In part one of this series (link), we outlined some of the reasons behind the rapidly growing popularity of non-fungible tokens (NFTs), and discussed issues surrounding ownership—both of the NFT itself, as well as the associated digital asset. Part two (link) focused on IP infringement.
In this third part we'll touch on some further issues that can arise in a commercial sense, as well as some of the data protection challenges that need to be considered when dealing with NFTs.
From start to finish, the typical NFT transaction will have multiple parties involved. This may include the creator of the NFT; the owner of any assets linked to the NFT; any platform used to mint the token; the present owner of the NFT (which may be different from its creator); advertisers and influencers marketing the NFT; the purchaser; any custodian or wallet provider; and providers of other crypto-related services. In complex multi-party arrangements, it is even more important that each party's responsibilities are clearly defined.
Each party to the transaction will have different commercial interests—leaving aside issues of potential value in crypto or fiat currency for a moment—and will be subject to different legal and commercial risks. Whereas a buyer will be more interested in obtaining good title and understanding the scope of any intellectual property rights granted; and platforms and custodians will have regulatory concerns (which we will address in a future article); creators and sellers of NFTs may well need to consider compliance with consumer protection legislation.
These issues become more complex when we consider the popularity of NFTs around the world, and the potential for a global marketplace. Different jurisdictions have different legal requirements, so NFT platforms will need to ensure that they have addressed this before doing business in a jurisdiction. Market participants also need to factor in the possibility of international disputes arising, and ensure they are in a position to resolve them.
Risks for buyers and sellers
Before the scope of legal obligations can be assessed, we first need to understand who is contracting with whom? A common structure will be for the creator of an NFT to mint and list their NFTs on a third party platform which gives them access to the most relevant and broadest market for their new NFTs. In this case, there will be a contract between the creator and the platform provider for the use of the platform, and possibly between the platform provider and the other market participants (via the platform's terms of service). But what about the contract of sale for the NFT?
In many instances we've seen the contract for the initial public sale of the NFT being concluded between the creator and the purchaser of the NFT, either directly or via an agent—though there's no reason the initial 'drop' shouldn't be conducted by another intermediary. Given the degree of anonymity generally afforded by NFT platforms, the buyer has little certainty over who they are contracting with for the purchase.
A further challenge is that the terms of the sale contract are almost never adequately addressed. Not only should appropriate terms be put in place between buyer and seller to protect their respective commercial interests, and to provide clarity to both parties, but there are often legal requirements that apply to such contracts depending on the locations and identity of the parties, and the capacity in which they are contracting. Unbeknownst to the buyer and seller, additional contractual terms may be being imposed on them under the applicable law, other terms they've agreed may be unenforceable, and the contract may be cancellable by one or other of the parties. This represents a material risk which can have substantial real-world consequences when things go wrong.
Risks for platforms
And it's not just buyers and sellers that are exposing themselves to unnecessary risks, as platform providers aren't getting it right either.
For example, in July 2020 the EU Platform to Business Regulation 2019/1150 ("P2B Regulation") came into force. If NFT platforms have sellers based in Europe, then it imposes numerous measures which they need to comply with in the course of their business, such as transparency and fairness in their terms of service, a requirement to give certain specified information, restrictions around the exercise of certain legal rights, and a requirement for a system to handle user complaints. Getting this wrong can mean that the platform is unable to rely on its own terms of business, and may find itself on the receiving end of legal action as a consequence of its failure to comply.
There are also a number of risks relating to the way the transaction itself is conducted and the asset represented by the NFT is referenced, some of which we've touched on below.
As we discussed in part one, if the NFT has an associated digital asset such as an image file, the token wouldn't normally contain the asset itself. More usually, the digital asset would be stored (and linked to) elsewhere. Depending on how this is done, it can poses a risk to purchasers whereby a creator can simply change what asset is linked to at the targeted location—we've seen this happen to the buyer's dismay.
There are other risks when it comes to digital assets used in the metaverse, as whilst the NFT may be underpinned by a decentralised technology, the use of the digital assets (indeed their very existence) will be subject to the standard terms of online service providers. Significant sums of money spent on NFTs for digital real estate will be wasted if that 'land' is not accessible by the owner, or is otherwise subject to adverse contractual rights of metaverse platform operators.
It's not just a case of buyer beware however, as creators are also at risk of losing out on royalties. Because of the lack of cross-market compatibility for smart contracts, or simply because transactions can be completed off-chain and subsequently recorded (or not) on the blockchain—for example in that case of sale by an auction house—the NFT creator may not receive the royalties due on each secondary transfer.
