Blockchain in Supply Chain Logistics – The Regulatory Implications
Blockchain and the Law – a legal perspective
With the implementation of two major pieces of EU legislation on the horizon (GDPR and eIDAS), what is the legal framework within which blockchain technology implemented in the supply chain sector can operate? Ignacio López del Moral, a blockchain legal expert, explains.
What Regulations are Related to Blockchain in the EU?
Transport and logistics are not immune to the impact that Blockchain Technologies are having on how businesses operate in the sector. Therefore, it is important to be aware of the laws in the European Union (EU) that deal with data protection, digital identity and payments. Depending on the domain and application area, there may be additional legislation required which will need careful consideration for a blockchain implementation.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) (EUGDPR, 2016) regulates the processing and movement of personal data. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address,” (EU, 2017).
GDPR was intended to overhaul existing data protection legislation and bring it up to date with digital communications; however, it may have missed the opportunity to be useful or enforceable when it comes to blockchain applications.
The GDPR may have only limited applicability to blockchain technology in the general sense. Although data is stored, retrieved and transferred on the blockchain, to our knowledge that data is not strictly personal: because it is fragmented, it cannot be used to identify a natural person. Accordingly, the right to be forgotten is not enforceable.
Nonetheless, the set of obligations that must be observed by any recipient of private information is a completely different matter. Consequently, there is a strong requirement for a prior identity check of the subject in question, which will need to be approved and certified by those in charge of the security of the nodes in the blockchain implementation.
It is interesting to note that one of the most natural realms of application of blockchain technology is the transaction of data between parties that do not know each other. In many examples, it is not necessary to know the other party to verify that the party is trustworthy and reliable. Therefore, in the context of private blockchain for use in the supply chain logistics context, trusting the chain is deemed sufficient, and thus there is no need to depend directly upon another party.
Electronic Identification, Authentication and trust Services (eIDAS)
The EU has placed the Digital Single Market at the core of its current strategy and, as part of this, aims to improve secure cross-border electronic transactions (DGConnect, 2017). The regulation on electronic identification and trust services for electronic transactions (EUeIDAS, 2014) is a milestone in providing a predictable regulatory environment that enables secure and seamless electronic interactions between businesses, citizens and public authorities. It ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services where eIDs are available. It also creates a European internal market for electronic Trust Services (eTS) – namely electronic signatures, electronic seals, time stamps, electronic delivery services, and website authentication. Under the eIDAS regulation these services work across borders and have the same legal status as traditional paper-based processes.
The flexibility given by this regulation facilitates the development of new businesses in which blockchain could play a part: it does not require individuals and entities to be identified by a public body, since identification can be carried out by the private sector and then acknowledged by the public one.
eIDAS also provides for interoperability and cross-border authentication in the public sector. Furthermore, it provides the ability to identify a person through biometrics and allows single claims, such as power of attorney, address, age or professional qualifications, to be verified on their own. It is worth highlighting the positive attitude towards electronic signatures in the cloud; it is therefore probably desirable not to depend on a centralised server but rather on a distributed system in which information is not stored on a single server.
Payment Services Directive 2 (PSD2)
The first Payment Services Directive (PSD1) was established to apply the same set of rules on payments across the whole European Economic Area (European Union, Iceland, Norway and Liechtenstein). This helps consumers to make cross-border payments easily and safely. The legislation introduced the concept of a Payment Institution (such as PayPal and WorldPay) and also enabled the Single Euro Payment Area (EUPSD1, 2007).
PSD2 comes into force in 2018 and aims to improve the existing PSD1 rules, to regulate new forms of payment institution, to introduce new interaction models and to mandate the opening of banks’ information to third parties, which will have significant implications for supply chain financial operations. PSD2 (EUPSD2, 2015) introduces many acronyms; two of them need to be understood here:
a) Payment Initiation Service Providers (PISPs) (think Amazon), which “play a part in e-commerce payments by establishing a software bridge between the website of the merchant and the online banking platform of the payer’s account servicing payment in order to initiate internet payments on the basis of a credit transfer.” This enables a provider to:
1. Initiate post-verification online payments on behalf of a customer between a merchant’s website and the customer’s bank,
2. Dilute the reliance on credit/debit cards for online payments,
3. Pay the funds to cover the purchase of goods to the merchant in real time.
b) Account Information Service Providers (AISPs) (think Money Supermarket and Mint), which “provide the payment service user with aggregated online information on one or more payment accounts held with one or more other payment service providers” and provide overall access to and visibility of a customer’s account position and financial situation.
The regulator is pushing banks to make some of their data available through Application Programming Interfaces (APIs) for the benefit of better competition in the market. The introduction of AISPs allows a customer to authenticate once with each financial institution they bank with and then log into their AISP portal for a single customer view of all account balances and transactions: consolidated account information on payment accounts held at several financial institutions. Whilst providing access to accounts in this manner is a worthy innovation, it also potentially exposes AISPs as a single point of attack for access to multiple accounts.
According to Jorge Lesmes in the Everis UK RegTech Report, “PSD2 is a strong candidate to combine new technologies to provide a valid solution to customers. Subject to consent, banks could open access to their customer data and payment capabilities using a secure, thoroughly documented federated, shared protocol.” (Lesmes, 2017).
Blockchain could be the key to controlling access to data. Access to customer accounts, which enables the provision of entirely new types of services, will now be regulated under PSD2 and could realistically be implemented with blockchain technology.
General Legislation Governing Supply Chain Logistics
The EU regulation sets out many specific due diligence and disclosure obligations that can be considered in a logistics context for importers and exporters, including:
1. Comply with the OECD Due Diligence Guidance or another diligence scheme.
2. Incorporate their policies into their contracts and agreements.
3. Include a grievance mechanism for customers to report concerns.
4. Gather information about the source and chain of custody of the imports in question.
5. Identify and assess the risks of adverse human rights impacts in their supply chains.
6. Make annual public disclosures about their supply chain due diligence policies and procedures relating to responsible sourcing.
A Hypothetical Example to Chain it all Together
In order to demonstrate how blockchain may be used in logistics with due consideration given to the various regulations, we will use the example of food supplies. Let’s think of perishable food with an expiry date, such as eggs. For this paper exercise we propose a blockchain called EggChain, which ensures full transparency of the egg supply chain from farm to fork, from hen to omelette. As eggs move from producer to wholesaler to retailer to consumer, the data that accompanies their progress is written to the EggChain blockchain.
When eggs are produced they are readied for shipment and data such as production date, expiry date, and producer name is printed on the egg carton and simultaneously recorded in the EggChain.
Documents related to the health and safety and licensing of the production facility, and test results pertaining to the presence of bacteria, pesticides or parasites, are required by the wholesaler. These documents are also recorded in the EggChain.
In this hypothetical case, the letter of credit facilitates payment and provides security because it allows the duties of compliance to be verified. Therefore, once the producer has demonstrated that he has shipped the eggs stipulated in the contract, he can receive payment. The contract itself is a Smart Contract that was agreed when the relationship was first set up, and the EggChain triggers payment when the contract conditions are met.
Even when documents (such as the bill of lading, the invoice or the inspection certificate) prove that everything has been done, there is always a chance of human error or fraudulent manipulation. If the eggs were contaminated by salmonella, it would be possible to trace back the location of the potential contamination and also to identify which retailers, and potentially which consumers, are affected, all through EggChain.
For a successful blockchain implementation such as EggChain, it is essential to:
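The EggChain flow described above (production data and compliance documents recorded in order, payment released only when the contract conditions are met, and contamination traced through the chain of custody) can be sketched as a small hash-chained ledger. The following Python is an added illustration written for this article, not the EggChain design or any real network; the event types, the batch identifiers, the party names and the set of documents the toy smart contract requires before paying the producer are all constructed assumptions. It also shows the check the narrative hints at: because each block commits to the hash of the previous one, an edited entry is detected when the chain is re-verified, and only document digests go on-chain, so the documents themselves stay with their holders.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

# Compliance documents the toy smart contract requires before releasing payment
# (an assumption for this example, not a list taken from the article).
REQUIRED_DOCS = {"health_safety_licence", "lab_test_report", "bill_of_lading"}


@dataclass
class Block:
    index: int
    prev_hash: str
    event: dict
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so the same event always yields the same digest.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "event": self.event},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()


class EggChain:
    """Append-only ledger: every block commits to the hash of the one before it."""

    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, {"type": "GENESIS"})
        genesis.hash = genesis.compute_hash()
        self.blocks: List[Block] = [genesis]

    def record(self, event: dict) -> Block:
        prev = self.blocks[-1]
        block = Block(len(self.blocks), prev.hash, dict(event))
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def record_document(self, batch: str, doc: str, content: bytes) -> Block:
        # Only the digest goes on-chain; the document itself stays with its holder.
        digest = hashlib.sha256(content).hexdigest()
        return self.record({"type": "DOCUMENT", "batch": batch, "doc": doc, "sha256": digest})

    def verify(self) -> bool:
        # Recompute every hash and re-check every link: any edited entry breaks the chain.
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False
            if i > 0 and block.prev_hash != self.blocks[i - 1].hash:
                return False
        return True

    def events_for(self, batch: str) -> List[dict]:
        return [b.event for b in self.blocks if b.event.get("batch") == batch]

    def custody_trail(self, batch: str) -> List[str]:
        # Ordered custodians: the producer first, then each transfer recipient.
        trail: List[str] = []
        for e in self.events_for(batch):
            if e["type"] == "PRODUCED":
                trail.append(e["producer"])
            elif e["type"] == "TRANSFER":
                trail.append(e["to"])
        return trail

    def payment_due(self, batch: str) -> bool:
        # Smart-contract style rule: the producer is paid once the batch has been
        # shipped and every required compliance document has been recorded.
        events = self.events_for(batch)
        producers = [e["producer"] for e in events if e["type"] == "PRODUCED"]
        if not producers:
            return False
        docs = {e["doc"] for e in events if e["type"] == "DOCUMENT"}
        shipped = any(e["type"] == "TRANSFER" and e["from"] == producers[0] for e in events)
        return shipped and REQUIRED_DOCS <= docs

    def recall_targets(self, contaminated_at: str) -> Dict[str, List[str]]:
        # Trace forward from a suspected contamination point: every batch that
        # passed through that party, mapped to the custodians downstream of it.
        batches = sorted({b.event["batch"] for b in self.blocks if "batch" in b.event})
        affected: Dict[str, List[str]] = {}
        for batch in batches:
            trail = self.custody_trail(batch)
            if contaminated_at in trail:
                affected[batch] = trail[trail.index(contaminated_at) + 1:]
        return affected


def build_demo_chain() -> EggChain:
    """Constructed scenario: two batches, one wholesaler, two retailers."""
    chain = EggChain()
    chain.record({"type": "PRODUCED", "batch": "EGG-0001", "producer": "Farm A",
                  "production_date": "2017-11-01", "expiry": "2017-11-29"})
    chain.record_document("EGG-0001", "health_safety_licence", b"licence (constructed)")
    chain.record_document("EGG-0001", "lab_test_report", b"salmonella: negative (constructed)")
    chain.record({"type": "TRANSFER", "batch": "EGG-0001", "from": "Farm A", "to": "Wholesaler W"})
    chain.record_document("EGG-0001", "bill_of_lading", b"bill of lading (constructed)")
    chain.record({"type": "TRANSFER", "batch": "EGG-0001", "from": "Wholesaler W", "to": "Retailer R1"})
    chain.record({"type": "PRODUCED", "batch": "EGG-0002", "producer": "Farm B",
                  "production_date": "2017-11-02", "expiry": "2017-11-30"})
    chain.record({"type": "TRANSFER", "batch": "EGG-0002", "from": "Farm B", "to": "Wholesaler W"})
    chain.record({"type": "TRANSFER", "batch": "EGG-0002", "from": "Wholesaler W", "to": "Retailer R2"})
    return chain


def tampering_is_detected(chain: EggChain) -> bool:
    # Alter one recorded expiry date on a copy; verify() must then fail for the copy only.
    forged = copy.deepcopy(chain)
    forged.blocks[1].event["expiry"] = "2018-01-31"
    return chain.verify() and not forged.verify()
```

Running `build_demo_chain()` and then `payment_due("EGG-0001")` returns `True` only after the transfer from the farm and all three documents are on the chain, while `EGG-0002`, which has no documents recorded, is not paid; `recall_targets("Wholesaler W")` returns both batches with their downstream retailers, which is the recall list the narrative describes. The design choice worth noting is that the ledger stores digests rather than documents: it can still prove what was presented at the time without holding the content itself.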
1. Foster a great degree of cooperation among supply chain trading partners from end to end; a successful blockchain implementation does rely on interoperability and collaboration.
2. Ensure that control is exerted by an external legal authority over the authenticity of the content of transactions in the blockchain implementation. For example, legal entities play a key role in the Spanish “Red Alastria Consortium”, a multisector Spanish blockchain network established in 2017 for developing projects and providing services which has all the required identification guarantees and will also comply with current legislation on data protection (Puig, 2017).
It is clear from past experience that the rapid development of new technologies leaves legislators playing catch-up, and as blockchain seeps into the wider world there will no doubt be legislative challenges to its governance and use along the way. Proper advice on these and all other technical issues is, of course, a must.
Ignacio López del Moral is a blockchain expert and business consultant with Spanish firm Everis.
The author acknowledges and thanks colleagues in ESP, CILT and Everis for all their assistance.
For further details contact Ignacio López del Moral, Everis. A full bibliography for this article can be found at www.linklinejournal.com/blockchain