What are the implications of the EU Data Act for smart contract operators?
Published on 7th Jul 2023
EU policymakers finalise long-anticipated new data rules that have far-reaching significance for smart contracts
The potential for smart contracts to enable smooth data-sharing while providing effective technical protection is well documented. However, European Union policymakers are concerned about the lack of interoperability between smart contracts for data-sharing, which can hinder integration and collaboration across systems, reduce competition and limit choice.
To address those concerns, the EU's proposed Data Act seeks to set clear rules and standards for smart contracts used to automate data-sharing in the EU. The EU institutions reached political agreement on the main provisions in the legislation last week, including those on smart contracts. However, the process has brought to light the significant challenges facing regulators in striking the balance between preserving the benefits of decentralised smart contracts and protecting consumers.
Definition and scope
The agreed text to define smart contracts is understood to be: "a computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering".
This definition is intended, according to the amended recitals, to be technologically neutral. It can therefore include automation of execution using blockchain or distributed ledger technology or using another technique. It is also intended to apply only where the smart contract is used to execute contractual arrangements between different parties and not, for example, where smart contracts are used to automate a business's internal processes.
The context in which the definition is used makes it clear, moreover, that the smart contract provisions only apply where a smart contract is being used to automate the execution of a data-sharing agreement (or provisions within it).
The following "essential requirements" will be imposed on smart contracts used in data-sharing arrangements:
- Robustness and access control to avoid functional errors and third-party manipulation.
- Safe termination and interruption.
- Data archiving and continuity, saving transactional data and the logic and code used for the smart contract.
- Access control, protecting the smart contract through rigorous access control mechanisms at the governance and smart contract layers.
- Consistency with the terms of the data-sharing agreement that it executes.
Compliance with all of the above must be self-assessed by the smart contract vendor or the person deploying the smart contract commercially. An EU declaration of conformity must be made.
The regulation also provides for standardisation in relation to the essential requirements listed above, although the standards themselves are to be defined by a standardisation organisation appointed by the European Commission. Enforcement of the Data Act will be handled at Member State level by the competent authorities.
Operation of the 'kill switch'
The proposals around safe termination and interruption (the "kill switch") were challenged by the blockchain and smart contract community. They require smart contracts to "include internal functions which can reset or instruct the contract to stop or interrupt the operation to avoid future (accidental) executions".
While a kill switch provides a means to intervene in instances of fraud, security breach or illegal activities, for example, purists argue that it undermines the core aspect of distributed ledger technology. In a fully decentralised and automated system, there would not be anyone to operate a kill switch.
The Data Act appears to assume that if the smart contract is being used to automate a data-sharing contract, then there are, by definition, two parties involved and that one of them can operate the switch.
The text of the Data Act agreed at political level between the EU institutions will now be subject to technical drafting refinements and amendments. It will also need to be translated into each of the EU's official languages. For the Data Act to pass into law, the European Parliament and Council, representing the bloc’s 27 member states, must each vote formally to adopt the text agreed by their respective negotiators.
This final stage typically takes around six months and so it is expected that the Data Act will be finalised around December 2023. We understand that the agreed text gives businesses a 20-month "grace" period within which they must become compliant.
Osborne Clarke comment
The Data Act is another example of how data regulation is extending far beyond personal data, reflecting its significance as a raw material of our digitalised economies. In addition to the smart contract provisions, it includes data access provisions that will have wide-reaching ramifications, potentially shaking up a lot of business models and making it easier for customers to switch between suppliers. Moreover, many businesses are already thinking about the strategic opportunities that opening up access to data might give them.
As for the implications for smart contracts, there is concern in the crypto-DeFi community about the "kill switch" requirement. Where a blockchain system is permissionless and entirely decentralised, this requirement could be very difficult, and nearly impossible, to comply with, as there is no "control" or (centralised) management of the system that could take responsibility for operating such a switch. Where existing data-sharing arrangements between different parties are executed by a smart contract, the parties will need to check whether the smart contract falls within the scope of the new regulation and, if so, whether it is – or can be made to be – compliant with the essential requirements.
That said, we have previously seen similar concerns around blockchain operators' ability to comply with regulation (for example, the General Data Protection Regulation), which ended up being something of a storm in a teacup, in practice. The industry quickly came up with a technical solution to ensure compliance. Our experience, moreover, is that there are not many truly decentralised commercial blockchain operations. Ultimately, the fintech industry will need to comply with the final rules, whatever they look like.
Mirshad Ahani, Trainee Solicitor with Osborne Clarke, contributed to this Insight.