Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2021/C 337/03)

The European Commission adopted on 24 September 2020 a Proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 (the ‘Proposal’). The Proposal establishes transparency and disclosure requirements for the issuance and admission to trading of crypto-assets; rules on the authorisation and supervision of crypto-asset service providers and issuers of asset-referenced tokens and issuers of electronic money tokens; regulates the operation, organisation and governance of issuers of asset-referenced tokens, issuers of electronic money tokens and crypto-asset service providers; and provides consumer protection rules for the issuance, trading, exchange and custody of crypto-assets, as well as measures to prevent market abuse to ensure the integrity of crypto-asset markets.

The EDPS recalls the need for a broader reflection on how to better ensure that the underlying technology of crypto-assets, namely blockchain and distributed ledgers respect data protection rules and principles, and refers in this regard to the general comments made in his Opinion on the Proposal for a pilot regime on distributed ledger technology (DLT) market infrastructures and reiterates the need that such a discussion takes place before the relevant proposal(s) enter into force.

At the same time, the EDPS stresses the responsibility of the EU legislature to ensure that the processing implied in the Proposal can be implemented in a data protection-compliant manner, as well as the responsibility of controllers to ensure compliance in accordance with the principle of accountability.

The EDPS considers that the issuers of crypto-assets would typically be controllers under the GDPR, having regard to the issuers’ project and insofar as the latter involves the processing of personal data. To increase legal certainty, the EDPS invites the legislature to explicitly designate the issuers as controllers in the Proposal. In addition, the processing of personal data may meet two or more of the criteria that indicate that the processing is likely to result in a high risk within the meaning of data protection law. As a result, the issuer of crypto-assets may fall under the obligation pursuant to Article 35 of the GDPR to perform a Data Protection Impact Assessment (DPIA), prior to the envisaged processing of personal data.

The EDPS welcomes the objective of the Proposal to enhance the protection of consumers as purchasers of crypto-assets (investors). At the same time, the EDPS considers that the Proposal should also include the obligation for issuers to make particularly prominent certain guarantees regarding data protection in order to better protect data subjects. The EDPS recommends including in the Proposal, as part of the information to be provided as content of the crypto-assets white paper, information regarding foreseen processing operations involving personal data, as well as the main risks envisaged and mitigation strategies for what concerns data protection.

Regarding the publication of administrative penalties, the EDPS recommends including, among the criteria for consideration of the competent authority, the impact on the protection of the personal data of the individuals. Moreover, the EDPS recalls that the principle of storage limitation requires that personal data is stored for no longer than is necessary for the purposes for which the personal data are processed, and recommends laying down a maximum instead of a minimum data retention period under Article 95(4) of the Proposal.

1. Background

The European Commission adopted on 24 September 2020 a Proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 (the ‘Proposal’) (1). The Proposal is a regulatory framework developed to regulate currently out-of-scope crypto-assets and their service providers in the EU and to provide a single licensing regime across all Member States by 2024. The Proposal aims to harmonise the European framework for the issuance and trading of various types of crypto token as part of Europe’s Digital Finance Strategy.

The Proposal is part of the Digital Finance package, a package of measures to further enable and support the potential of digital finance in terms of innovation and competition while mitigating the risks. The digital finance package includes a new Strategy on digital finance for the EU financial sector (2) with the aim of ensuring that the EU makes the benefits of digital finance available to European consumers and businesses. In addition to this Proposal, the package also includes a Proposal for a pilot regime on distributed ledger technology (DLT) market infrastructures (the ‘Proposal for a pilot regime’) (3), a Proposal on digital operational resilience (‘DORA’) (4), and a Proposal to clarify or amend certain related EU financial services rules (5).

The EDPS was consulted on the Proposal on the pilot regime and delivered his Opinion on 23 April 2021 (6). He was also consulted on the Proposal for digital operational resilience on 29 April 2021 and delivered his Opinion on 10 May 2021 (7).

On 29 April 2021, the European Commission requested the EDPS to issue an opinion on the Proposal, in accordance with Article 42(1) of Regulation (EU) 2018/1725. These comments are limited to the provisions of the Proposal that are relevant from a data protection perspective.

4. Conclusions

In light of the above, the EDPS:

—

recalls the need for a broader reflection and discussion, not only related to crypto-assets, into the issue of how to ensure that the underlying technology of crypto-assets, namely blockchain and distributed ledgers, respect in the most effective way, data protection rules and principles and reiterates the need that such a discussion takes place before the relevant proposal(s) enter into force;

—	recommends to explicitly designate the issuers as controllers in order to avoid any possible problem of interpretation in assessing the role, in particular having regard to the complexity of the subject matter of the Proposal and the relationships between the relevant actors;

—

recommends including under Articles 5, 17, and 46 of the Proposal, as part of the information to be provided as content of the crypto-assets white paper, the following: ‘where applicable, the list of the foreseen processing operations involving personal data, as well as the main risks envisaged and mitigation strategies for what concerns data protection’;

—

regarding the publication of administrative sanctions, the EDPS recommends including, among the criteria for consideration of the competent authority, the risks to the protection of personal data of the individuals, and replacing the minimum data retention period under Article 95(4) ‘at least five years’ by a specified maximum data retention period;

—

regarding the administrative cooperation between competent authorities, the EBA and ESMA, as well as cooperation with the oversight authorities of third countries, the EDPS recommends considering the deletion of the reference to the EUDPR under Article 108(3), given the ‘horizontal’ reference to the applicability of the EUDPR made under Article 88(2) of the Proposal.

Brussels, 24 June 2021.

Wojciech Rafał WIEWIÓROWSKI

(1) Proposal for a regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937, 24 September 2020, 2020/0265 (COD).

(2) Communication from the Commission to the European Parliament, the European Council, the Council, the European Central Bank, the European Economic and Social Committee and the Committee of the Regions on a Digital Finance Strategy for the EU, 24 September 2020, COM(2020)591.

(3) Proposal for a Regulation of the European Parliament and of the Council on a Pilot Regime for market infrastructures based on distributed ledger technology - COM(2020)594.

(4) Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 - COM(2020)595.

(5) Proposal for a Directive of the European Parliament and of The Council amending Directives 2006/43/EC, 2009/65/EC, 2009/138/EU, 2011/61/EU, EU/2013/36, 2014/65/EU, (EU) 2015/2366 and EU/2016/2341 - COM(2020)596.

(6) Opinion 6/2021 on the Proposal for a Pilot Regime for Market Infrastructures based on Distributed Ledger Technology, available at https://edps.europa.eu/system/files/2021-06/2021-0219_d0912_opinion_on_pilot_regime_for_market_infrastructures_en.pdf.

(7) Opinion 7/2021 on the Proposal for a Regulation on digital operational resilience for the financial sector and amending Regulations (EC) 1060/2009, (EU) 648/2012, (EU) 600/2014 and (EU) 909/2014, available at https://edps.europa.eu/system/files/2021-05/2021-0203_d0943_opinion_digital_operational_resilience_for_the_financial_sector_en.pdf.