Cryptocurrencies are not truly anonymous. By way of example, Bitcoin is pseudonymous in nature and may in fact offer less privacy than traditional, fiat currencies. Bitcoin is a public blockchain, which means that anyone in the world with the resources and capability to carry out chain analysis could potentially verify and trace a transaction on the Bitcoin blockchain so long as they know the wallet’s public address.
It follows that the sending and receiving addresses of Bitcoin transactions can potentially be linked to real-world identities, not least because many exchanges require their users to go through KYC/AML checks to establish their identities before using the exchange. Add to that the many companies that offer this very service, along with governmental and law enforcement agencies (such as the Met Police and the FBI) and various financial institutions, and it is easy to see why cryptocurrency transactions can be easily traced and the identities of the persons behind them established. This is evident from the seizure of £180 million in cryptocurrency linked to criminal assets by the Met Police in July last year.
Privacy coins are different to other cryptocurrencies, however, as they intend to give users the ability to transact on an anonymous basis. Even law enforcement agencies have found these difficult to trace, so much so that some countries have, or are considering, banning the use and possession of them. It will come as no surprise therefore that privacy coins have become the focus of regulators and law enforcement agencies in recent times due to their potential ability to conceal identities and facilitate money laundering and the funding of terrorism, as was noted in the Financial Action Task Force guidance documents. Further to this, privacy coins have been de-listed by many cryptocurrency exchanges due to this illegal association.
In this article, we explore what privacy coins are and whether they help or hinder the UK’s General Data Protection Regulation (UK GDPR) regime.
There are several well-known examples of privacy coins, such as Monero, Dash and Zcash to name but a few. One of the earliest privacy coins, Monero, describes itself as “the only cryptocurrency where every user is anonymous by default. The sender, receiver, and amount of every single transaction are hidden through the use of three important technologies: Stealth Addresses, Ring Signatures, and RingCT.”
Privacy coins have two key characteristics: anonymity and a lack of traceability. Anonymity hides the identities of those conducting the transaction. Being untraceable makes the transaction information undetectable by third parties, such as through blockchain analysis as mentioned above. For the purpose of this article, we do not explore further the technology behind privacy coins but suffice to say a privacy coin is anonymous by design.
Before going into the legal implications of privacy coins, it is important to explain some of the key characteristics of a blockchain, including clarifying the distinction between a public versus a private blockchain. Public blockchains are open to the public and anyone can participate in the network without needing permission to add and verify blocks of data. This is the basis of most cryptocurrencies, including privacy coins. Consensus protocols between participants ensure that all data stored on the chain is valid.
Private blockchains are often referred to as 'permissioned' blockchains. Unlike public blockchains, they are typically run and operated by a single controlling entity that decides who may access the network. This of course runs contrary to the majority of blockchains, which are governed by consensus.
Another key factor of blockchains is that they are irreversible. Irreversibility is a function of cryptocurrencies (the original Bitcoin White Paper stressed the importance of transactions not being reversible), which is deliberately designed to reduce transaction costs and improve efficiency. Consequently, an attempt by one participant to erase or overwrite any existing data will be detected by the others and corrected. Immutability is therefore a key pillar of a blockchain and is enforced by all network participants.
There is no legislation that deals directly with privacy coins as, understandably, they are a relatively new creation. Under the UK GDPR and the Data Protection Act 2018 (DPA 2018) which place personal data at the forefront of data regulation, there are the so-called rights ‘to be forgotten’ and ‘to erasure’ (see Chapter 3, Section 3, Article 17 UK GDPR). It states that a data subject has:
“the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”.
This presents obvious compliance challenges when considering Article 17 UK GDPR in conjunction with blockchain technology. For the reasons outlined above, erasure is not possible on a public blockchain that stores transactional data and public keys containing ‘personal data’ caught by the DPA 2018 and UK GDPR. Even if the personal data were ‘hashed’, i.e. converted into a form that cannot be returned to its original state, or pseudonymised, the authors do not believe that this would go far enough to comply with the DPA 2018 and UK GDPR by erasing all personal data.
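As an added illustration of the immutability point above and of why hashing does not amount to erasure (this is example code, not part of the article), a minimal hash-chained ledger in Python with constructed sample records shows that overwriting a record to 'erase' it is detected by anyone re-verifying the chain, and that a hashed wallet address can still be matched by any party who already knows that address (for example from KYC records), because the same hash can simply be recomputed.

```python
import hashlib
import json

def pseudonymise(address):
    # Store a SHA-256 of the address rather than the address itself.
    return hashlib.sha256(address.encode()).hexdigest()

def block_hash(prev_hash, record):
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    # Each block commits to the previous block's hash (a minimal ledger).
    chain, prev = [], "0" * 64
    for rec in records:
        h = block_hash(prev, rec)
        chain.append({"prev": prev, "record": rec, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    # Return the index of the first inconsistent block, or None if intact.
    prev = "0" * 64
    for i, blk in enumerate(chain):
        if blk["prev"] != prev or blk["hash"] != block_hash(prev, blk["record"]):
            return i
        prev = blk["hash"]
    return None

def attempt_erasure(chain, index):
    # Overwrite one record in a copy of the chain, as an 'erasure' would.
    tampered = [dict(b) for b in chain]
    tampered[index] = dict(tampered[index], record={"erased": True})
    return tampered

def relink(chain, known_addresses):
    # Recompute pseudonyms for addresses known from e.g. KYC records and
    # match them against what the ledger stores: hashing does not unlink.
    lookup = {pseudonymise(a): a for a in known_addresses}
    return {lookup[v] for blk in chain
            for v in (blk["record"].get("from"), blk["record"].get("to"))
            if v in lookup}

# Constructed sample ledger (addresses are stand-ins, not real ones).
ALICE, BOB = "addr_alice_example", "addr_bob_example"
LEDGER = build_chain([
    {"from": pseudonymise(ALICE), "to": pseudonymise(BOB), "amount": 5},
    {"from": pseudonymise(BOB), "to": pseudonymise(ALICE), "amount": 2},
])
```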
Further, there has been much academic debate about whether the ‘de-linking’ of personal data with the transaction data would be sufficient to comply with the ‘right to be forgotten’. While this process may go some way to ensure that an individual was not identifiable with reference to that data, it would still be accessible and so arguably the blockchain technology would not be compliant.
A related issue arises from Article 16 UK GDPR and the ‘right to rectification’, which assumes that data can be modified or erased where necessary to comply with legal requirements. Blockchains, however, render such modifications of data almost impossible in order to ensure data integrity and trust in the network. One can easily see how these two concepts are in direct conflict.
Public blockchains therefore do not fit neatly with the DPA 2018 and UK GDPR regime and in fact may well contradict the rights granted to individuals by the DPA 2018 and UK GDPR. Privacy coins (which are usually transacted on a public blockchain) may go some way to alleviate this tension by allowing individuals participating in on-chain transactions to remain anonymous and potentially untraceable.
While the data protection gap may be bridged by privacy coins, there remain obvious concerns surrounding their use, including anti-money laundering and counter-terrorist financing issues, along with a whole raft of other criminal issues that are yet to be overcome. No doubt that is why many countries have either banned or are considering banning the use of such crypto assets.
The UK GDPR is the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). It is defined in section 3(10) of the Data Protection Act 2018, as supplemented by section 205(4).
‘Personal data’ is defined as any information relating to an identified or identifiable living individual (s.3(2) Data Protection Act 2018), and as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) UK GDPR).