By Paul Grewal, Chief Legal Officer
Bad facts make bad law. We see this in jurisdictions all over the world, especially when it comes to digital assets. Unfortunately, we are about to see this again — this time in the European Union — in the form of a revision to the Transfer of Funds Regulation. If adopted, this revision would unleash an entire surveillance regime on exchanges like Coinbase, stifle innovation, and undermine the self-hosted wallets that individuals use to securely protect their digital assets. The vote will likely take place this week so time is running out.
Here are the bad “facts”:
(1) digital assets like Bitcoin, Ethereum and others are a primary way criminals hide and move money
(2) law enforcement has no way to track these movements
(3) requiring collection and verification of personal information associated with self-hosted is not a violation of their privacy
State of play
The truth is that digital assets are in general a markedly inferior way for criminals to hide their illicit financial activity. That’s why, according to the best research available, by far the most popular way to hide illicit financial activity remains cash. Unlike with cash, law enforcement can track and trace digital asset transfers with advanced analytics tools. None of this requires upsetting the settled privacy expectations of wallet holders because the open architecture underlying digital assets is public and offers unprecedented transparency into transaction details. The records are also permanent — no one (not crypto companies, not governments, not even bad actors) can destroy or alter information. In short, digital assets and the immutable nature of their blockchain technology actually enhances the ability to detect and deter illicit activity. But rather than embracing and leveraging the benefits that arise from the increasing use of digital assets, the EU’s proposal would cast them aside and impose a host of new privacy invasions on wallet users.
For example, all crypto transactions will be deemed “travel rule eligible”. This means crypto is treated differently to fiat (which has a 1,000 EUR threshold), which establishes a clear advantage for traditional financial service providers over new technology, with significant anti-competition and anti-innovation implications.
Among the worst of the proposed provisions are new obligations on exchanges to collect, verify and report information on non-customers using self-hosted wallets. For instance, one provision requires exchanges to not only collect personal data about wallet users who are not their customers, but to also verify the data’s accuracy before allowing a transfer to one of their customers. In fiat terms, this would basically mean you cannot take money out of your bank account to send to someone else until you share personal data with your financial institution about that person and verify their identity. Not only is this verification requirement nearly impossible to do but requiring exchanges to engage in extensive data collection, verification, and retention about non-customers runs against core EU data protection principles of data minimization and proportionality.
Another dangerous provision would require exchanges to inform “competent authorities” of every single transfer from a non-customer’s self-hosted wallet equal to or greater than 1,000 EUR — regardless of any suspicion of bad activity. The proposal even leaves the door open to a total ban on transfers to self-hosted wallets even though there is no evidence that such a ban would have any impact on illicit activity at all. Like we said, bad facts make bad policy.
Make your voice heard
There’s precious time to act and we need to make our voices heard. A vote on Parliament’s draft proposal could come as early as Thursday, March 31st. If you care about protecting the privacy of individuals, and focusing the law on solutions that actually address legitimate concerns about the illicit use of digital assets, now is the time to speak up and be heard. We must speak with one, strong voice against this proposal before it’s too late.