The Crypto Lawyers Toolkit: A look at various laws and regulations which may apply to cryptocurrencies and digital assets

With more and more people investing in cryptocurrency and engaging with other blockchain technologies such as NFTs, it’s important to remember that there is a broad range of possible legal implications. And accordingly, having a good understanding of these issues can be incredibly useful when considering various risks, pitfalls, remedies, and protections in the cryptocurrency space.

In this article, Kelsey Farish (associate, technology and media) and Chris Air (partner, technology and data protection) offer a high-level overview of some areas of the law which touch upon cryptocurrencies and other digital assets.

• Fraud and other financial crime. A mix of criminal offences and civil penalties apply to financial crime: the Fraud Act, common law conspiracy to defraud, lawful means conspiracy and unlawful means conspiracy are but a few of the actions which may “bite” in such instances. In the crypto space, a popular scheme is where fraudsters behind illegitimate cryptocurrencies will post advertisements which claim high returns on investment. Some adverts or even feature fake endorsements from well-known celebrities, in an attempt to make them seem more credible. Ultimately, however, the fraudsters are only after the investor’s cash and / or personal information.

This scam may be referred to as a “rug pull”, a malicious tactic where fraudsters abandon the cryptocurrency project in question after receiving investors’ funds, and run off with the money. Jonathan Brogden, a DACB partner and expert in banking and finance disputes, wrote about one such rug pull in his article, SQUIDs in! Scammers pull the rug on Netflix inspired token. Other issues to consider in the fraud context include asset tracing (especially as English courts have recognised cryptoasset as property which can be seized or frozen), disclosure, and regulatory protections for investors.

• Liability and fiduciary duties. In April 2022, encryption keys for the use of $4.5 (£3.6) billion’s worth of digital assets were deleted as the result of a cyber attack. A group of investors brought a claim against the cryptocurrency software developers, alleging the developers owed a fiduciary duty and / or duty of care to owners of digital currency assets on their networks.

Jonathan Brogden and Tim Ryan, partner and head of DACB’s technology and media practice, explored this thorny issue in their article, “Single-minded loyalty”: High Court examines Bitcoin developers’ duties to restore lost private keys. Although the case turned on very specific facts, it nevertheless offers an interesting perspective on the burgeoning legal analysis and public policy in this area. We anticipate seeing an increase in cases where developers are pursued for failings resulting in financial loss, such as malicious or negligent security threats to their networks, breach of anonymity or the operations of the “proof of work”.

• Commercial contracts. In the cryptocurrency and NFT ecosystems, there are myriad stakeholders and players. Platform providers, marketplaces and exchanges, individual creators and rights holders, as well as ‘owners’ and decentralised autonomous organisations (DAOs) are just a few examples. Each of these stakeholders will have their own priorities to pursue and interests to protect, and as such, the contractual frameworks they rely upon will vary greatly, and be highly nuanced.

A few examples of such contracts include an exchange platform’s terms of use, a software developer’s assignment of intellectual property rights, or an endorsement contract covering the use of a celebrity’s image for an NFT. Licence agreements between an NFT creator and the purchaser of the NFT, or a social media platform’s T&Cs regarding the promotion of cryptocurrency, are likewise relevant. For each of these contracts, issues regarding the rights and obligations of the parties, intellectual property, liability, warranties, jurisdiction, and much more will need to be considered. In short, as with any transactions involving property or investment, one should always be mindful of the “small print” governing a cryptoasset sales, purchases, storage, security, or transfer of other rights.

• The Advertising Standards Authority (ASA), the UK’s advertising regulator, is tasked with preventing misleading and irresponsible advertisements. Over the last year in particular, we have seen a notable increase in the ASA’s regulatory activity regarding the marketing of cryptocurrencies and Non-Fungible Tokens (NFTs). Notable areas of concern for the ASA include lack of appropriate risk warnings and the trivialisation of investments in cryptocurrency, as well as firms taking advantage of consumers’ lack of knowledge regarding how the market works.

Tim Ryan and Kelsey Farish look at several ASA decisions and list out key takeaways for companies involved in crypto marketing in their article, “Would you like Bitcoin toppings on your pizza?” UK Advertising watchdog issues rulings against crypto companies… and Papa John’s.

• Intellectual property. Rights in intellectual property, to include copyright and trade marks, are of particular importance to NFTs and other audiovisual digital assets. If you “purchase” an NFT it does not necessarily mean you own the underlying IP rights outright, unless the NFT includes a transfer of the IP. Rather, you are more likely to receive a licence to “use” the NFT, but “use” may be defined in a variety of ways. Accordingly, you should carefully study the terms of such licence, to understand the nature and scope of the rights granted.

