Brazil: Data protection in the cryptocurrency market
The proliferation of cryptocurrency as a means of payment in recent times has made it all the more necessary to examine the data privacy aspects of this technology. Maria Godoy, Privacy Consultant at Hitachi Systems Security Inc., discusses this topic in the Brazilian context.
Data protection in Brazil is still a relatively nascent topic, driven mainly by the adoption of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), which came into force on 18 September 2020. As such, here are still many challenges to be addressed regarding this topic.
When it comes to understanding privacy and data protection repercussions in the cryptocurrency market, the challenge is even more complex since this particular market in Brazil is still subject to ongoing discussions about its regulation.
Already in May 2019, the Brazilian Internal Revenue Service ('IRS') brought a series of essential definitions, including a definition of crypto-assets in the Brazilian jurisdiction, outlining it as:
'The digital representation of value denominated in its own unit of account, whose price can be expressed in local or foreign sovereign currency, transacted electronically with the use of cryptography and distributed ledger technologies, which can be used as a form of investment, an instrument for transferring value or accessing services, and which does not constitute legal tender.'
Even though the idea of 'digital cash' is not new, in recent years developments in the virtual economy has led to a growth in the commercial use of cryptocurrency, including new Metaverse projects and the rise of the NFT market. This scenario is no different in Brazil. According to the IRS, between January and November 2021, Brazilians traded USD 11.4 billion in stablecoins and nearly tripled the total traded in 20201. This market growth is evident.
With significant improvements planned for the mechanisms used in the cryptocurrency market2, 2022 might be considered the 'year of regulation' in this field3. In Brazil, this phenomenon is already being noticed, where the Committee on Economic Affairs ('CAE') will consider three bills on this matter in February 2022.
These bills will cover services related to operations carried out with crypto-assets and electronic trading platforms (Bill No. 3,825/2019), virtual currency transactions and operations of cryptocurrency exchanges (Bill No. 3,949/2019), and the activities of legal entities with virtual assets and crimes related to the fraudulent use of virtual assets (Bill No. 4,207/2020).
Alongside the effort to define a regulatory framework for cryptocurrency in Brazil, the data protection landscape is also developing. Almost one year after the LGPD came into force, in August 2021, the audits and sanctions it provides were authorised to be carried out by the Brazilian data protection authority ('ANPD').
Moreover, regarding the progress in the data protection landscape, on 10 February 2022, after a lengthy legislative journey, the right to the protection of personal data ended up being included in the list of fundamental rights outlined in Article 5 of the Brazilian Constitution, bringing greater legal security to data subjects4.
Therefore, based on all the ongoing regulatory developments for cryptocurrencies and data protection, a key question arises: where do these two fields touch when it comes to protecting individuals' rights?
Although the cryptocurrency market is not fully regulated in Brazil, national regulations in place may apply to it. This is the case with the LGPD, which applies to:
- data processing within the territory of Brazil;
- data processing of individuals who are within the territory of Brazil, regardless of what jurisdiction the data processor is located; and
- data processing of data collected in Brazil.
Considering the above, different players from the cryptocurrency ecosystem may be subject to the LGPD, such as exchanges, over-the-counter trading, portfolio management providers, lending and gaming platforms, miners, analytical tools and info resources, and trading bot providers. All these types of organisations may be required to respect Brazilian legal provisions on data protection, either in the position of the data controller or as data processors5.
For instance, considering the Bitcoin blockchain, different information - by itself or combined with other pieces of information - has the potential to identify an individual, such as by the amount of Bitcoin they possess, which wallets they use to trade, their habits of trading, and their transactions. This then may be considered personal data and protected under the LGPD.
Therefore, two fundamental steps to implement data protection under the Brazilian regulation are complying with the ten principles and the six rights outlined in the LGPD. Similar to those recognised by other privacy and data protection regulations around the world, such as the General Data Protection Regulation (Regulation (EU 2016/679) and, to some degree, Canada's Personal Information Protection and Electronic Documents Act 2000, the LGPD provides the following principles:
- the principle of purpose;
- the principle of adequacy;
- the principle of necessity;
- the principle of free access;
- the principle of data quality;
- the principle of transparency;
- the principle of security;
- the principle of prevention;
- the principle of non-discrimination; and
- the principle of accountability.
Moreover, the LGPD also establishes the following rights:
- the right to be informed;
- the right to access;
- the right to rectification;
- the right to erasure;
- the right to object;
- the right to data portability; and
- the right to not be subject to automated decision-making.
It is essential to draw attention to certain specificities in the cryptocurrency market. For instance, it is not unusual to providers use third parties to deliver their cryptocurrency-related services, which can be done for several purposes, such as identity verification, transactions processing, and tracking. These practices must then respect the principles and rights mentioned above, especially the principles of purpose, adequacy, and transparency, as well as the right to be informed.
Several other examples can substantiate the LGPD's application - and its challenges - into the market of cryptocurrencies in Brazil. One of the most discussed is the right to rectification and erasure, provided in Article 18 of the LGPD, in the context of blockchain usage, such as for the cryptocurrency market.
According to these rights, individuals can demand a data controller to erase their personal information or to correct incomplete, inaccurate, or outdated information about them. Because of blockchain technology's immutable nature, data erasure or rectification can be more difficult. Still, there are solutions for complying with these data subject rights, such as keeping users' data off-chain and applying cryptographic systems for on-chain authentication to guarantee data authenticity. Within this context, Privacy by Design is an essential aspect of data protection for cryptocurrency ecosystem.
As we have seen, although there is not a stable and comprehensive framework for the cryptocurrency market in Brazil, data subjects engaged in this field still have their data protection rights covered by national legislation, especially the LGPD. Therefore, the usual LGPD roadmap applies to the cryptocurrency market, identifying the parties and their rights, implementing appropriate safeguards, and complying with general data protection principles and rules.
1. Andrés Engler, Why is Brazil the big bet of global cryptocurrency brokerages in Latin America?, 25 January 2022 (only available in Portuguese): https://www.infomoney.com.br/mercados/por-que-o-brasil-e-a-grande-aposta-das-corretoras-globais-de-criptomoedas-na-america-latina/
2. How Ethereum Will Be Transformed in 2022, 31 December 2022: https://techguysfdc.medium.com/how-ethereum-will-be-transformed-in-2022-3bf1bec80d81.
3. Renan Sousa, World's largest cryptocurrency broker, Binance sees 2022 as the 'year of regulation' for the market, 19 January 2022 (only available in Portuguese): https://www.seudinheiro.com/2022/bolsa-dolar/papo-cripto-010-binance-criptomoedas-regulacao
4. Art. 5 - All are equal before the law, without distinction of any nature, guaranteeing Brazilians and foreigners residing in the country the inviolability of the right to life, liberty, equality, safety and property, in the following terms: LXXIX - the right to the personal data protection, including in digital media, is ensured under the terms of the law. (Included by Constitutional Amendment 115, of 2022).
5. LGPD definitions (Article 5, VI-VII): 'Controller: a natural or legal person, governed by public or private law, who is in charge of decisions concerning the treatment of personal data; Processor: a natural or legal person, under public or private law, who processes personal data on behalf of the controller.'