EU Regulations loading: PhotoChromic keeps you compliant and doesn’t expose your personal information on chain

By Photo Chromic. Published in Photochromic, May 3, 2022.

Web 3.0 is the digital future

We recently shared our initial thoughts on the new EU draft regulations[2] that were published on 1 April 2022. In short, these regulations stipulate the personal data that should accompany transfers of funds. The draft regulations widen the rule[3] to now include transfers of crypto-assets.

In our earlier note, we shared the core values of Photochromic. We are founded on our belief that blockchain and Web 3.0 will be the future digital foundation for society and our belief that it is imperative that these systems offer privacy, security, equality, and financial access for all.

We are deeply passionate about Web 3.0 and the power of decentralization. We recognize the need to balance the power of Web 3.0 with the importance of creating a safe digital space where anonymity is not an inalienable right.

We feel that PhotoChromic provides a regulatory-friendly solution to the proposed EU legislation, while still putting the Web 3.0 customer first, by giving them the ownership and management rights to share information selectively.

We believe that the primitives of blockchain, decentralization, open-source software, immutability, consensus protocol, and community governance lend themselves well to reimagining the financial system of the future. Through the blockchain primitives, regulators are in fact afforded superpowers in combating financial crime. Before we expand on this, let us look at the regulation in a little more detail, as that is critical to the analysis that follows.

The “travel rule” in traditional banking

Here is a simplified walk through the “travel rule” as it applies to banks today.

To transfer funds from one bank account to the next:

  1. The paying bank undertakes KYC on their client (“Payer”).
  2. The receiving bank undertakes KYC on their client (“Beneficiary”).
  3. When the Payer wants to transmit funds to the Beneficiary, the paying and receiving bank share information as well as remit the payment.

Salient features of the draft EU regulations for crypto transfers

The draft regulations propose that in most instances, the transfer of crypto-assets should only be permitted where the person or business that is providing the transfer service (for example a crypto-exchange or wallet service) has collected and verified personal data of both the payer and the beneficiary. The personal data that is required to be collected includes:

  • Name and wallet address of the payer and beneficiary.
  • Address, date of birth and official personal identity document number of the payer.

Therefore the following figure illustrates the “travel rule” for crypto assets as it has been legislated.

Understandably, the Web 3 community is concerned about these proposals. The most significant concern is that the new regulations appear to seek to impose top-down, centralized control of transactions on the blockchain. Not only could this potentially undermine the anonymity and decentralized foundations of blockchains, but the onerous administrative burden also threatens to undermine the growth of this nascent, promising digital ecosystem, especially as a tool for banking the previously underserved or unbanked and in countries that have historically been unable to provide stable legal tender (El Salvador and now the Central African Republic). Think of the tremendous value that could be provided to third world countries where corruption is rife if their citizens were able to transact peer-to-peer, as is currently possible on the blockchain. In seeking to combat crypto transactions involving illicit addresses, which represented c.0.15% ($14 billion) of digital assets transaction volume in 2021[4], the EU may just have missed the greatest opportunity it has ever had at really alleviating poverty in third world countries which simply do not have access to adequate financial / banking infrastructure.

Leveraging the superpowers of Web 3.0

At PhotoChromic, we share these concerns. Overlaying the traditional finance approach to bank account management and personal data collection could be detrimental to Web 3. Following this approach ignores the salient differences between Web 2 and Web 3, including the transition away from centralized control in favor of decentralized control by the owners themselves.

Our view is that the EU is not imposing the current banking system on Web 3; rather, the proposal mandates what personal data must accompany the transfer of crypto-assets but not where that personal data originates.

We believe that upholding the core pillars of Web 3 while complying with the draft regulations is possible. The balance between compliance and decentralization may be achieved by using a personal data architecture that is driven by the owner’s wallet rather than an overarching controller.

Providing accurate, reliable, independently verifiable personal data directly from the owner’s wallet to the crypto-asset service provider will preserve decentralized control over blockchain transactions and the data on the blockchain. In this way, the disclosure of personal data is controlled by the owner of that data and is limited to the specific purpose intended by that owner.