Sustainability is also a live issue, and the impact of cryptocurrency on the environment is well documented. Those same concerns apply to NFTs, and this can give rise to significant reputational issues to those who wish to participate in the market at any scale. Last year, ArtStation (a large digital art exhibition space and marketplace) announced plans to launch an NFT platform. Within hours of the announcement, the backlash relating to the environmental impact of such a venture was so severe that ArtStation released a statement cancelling their plans. Even despite them having plans to offset the emissions from their platform, critics stated dealing in cryptocurrency was environmentally unethical and that ArtStation's measures to offset emissions were inadequate.
Personal Data and DLT
The use of any distributed ledger technology is difficult to square with UK and European data protection laws—specifically, the EU and UK General Data Protection Regulation (collectively, the "GDPR"). Right now, there is also a lack of clear regulatory guidance as to how, in practice, those laws should be applied to blockchain and other Web 3.0 technologies. However, regulatory commentary is regularly published and, as cases are decided, the law in this area is constantly evolving. This presents uncertainty and a degree of risk to those using and operating the technology.
The GDPR regulates the processing of personal data, and transactions involving NFTs will often involve the processing of personal data in some capacity. The token will contain personal data relating to its creator and, depending on the nature of the associated digital asset, that asset may contain or comprise personal data (whether of its creator or of another third party). As the NFT changes hands, new personal data of each subsequent owner will be written to the blockchain ledger to record their ownership. While this personal data is usually pseudonymised, unless it is rendered completely anonymous (which carries a high bar) it will still remain governed by the GDPR.
Controller / Processor Determinations
Obligations under the GDPR apply to controllers (the person or entity that determines 'what, how, and why' personal data is used), and processors (the person or entity that processes personal data under the instruction of the controller). The majority of obligations, and the most onerous, fall to controllers.
Whilst the determination of who are controllers and who are processors is a question of fact, it is a difficult question to answer in a distributed ledger context where there are multiple parties involved and, indeed, many of those parties arguably able to influence the 'what, how, and why'. The answer may well differ depending on how the blockchain is operated—for example, whether it is private, public, permissioned, centralised, or decentralised. In the NFT space, it's entirely possible that platform providers influencing what personal data is collected on market participants (and which may subsequently be written to the blockchain) would be considered by regulators to be controllers, with substantial consequences.
Fundamentally, this makes it difficult to determine which parties bear ultimate responsibility and liability for compliance with the controller requirements of the GDPR. This is evidently a key question for those establishing a blockchain solution to consider and resolve from the outset, it also makes it very difficult for market participants to understand who is responsible for how their personal data is used.
Another key challenge with distributed ledger technology is the processing of personal data contained in the blockchain across multiple different networks and territories.
The GDPR generally prohibits the transfer of personal data out of the EEA and the UK unless to a limited number of 'adequate' territories, or unless the transfer is subject to appropriate safeguards (such as standard contractual clauses approved by the UK/EU). However, it becomes difficult—particularly in the context of a public blockchain—to maintain oversight and governance over the data flows that may arise when blockchain transactions are verified and written by miners located all over the world. This then begs the question of how a controller can implement appropriate safeguards.
Data Subject Rights
Data subjects are afforded a number of rights under the GDPR, including, for example, the right to access their personal data, the right to have inaccurate data rectified and the right to erasure. The immutable nature of blockchains makes it inherently more difficult to comply with data subject rights that are exercised with respect to personal data recorded within them. Yet regulators expect these rights to be complied and suggest that controllers should look to technical solutions that make compliance possible. For example, by only recording hashed data to the ledger and deleting the hash function's key in response to a deletion request. Those parties responsible for compliance with data subject rights will need to consider how to go about technically giving effect to them.
Finally, particular attention should be paid to the security requirements of the GDPR. Controllers will need to consider how they can ensure the security of any personal data contained in the blockchain to avoid the risks of security incidents affecting the ledger and any personal data contained in it. This may involve a combination of technical and contractual measures.
In our view, the current market does not adequately address these fundamental legal issues, and a lack of understanding of the risks is very likely to lead to buyers, sellers, and platforms getting their fingers burned. This really is an area that is ripe for reform, and those active in the market need to ensure they get the basics right.
In the next part of this series, we will look at the potential for criminal liability and compliance issues when it comes to NFTs.
The issues associated with NFTs, blockchain, distributed ledger technology (DLT), and digital assets are cross discipline—from regulation and technology licensing, to privacy and IP. Our leading technology law team has the expertise and experience to help you achieve your strategic objectives when it comes to emerging technologies.
If you have any questions about NFTs, please contact Chris Eastham at firstname.lastname@example.org.
Sign up to our email digest