Some marketplaces will require publication-related rights, but some may be more restrictive, for example by prohibiting sub-licensing. For more on this, see Tim Ryan and Kelsey Farish’s article, Non-Fungible Tokens: From CryptoKitties to Smart Contracts.

• Data protection. A distinct feature of blockchain technology is that it is immutable: the ledger, which may for example be used to show cryptocurrency transactions, is indelible, permanent, and unalterable. Although this is an advantage for security and authenticity, the immutable nature of blockchain poses challenges from a data protection law perspective, to include the exercise of data subject rights. For example, if an individual wishes to be “forgotten” (i.e., have their personal data erased pursuant to the GDPR), how does that right marry up against the reality of permanent blockchain records?

More broadly, how does personal data stored on the blockchain square with the principles of the GDPR, to include those of data minimisation and limitation? Other questions to consider include whether a data subject can be a data controller in relation to personal data that relates to themselves, or if use of blockchain necessitates a need to carry out a data protection impact assessment.

• Cyber security. Cybercriminals who launch ransomware attacks often seek payment in cryptocurrency, thanks in part to the fairly anonymous nature of the ecosystem. For example, cryptocurrency payments can mask the ultimate destination address associated with the ransom demand. Furthermore, unlike traditional bank accounts, it is possible to open a cryptocurrency wallet without disclosing much (or any) personally identifiable information. This poses considerable challenges when attempting to track and seize funds paid as ransom during cyberattacks.

Thankfully, from a UK perspective, we have seen the success of a proprietary injunction to seize Bitcoin following the payment of a ransom. And, other technological and legal advancements in this area are being made all of the time. Hans Allnutt, partner and head of DACB’s cyber and data risk team, and Eleanor Ludlam, partner and expert in both contentious and non-contentious cyber and data issues, regularly write about such matters in their team’s monthly bulletin. Recent articles include Another Flash In The Pan For Bitcoin Recovery and OFAC uses the Pen and the Sword in one fell swoop.

• Regulatory law and compliance. HM Government announced in April 2022 that it plans to help make the United Kingdom ‘a global cryptoasset technology hub’. As part of this initiative, we can expect to see a continued increase in regulatory measures, including new financial services legislation.

In 2020, the Financial Conduct Authority (FCA) was given powers to supervise how cryptoasset businesses manage the risk of money laundering and counter-terrorist financing. Additionally, UK cryptoasset businesses must comply with the Money Laundering Regulations (MLRs) and register with the FCA. Looking ahead, there are plans to widen the current UK financial promotion regime to include cryptoassets, by amending the scope of the Financial Services and Markets Act 2000 (FSMA) (Financial Promotion) Order 2005. Jonathan Brogden and Mathew Rutter, a DACB partner and head of our financial services regulatory team, provided further insight in their article, Crypto Regulation: Cryptoassets to be included in the UK’s Financial Promotion Regime.

• Corporate transactions and fundraising. 2021 saw a significant uptick in corporate M&A activity regarding cryptocurrency entities, to include acquisition of trading infrastructure, data analytics, and financial technology targets. As the realms of the Metaverse, DeFi, and Web 3.0 continue to expand, we expect to see both the volume and value of such transactions to increase. Likewise, many cryptocurrency projects are now rapidly scaling to become more established and sophisticated corporates in their own right, thanks in part to cash injections from private equity firms and other aligned investors. Naturally, any sort of corporate transaction or fundraising activity will need to take into consideration a wide variety of other legal issues, to include fiduciary duties, contract law and financial regulations (as discussed above).

• Further to the above commentary with regard to regulatory law and compliance, HM Government is specifically exploring ways of enhancing the UK tax system in order to encourage further development of the cryptoasset market in the UK. At present, activities which may trigger liability to pay tax include the buying, selling and / or transferring of cryptocurrency, as well as ‘mining’ or providing goods or services in exchange for cryptocurrency. Of course, the specific type of tax will depend on who is involved, and the specific situation in question: professional advice should always be sought when seeking to determine one’s liability. That said, taxes which may apply to cryptoasset holdings and gains realised by individuals could include capital gains tax, income tax and national insurance contributions. Corporate bodies may be liable to pay capital gains tax, corporation tax, income tax, national insurance, as well as stamp duties and value added tax.

This article is provided for general information purposes only, and is not intended to be legal advice. However, we do hope that it is a useful primer for those who seek to better understand how the law may apply to cryptoassets.