Commentators have suggested that 2017 is the year that blockchain transitions from theory
into practice, particularly in sectors which have been exploring the technology
for some time. That means lawyers need to get up-to-speed with the technology
and, in particular, the legal risks and challenges associated with it. Whether
you are an in-house counsel or private practice lawyer, if a client approaches
you for support on a blockchain project, here are the key questions that you
may be asked.
1. What’s the approach of law and regulators to blockchain?
There is currently no
specific law and regulation governing blockchain and distributed ledger
technology. That’s not surprising. It’s rare that we introduce law and
regulation in direct response to a technology. Indeed, increasingly, the
intention of lawmakers and regulators is to try to introduce law that is
technology-neutral to ensure that the rules remain fit for purpose as
technology evolves. However, from time to time, regulatory guidance is
introduced to provide organisations with a steer on how existing rules should be
interpreted in the context of a particular technology (eg the FCA’s guidance on
cloud computing).
For now, lawmakers and regulators are taking a wait-and-see
approach to blockchain, while acknowledging
its potential and possible risks. This is a prudent approach – until the
technology has been properly tested, any regulation of the technology could be
premature and hamper its development.
Accordingly, when approaching a particular use case
for the technology, you need to apply existing law, while keeping an eye out
for future developments. You will need
support from those with expertise in the particular area impacted by the
technology. For example, in a regulated sector such as financial services, it
will be important to work together with your relevant regulatory experts who
understand the impacted functions and processes and related rules.
2. What are the legal and regulatory issues?
There are a variety of legal and regulatory issues that will need to be considered,
but these are likely to differ depending on the particular use case, and
whether the
ledger is public or private. For private ledgers, many issues can be handled
contractually in agreements between the participating members. For public
ledgers, the approach will need to be different.
Some of the key legal issues that you will need to consider include:
· Who is regulated? Control over the ledger is necessarily distributed, so
how do you control or regulate the ledger, its users or other parties in the
system? Who is accountable in a decentralised system? Whom (or what) do you regulate? Who is liable
if things go wrong?
· Who is the regulator? Given the cross-border nature of the technology, who
would regulate? It’s very likely that ultimately there will need to be agreed
international regulatory principles and co-operation among regulators.
· Legal and regulatory compliance. To what extent will law and regulation
impact the use case? How will you be able to demonstrate compliance? If the
legal position is not entirely clear, how will you deal with this uncertainty?
· Legal status. What’s the legal status and
enforceability of a “smart contract” (neither smart, nor a contract; better
described as a programmable transaction), a DAO (a decentralised autonomous
organisation), or a blockchain “token”? Where the relevant concepts don’t fit
with existing legal norms, how can you mitigate risk?
· Consumer protection. Where consumers are involved, consumer protection will
be a key concern of regulators. With
such transformative technology, how do you ensure consumers understand what
they are agreeing to, and their legal redress for failures?
· Confidentiality, privacy and
security. Privacy is widely acknowledged as a key concern with
the technology. For example, how do you
reconcile the transparent, immutable, nature of blockchain with concepts of
confidentiality or laws relating to data privacy, including the ‘right to be
forgotten’ under the GDPR? In a public ledger, all counterparties would be able
to access the ledger and the deletion of information would be difficult to
implement. Security is also a key concern, highlighted by high profile
incidents such as the “DAO hack”. Indeed, it’s these concerns over security and
privacy that are key drivers for the private blockchain solutions now being
created.
· Competition. When
considering private distributed ledgers and consortia, could there be arguments
of monopolistic or cartel activity? Also, is there a risk that algorithms are
set up in a manner which produces anti-competitive results that are secret or
not readily detectable?
· Dispute resolution. Which law and jurisdiction
will govern the contract? How will disputes be handled? To what extent will
expert evidence be essential?
3. What other practical considerations need to be considered?
Any discussion of blockchain is at risk of being rather
theoretical. As ever, when advising our clients, it’s important to focus on
practical considerations. Here are some of the issues that you will need to consider
when advising a client that is providing or procuring blockchain technology/services.
· IP strategy.
Who will provide the technology? Will the client develop the technology
in-house and seek to get value and competitive advantage from that? Or would it be more cost-effective to
license in the technology? Of course, given the large number of blockchain
start-ups springing up, your client might even consider acquiring a blockchain
start-up to obtain the necessary technology.
