newtech.law - legal aspects of new technologies

When hackers exploited vulnerability due to software not being updated at a US credit agency, important data of millions of customers in the US, Canada, and the UK were leaked. The US federal authorities have launched an investigation that could lead to millions in fines. Bosses at the firm were questioned in a congressional hearing and the agency is facing the largest class action in US history. This sounds like the plot of a financial thriller, but the Equifax case did in fact happen and is a lesson for the future.

Apart from disrupting business activity, causing financial losses, and damaging a firm’s image, hacking can also lead to severe fines for failing to comply with personal data protection or cybersecurity regulations. Businesses which are victims of cybercrime might also be liable towards customers and employees for loss or leaking of important data. Compensatory liability is also possible under Polish law in cases of this kind, and may affect anyone. Cybersecurity reports show that approximately three quarters of businesses have experienced a cybersecurity incident of some kind, and these statistics are unlikely to fall in the near future. Former FBI director Robert Mueller summed up this situation well, saying “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again”.

The legal status of cryptocurrency is particularly important not only for the so-called crypto space, but also for the future of development of blockchain technology. Recent EU legislative proposals classifing “virtual currencies” as financial instruments might significantly reduce blockchain activity in Europe.

Newly formed companies, and companies that have been on the market for some time, are becoming increasingly aware of their obligations under AML/FT regulations. Firms in various sectors, such as the technological sector, do not always realise that these obligations are only applicable to the types of entities listed in AML laws. Some businesses employ know your customer (KYC) identification procedures equivalent to those provided for in AML laws even though they are not subject to these laws. The problem is that overzealousness of this kind might be a breach of laws in other areas, especially personal data laws, above all the GDPR.

Anti-money laundering (AML) is the first area of Polish law where the parliament has adopted regulations directly related to cryptocurrencies and some other types of crypto-assets. We have devoted a lot of articles to this issue on the blog.

The direction of changes in the Polish law concerning AML results from the development of a global approach to this issue. Mostly this is due to the work of the Financial Action Task Force. FATF is an intergovernmental organisation authorised to create and assist in the implementation and monitoring of anti-money laundering standards, financing of terrorism and financing of the proliferation of weapons of mass destruction. The EU and Polish legislative work on revision of the AML regulations is based on the models presented in FATF publications from 2014 and 2015.

Smart contracts eloquently capture the dilemma facing traditional legal systems, whose inefficiency has reached dimensions threatening systemic incoherence and failure to achieve the purposes the law is intended to serve. The system needs urgent reform. But the alternative of replacing the law as we know it with automation and algorithms threatens the loss of the internal profundity of the law and its openness to nuances. This dilemma will be more and more apparent in the years to come. In this context, it is essential to achieve a clear understanding of the hopes and threats integral to smart contracts.

It should come as no surprise to attentive readers of this blog that the European Union may take up the regulation of ICOs as a method of obtaining funds through the public distribution of digital tokens (or coins).

So far, we have only been confronted with market speculation on this issue, and the Commission itself has not signalled a willingness to take any legislative steps in the imminent future (see e.g. FinTech action plan published in March 2018).