is particularly interesting in the context of blockchain technology. There is an important distinction between truly anonymised data and data that is only pseudonymised. Where an anonymisation process results in data that is impossible to link to any individual and where that process is also irreversible, the resulting anonymous data is entirely beyond the scope of the GDPR. Methods for removing identifying characteristics of data that do not meet this standard of true anonymisation are instead referred to as “pseudonymisation”, and the GDPR remains applicable to pseudonymised personal data. In a blockchain context, this means that data on the blockchain will often qualify as pseudonymised personal data subject to the GDPR, as although a public blockchain may not openly and explicitly contain identifying details, it is possible to indirectly link the visible public keys or addresses to an individual (eg, through pattern analysis).

This means that blockchain-based services and products are generally not considered as anonymous (although each blockchain needs to be assessed on its particular circumstances) but are instead subject to requirements under the GDPR.