· Patents. We
are seeing a wave of patent application filings. You will need to be mindful of
this and carry out appropriate due diligence for each project/service
offering. We don’t yet have industry
standards, for example royalty free, FRAND licensing standards, but these may
emerge as the technology develops.
· Contract. How do you contract for
blockchain services? Although it’s
nascent technology, analogies can be drawn. In essence, a blockchain project is
going to be similar to any complex IT development/digital transformation
services project. But it’s unlikely that there is going to be a ‘one size fits
all’ approach – much will depend on the technology, use case, and nature of the
offering. A supplier of blockchain technology will want to create a contract
that mitigates risk, but isn’t so one-sided that customers won’t sign up. Of
course, where the supplier is reliant on sub-contractors or third-party
technology it will also want to make sure that risks and liabilities are
backed-off as much as possible.
4. What are the key contractual issues?
Although the technology is new, many of the issues will
be familiar.
· Testing, Implementation and Acceptance. Given the novelty of the technology, there
will need to be considerable focus on testing, implementation and
acceptance. The parties will need to
consider carefully the potential risk of failure, what remedies should apply,
and any customer dependencies, particularly as we know that many technology projects
do fail. Projects are delayed, exceed budget, and/or don’t deliver technology
that meets the customer’s needs. And this risk is inevitably greater when you
are dealing with new technology that is not tried and tested. The “DAO hack” is
a stark lesson in the value of thorough code review. Just because a technology
is new, doesn’t mean that you can relax your standards when it comes to design,
testing and implementation. In addition to ensuring that the contract includes
appropriate remedies to deal with failures and disputes, the parties should aim
to create a contract which helps avoid those failures and disputes occurring in
the first place. For example, consider requiring a third-party specialist to
audit/validate the code before putting it into production.
· IP. Intellectual
property ownership and licensing issues will need to be considered. For
particular use cases, the customer may try to seek exclusivity. In addition, given
the rate of patent filings and the potential risk of intellectual property
right infringement, the customer will require appropriate IP indemnities. In
which case, the supplier will want to take into account the extent to which it
controls the implementation and use of any technology or services by the
customer.
· Warranties. The parties will need to evaluate what warranties and disclaimers are
appropriate. Wide disclaimers from the supplier are unlikely to be acceptable,
but the supplier will want to try to limit the warranties as much as possible
to cover what it can control.
· Liability. As in any deal, liability is going to be a key focus. Risks will need to
be evaluated and it’s likely that the supplier will want to cap its liability,
and exclude various liabilities. For example, if the service offering involves
provision of a blockchain platform, the supplier may accept liability for
provision of the platform (subject to a cap). But the supplier is likely to
want to exclude liability for transactions conducted over that platform.
· Change of Law. Compliance with law and change of law provisions are going to be
particularly important, even more so than in a typical technology deal. The law
and regulation affecting blockchain is likely to shift over time. Accordingly,
it’s going to be important to set out clearly in the contract which party is
liable for compliance with laws, monitoring for change of laws and the costs of
changes. A supplier will often accept liability for compliance with laws
affecting the provision of the services. However, the supplier will generally expect
the customer to be liable for laws affecting the particular use/application of
the services, plus any industry rules. However, this is likely to be a
contentious topic – particularly if the supplier’s offering is a utility type service
or a service focused on a particular sector.
· Changes. The parties will need to consider how to deal with other changes. For
example, how will they handle changes to code that may be required over time?
How will they deal with incidents? For example, if it’s a private ledger, will
the approval of all members be necessary? What action will be taken if error or
fraud is identified?
· Data privacy/security. As detailed
above, it’s going to be essential to deal appropriately with data security and
cyber security risks. That will include ensuring ‘privacy and security by
design’ during the development and implementation stage, plus appropriate contractual
provisions dealing with compliance with law, incidents, audit and liability. (For
a useful overview of the cybersecurity risks, take a look at ENISA’s recent report on DLT and Cybersecurity.)
As technology lawyers, our role involves helping
clients tackle the legal risks and challenges that accompany technology change
and come up with creative solutions. The fact that law is always playing
‘catch-up’ to technology is what makes our jobs so fascinating. Blockchain is simply
the latest technology on the block. We all need to ‘roll our sleeves up’.
Sue McLean, Of Counsel, Morrison & Foerster LLP