They can easily be.
GDPR definition of personal data: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier …”
CCPA definition of personal information: “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household …”
As the address (or better, the public key) isn’t necessarily linked to real-life data, we may have either (1) anonymous data, which isn’t subject to data protection laws, or (2) pseudonymized personal data (i.e. the data subject can be identified by adding other data), which is. How do we tell? The GDPR test (see recital 26) is that “account should be taken of all the means reasonably likely to be used … To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”
So the – somewhat similar-feeling – tests are whether the address: (i) belongs to an identified person, or to someone who can be identified using means that are reasonably likely to be used; or (ii) is reasonably capable of being associated or linked with a particular consumer or household.
The Frosties Rug Pull case is one example of this working in practice:
Very briefly, in that case the defendants sold NFTs based on the promise of future value and utility while concealing their real-life identities, then terminated the project and transferred the sale proceeds (ETH) to personal wallets. They used Tornado Cash to try to hide the funds but eventually transferred them to centralized exchanges (presumably to cash out). The US IRS and DOJ were able to identify them and bring proceedings for fraud and money laundering offences. To do so, investigators used some not especially novel techniques to associate the addresses linked to the suspicious activity with the defendants’ real-life identities, combining, among other information (a sketch of this kind of linkage follows the list):
- IP addresses, usernames, phone numbers, and emails from Discord;
- names and residential addresses from Coinbase KYC records;
- law enforcement records of who resided at the addresses;
- IP address activity on Twitter;
- blockchain transaction records linking the NFT funds with the defendants’ wallets;
- information from credit card providers, OpenSea, BitPay, GoDaddy, PayPal, Fiverr, etc. (relating to the defendants’ use of services to set up the NFT website, design the images, and transfer funds).
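For illustration only, here is a minimal TypeScript sketch of the kind of record linkage described above: joining a Discord-style activity log with exchange KYC records on a shared attribute (an IP address). All names, IPs, and addresses below are invented, and a real investigation would of course combine many more signals.

```typescript
// Hypothetical record linkage: match a pseudonymous wallet address to a
// real-life identity by joining two datasets on an overlapping attribute.

interface DiscordLog {
  username: string;
  ip: string;
  walletAddress: string; // address the user connected or posted
}

interface KycRecord {
  legalName: string;
  ip: string; // IP recorded at exchange login
}

// Invented sample data for illustration only.
const discordLogs: DiscordLog[] = [
  { username: "nft_fan_42", ip: "203.0.113.7", walletAddress: "0xABC...123" },
];

const kycRecords: KycRecord[] = [
  { legalName: "Jane Doe", ip: "203.0.113.7" },
];

// Join the two datasets on IP address: every match ties a wallet address
// (pseudonymous on-chain) to a KYC'd legal name.
function linkIdentities(logs: DiscordLog[], kyc: KycRecord[]) {
  return logs.flatMap((log) =>
    kyc
      .filter((rec) => rec.ip === log.ip)
      .map((rec) => ({
        walletAddress: log.walletAddress,
        username: log.username,
        legalName: rec.legalName,
      }))
  );
}

console.log(linkIdentities(discordLogs, kycRecords));
// -> [{ walletAddress: "0xABC...123", username: "nft_fan_42", legalName: "Jane Doe" }]
```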
Maybe the defendants were careless in leaving traces – but the IRS didn’t have to look very far.
At least the exchange addresses, which are firmly linked to real-life identities, would seem to fall squarely into the category of personal data. But private/unhosted addresses also appear to be linkable given enough additional data (not to mention naming services that let us use “edenlegal.eth” or similar instead of 0x2113A96bdBfbBd5E192Bca20b46Cc40AE5Fe316F). Returning to the GDPR test, of course, the IRS is able to use means of obtaining additional information that we can’t (and have no reason to) use – we can’t subpoena CEXs or credit card companies. However, we should definitely be looking at the other data we have on the user. Depending on the dApp, game, mint, or other service, we’ll often ask users to connect their Discord ID to their account. And we’ll probably have analytics with unique IDs and IP addresses. And that could be enough. Mandatory KYC is spreading to other crypto applications too.
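On naming services specifically, here is a minimal sketch (using ethers.js v6, with a placeholder RPC endpoint) of how an ENS name and a raw address map to each other in both directions. Whether these particular records exist on-chain is an assumption for illustration.

```typescript
// Sketch of ENS forward and reverse resolution with ethers.js v6.
import { JsonRpcProvider } from "ethers";

// Placeholder RPC endpoint; substitute a real Ethereum mainnet provider.
const provider = new JsonRpcProvider("https://example-rpc.invalid");

async function main() {
  // Forward resolution: human-readable ENS name -> address.
  const address = await provider.resolveName("edenlegal.eth");
  console.log("edenlegal.eth resolves to:", address);

  // Reverse resolution: address -> ENS name, if the holder has set a
  // reverse record (the address below is the example from the text).
  const name = await provider.lookupAddress(
    "0x2113A96bdBfbBd5E192Bca20b46Cc40AE5Fe316F"
  );
  console.log("Reverse record:", name);
}

main().catch(console.error);
```

The point being: a reverse record voluntarily set by the holder turns an opaque hex string into a searchable, human-readable handle.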
So we may be in the presence of (pseudonymized) personal data here (see also Blockchain and the General Data Protection Regulation, European Parliamentary Research Service, 2019). That would mean the requirements of data protection laws apply in full: a proper legal basis for processing to be identified; transparency information to be given; documentation and security measures to be put in place; impact assessments to be carried out; maybe a data protection officer or EU/UK representative to be appointed; individuals’ legal rights requests to respond to; data breaches to notify; agreements with third parties to put in place; restrictions on international transfers; and so on. And fines if we don’t. And let’s not forget the extraterritorial scope of these laws. This raises another question: under GDPR we need to apply the principles of data minimization and data protection by design, so we should also be considering which parts of this data we actually need.
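On data minimization, one possible measure (a sketch under stated assumptions, not legal advice) is to avoid storing raw identifiers where a derived value will do: for example, keeping a keyed hash of the wallet address for deduplication and truncating IP addresses before they reach the analytics store. The key handling and field choices below are illustrative assumptions, and a keyed hash of a public address is still likely pseudonymized personal data rather than anonymous data.

```typescript
// Sketch of two data-minimisation measures for a Web3 service backend.
import { createHmac } from "node:crypto";

// Illustrative assumption: the key comes from the environment and is kept
// out of source control; "dev-only-key" is a placeholder fallback.
const PSEUDONYMISATION_KEY = process.env.PSEUDO_KEY ?? "dev-only-key";

// Keyed hash of the wallet address: without the key, the stored value
// can't be trivially matched back to the public on-chain address.
function pseudonymiseAddress(address: string): string {
  return createHmac("sha256", PSEUDONYMISATION_KEY)
    .update(address.toLowerCase())
    .digest("hex");
}

// Drop the final octet of an IPv4 address before storage, so analytics
// keep coarse location/network data without the full identifier.
function truncateIpv4(ip: string): string {
  return ip.split(".").slice(0, 3).join(".") + ".0";
}

console.log(pseudonymiseAddress("0x2113A96bdBfbBd5E192Bca20b46Cc40AE5Fe316F"));
console.log(truncateIpv4("203.0.113.7")); // -> "203.0.113.0"
```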
Of course, this doesn’t feel very “Web3”. It’s common to hear that “blockchain is different” (see also: IP rights). But yet again, “real life” laws still apply on-chain, and these are the sorts of surprises we need to consider, and either rule out or prepare ourselves for.
Image Credit: FlippyFlink, CC BY-SA 4.0