News and developments

Law On The Protection Of Personal Data and Cryptocurrency

Today’s world is on a constant state of evolution. Every day, a new idea or technology makes the headlines and promises to fundamentally change how we live. Once the dust settles, however, the technology may under deliver or we may get used to the incremental improvement so innately that it becomes a part of our persona (think smart phones!).

Satoshi Nakamoto’s whitepaper, the manifesto of a pseudonym, in November 2008 was such a breakthrough. This manifesto invited many to rethink their perception of money and suggested an alternative to the bulky and sluggish financial system. The peer-to-peer structure offered a substitute to the most valuable resource in the world, trust, and promised to solve a plethora of problems. But how does it hold up from a legal perspective?

Considering the trends of the developing world, it is of great importance to put blockchain technology and cryptocurrency concept into a well-developed legal framework. Along the same lines, numerous states have put forward their initial policy documents towards these technological developments which may be a part of daily life in the near future. Perspectives and support of the states on this point can significantly advance the progress of technology and increase adoption.

With the advancement of technology, the introduction of virtual money into our lives has led the way to open the doors of innovation in many areas. The money did not take many different physical forms during the historical process. Yet, the introduction of electronic payment system with the loading of smart cards in Europe in the late 1980s led to the introduction of virtual money into daily life. Although this practice has emerged to protect people against theft, it has brought a whole new dimension to money.

Bitcoin is a type of cryptocurrency using blockchain technology. Bitcoin holds a database recording all past Bitcoin transactions, including the creation of new Bitcoin units. As it has been discussed in doctrine, it is generally referred to as the General Ledger of Bitcoin systems due to this feature.

Virtual money, which has not yet been established under Turkish law, is defined by the European Banking Authority on 9 January 2019 in its recommendation report to the European Commission as “Crypto-asset means an asset that: i. depends primarily on cryptography and distributed ledger technology or similar technology as part of its perceived or inherent value, ii. is neither issued nor guaranteed by a central bank or public authority, iii. can be used as a means of exchange and/or for investment purposes and/or to access a good or service.” (European Bank Authority, Report with advice for the European Commission on Crypto-assets, 2019)

On the other hand; Banking Regulation and Supervision Agency (“BRSA”) has referred in the public statement numbered 2013/32 and dated 23 November 2013 that consists of the electronic money, virtual money and derivatives to the Code on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Code”), which is entered into force after being published in the Official Gazette dated 27 June 2013 and numbered 28690. Thus, the institutions that can be included in the category of payment or electronic money organization which is established within the scope of this, have been obliged to comply with the regulations and applications and regulations to be put into force by the BRSA. In addition to that virtual money was first referred to by the BRSA;  “Monetary value that is issued in return for funds accepted by the electronic money issuing institution, stored electronically, used to perform the payment transactions defined in this Code and accepted as a means of payment by real and legal persons other than the electronic money issuing institution”.

In this context, it was concluded by the BRSA that Bitcoin cannot be in the virtual money category in accordance with the Code and therefore BRSA would not be responsible for supervision and control in case of any loss of rights. In this manner, there is still no legal regulation of cryptocurrencies, virtual money, etc. under Turkish Law. The reason behind the approach of the BRSA against Bitcoin and its derivatives is the anonymity provided by the blockchain technology and security issues that come with it.

Due to the fact that cryptocurrencies are expected to be more involved in daily life in the future, it is also important to determine the legal status of these cryptocurrencies in Turkish legal systems. Additionally, it has been discussing the laws and directives for protecting personal data that are updated and developed, cryptocurrencies in terms of their effects and the application areas in terms of blockchain technology recently by Turkey and also European Union.

The European Parliament adopted the General Data Protection Regulation (“GDPR”) 2016/679 on 14 April 2016 and entered into force on 25 May 2018. The legal regulation of personal data is not based on such recent history. This is because the Directive 95/46 / EC entered into force in 1998 on personal data and the Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data can be specified as a directive that forms the framework of this GDPR.

In the context of Turkish law, the legal regulations on personal data were became a current issue on the Law on the Protection of Personal Data (“PPD”) No. 6698, which was adopted on 24 March 2016 and published in the Official Gazette dated 07.04.2016 and numbered 29677. The purpose of the PPD is to protect the fundamental rights and freedoms of individuals who have the right to privacy and constitutional rights in the processing of personal data and to regulate the obligations of real and/or legal persons who process data. At the same time, PPD sets out the principles and procedures for the processing of personal data and data processing is subject to certain conditions.

Otherwise, in the Article 3/1-d of PPD, personal data is defined as “any information which is related to an identified or identifiable natural person”. As it is clear from the provision of the article, personal data includes the fact that it belongs to a real person. In other words, it is clearly stated in the PPD that only the data of natural persons may be processed.

The applicability of cryptocurrencies should be determined within the scope of PPD. The fact that Bitcoin, that is one of the cryptocurrencies, is a platform based on blockchain technology can be indicated as a subject to PPD in terms of processed data to the blockchain. Actually, in terms of the functioning of the blockchain; blockchain is defined as “a digital global ledger, a straightforward data file which includes public, transparent, distributed, sequential and time-stamped Bitcoin transfer transactions”. As such, for instance, in the Bitcoin blockchain, individuals may consider (i) the number of Bitcoins they possess, (ii) which wallets they trade, (iii) how many transactions they may have personal data.

Article 7 entitled “Erasure, Destruction or Anonymizing of Personal Data” of the PPD in terms of blockchain technology can be stated as an important regulation within the current functioning of the blockchain. Since according to the Article 7 of PPD it has been regulated as “despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject, upon disappearance of reasons which require the process”.

However, the fact of security, which is related as one of the basic principles of blockchain technology, makes it difficult to modify these data considerably. Nonetheless, according to the blockchain technology each block consists of the data of the previous block. For this reason, it is not possible to erase, destruct or anonymize the data regulated within the scope of GDPR and GDPR in terms of blockchain-based cryptocurrencies. In addition to the development of technology, regulations also should keep up with these technological developments. Otherwise, personal data security may be compromised due to lacunae in law in case individuals lose their rights.