It would therefore appear that the cryptographic security, privacy, immutability and open-source nature of the blockchain can in fact safeguard not only the users and owners of the blockchain but also the regulators, preserving privacy and creating a safe digital space for all, something that is currently not possible in centralized traditional finance.

As can be seen above, KYC is undertaken on both the Payer and the Beneficiary, and the privacy of their personal information is preserved by storing it decentrally in their own wallet. Their data, their assets, their identity, only for them to view, until they choose to share it with a counterparty that they’re transacting with.

The Payer and the Beneficiary are no longer vulnerable to security hacks because their data is cryptographically secured by their biometrics. This is data privacy by design: a composable block of security that achieves the objectives of the “travel rule” in a manner not possible in traditional banking.

The digital future reimagined

PhotoChromic[5] is one of the leading NFT Self-Sovereign Identity protocols on the blockchain. PhotoChromic empowers users to create their own private personal data NFT. Once the owner has minted their PhotoChromic NFT, the owner is the only person who owns and uses their identity and personal information, maintaining full control over the sharing and use of their data. The owner of a PhotoChromic NFT can selectively share up-to-date, verified, immutable personal data to third parties of their choice.

At PhotoChromic, we envision a world where we can be as identifiable or unidentifiable as we wish, entirely under our own control.

Imagine a world where you can choose just how identifiable you want to be and you can choose what data you want to share with every single transaction. To illustrate this, let us walk through an example:

Let’s assume that you would like to buy some $ETH and you log into your profile at an exchange. Under the proposed regulations, you will be required to be identifiable for this purchase. As a PhotoChromic NFT holder, you can use the slider control on your PhotoChromic identity NFT, selectively sharing just the specific data that the exchange requires. As soon as the transaction is approved, you can return the slider control to its original position, returning to being unidentifiable with your personal data safely hidden from view.

Through the use of your PhotoChromic NFT, you have ensured that your data sharing is minimized to the smallest amount required to be shared at the time.

GDPR, the law that protects our personal data

Our final thoughts relate to GDPR[6], the law that protects our personal data. The draft regulations state that all processing of personal data is expressly subject to the GDPR regulations[7] and must be collected and used in a proportional manner.

This is not the first time the European Parliament has spoken about personal data, GDPR and the blockchain. The European Parliament previously wrote[8] that blockchains may be able to provide better control over personal data than current banking and Web 2 systems.

Our interpretation of the draft regulations is that they have been drafted with this earlier paper in mind, leaving it open to the community to find a better solution than the current system where our personal data is controlled and processed by anonymous centralized corporate entities, away from scrutiny.

Controlling our data from our wallets

PhotoChromic enables us to each mint our own identity NFT which we then carry with us in our wallet. After years of surrendering our greatest asset to third parties, we are finally able to regain full control over our personal data. The proportionate disclosure of our own data for specific purposes, including the transfer of crypto assets, will enable the Web 3 community to find the balance between a safe digital environment which is accessible to all and flourishing with innovation and the decentralized, anonymous values of the blockchain.

Footnotes

[1] Please Note: This article is for discussion purposes only. This article does not contain legal advice. Photochromic.io is not soliciting or recommending any action based on the views expressed herein. Readers of this article should undertake their own research and draw their own conclusions on the laws and regulations referenced in this article.

[2] Report on the proposal for a regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets, dated 1 April 2022 and having the reference A9–0081/2022.

[3] This rule is known as the “travel rule” and is discussed in more detail in our earlier note here.

[4] Jonathan Levin, Written Testimony of Jonathan Levin, Co-Founder and Chief Strategy Officer

[5] http://photochromic.io

[6] Regulation 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation.

[7] Article 20

[8] See the European Parliamentary Research Service: Blockchain and General Data Protection, dated July 2019 and having the reference PE 634.445

Photochromic tokenizes peoples’ identities through an NFT that is programmable, universally addressable and digitally secured.