France: Blockchain

There are many applications that use blockchain technology, even though the phenomenon is still limited in France in terms of its contribution to the economy:

First, several applications concern the digital identification and traceability of goods (e.g. Carrefour, in the area of food product tracing; LVMH, which launched an international blockchain with Microsoft and ConsenSys for authenticating certain pr oducts).

Blockchain technology is used for time stamping and authenticity of documents (e.g. Stratumn, providing solutions for safeguarding company business data, including for auditing purposes). In line with changes made to corporate law (see below), French notaries are also working on an electronic register recording transfers of shares in unlisted companies, with a view to combining it with a smart contract technology to automate the execution of shareholder agreements.

In the video game sector, Atari took part in the platform The Sandbox built on Ethereum and announced an Initial Coin Offering (“ICO”, see question 10) for November 2020 and its aim to create a token for the videogame industry that would be available to as many platforms and users as possible.

In the public sector, a 2018 parliamentary committee recommended the use by the public services of the digital identification allowed by blockchain technology to issue official documents more quickly. However, applications to the public sector are not yet particularly developed. A first State blockchain was launched in autumn 2018 by the French Agence Nationale des Fréquences (body responsible for managing radiofrequencies) with the help of the start-up Blockchain Partner, to experiment with a new method of managing frequency spectra. The French Central Bank has also launched several digital currency initiatives with public and private partners (see question 8).

In the private banking sector, major banks are showing their support for several initiatives, such as BNP Paribas (see, inter alia, their recent crypto custody cooperation programme with the start-up Curv) and Société Générale (which for example recently joined the platform Paxos for the settlement of transactions in listed securities). Crédit Agricole, in 2019, set up a funds transfer system for the bank’s customers using Ripple, announcing significant time savings for transfers, a greater transparency of exchange rates and a structural cost reduction.

Looking to the future, banking groups are considering providing certain digital asset services and also using blockchain technology to optimize their internal organization, including their back office.

More generally, 2021 has seen a clear shift towards the development of the security token market and a growing interest in new applications in the area of decentralized finance.

The tokenisation of assets is a process that is still developing in France, following initial caution with respect to trading in digital assets by regulators and a skepticism from the banking sector as regards crypto-currencies, as reflected in a 2018 parliamentary report (see question 14).

As regards ICOs, the first fund raisings did not involve large amounts and, to date, since the enactment of a legal framework to this effect (see question 10), only three companies have applied for an optional ICO visa. Indeed, at this stage, ICOs seems to have only little impact on corporate financing.

Société Générale issued the first covered bonds in the form of security tokens on a public blockchain linked to Ethereum in 2019 totalling EUR 100 million, rated Aaa/AAA by Moody’s and Fitch. Security Token Offerings (STOs) have become increasingly popular since 2019, with a corresponding decrease in the number of ICOs, according to the French financial conduct authority, the Autorité des Marchés Financiers (the “AMF”).

Service providers such as Paymium, Keplerk and Coinhouse offer cryptocurrency exchange services or/and crypto custody services. Coinhouse was indeed the first company to receive the new French Digital Asset Service Provider status (see question 10).

Other uses of tokens and virtual assets are likely to be developed with the enactment of the PACTE law that recognizes several services in relation to digital assets even though there are currently delays in obtaining such status due to the high volume of applications (see question 10).

Several French clients have also acquired tokens / virtual assets via service providers and issuers located in other jurisdictions. The legal regime governing such foreign service providers engaging with French clients depends on the exact business they carry out and the provider’s link with France – official criteria were published in 2021 on the localization of digital asset services (see question 10).

While its use is not mandatory, the blockchain technology can be used to reinforce transparency and the traceability of products, as well as to map risks or identify activities that may have a negative impact on ESG criteria.

On the other hand, several critical voices have pointed out the currently negative environmental footprint of the blockchain technology, even though studies have highlighted the increased use of renewable energy in data mining.

A number of new blockchain-related applications around the world or simply a greater use of these applications is reported by several actors in the context of COVID-19. However, there do not seem to be any new large-scale initiatives in France. We can merely mention a secured database called Screening, that uses a blockchain based on Hyperledger Fabric to identify contaminated people and those at risk, but that is only accessible to public health bodies (the official public track and trace application is not based on blockchain).

The use of blockchain technology was first envisaged by an Ordinance issued in 2016 (the “2016 Ordinance”) relating to “minibonds”, debt securities designed for equity financing, whose issue or transfer can be registered on a blockchain, and then in an Ordinance issued in 2017 (the “2017 Ordinance”) allowing the representation and transmission of securities by means of a distributed ledger technology or DLT (in French: “dispositif d’enregistrement électronique partagé” or “DEEP“). The 2017 Ordinance has since been completed by a Decree issued in 2018 (the “2018 Decree”).

For securities, the 2017 Ordinance provides that the latter must meet two conditions in order to be registered in a DEEP: (i) the securities must not be admitted to a central securities depository and (ii) the issuer must decide such registration. Securities traded on a trading platform cannot be registered in a DEEP. The registration of securities in a blockchain is equivalent to a transfer of ownership and it is possible to pledge securities of unlisted companies on the DEEP. The 2018 Decree provided additional details, such as the obligation of the DEEP to guarantee the registration and integrity of the entries and to enable the identification of the nature and number of securities held, as well as their owners. The registration system in a DEEP must furthermore be covered by a business continuity plan, and the securities holders must have access to statements tracing the transactions.

Finally, a new regime was enacted in 2019 for digital assets, which includes tokens and crypto-currencies, but excludes financial instruments (see question 10). The regime has been supplemented by several texts since then, including on AML/FT matters.

Such regime may evolve in the future given the proposals published by the European Commission in September 2020 (see question 10).

Initially, the regulators and public bodies (such as the French central bank, the AMF and the French banking regulator, the Autorité de contrôle prudentiel et de résolution (the “ACPR“)) produced publications which were mainly directed at customers, for example, to point out the risks associated with digital assets and crypto-currencies.

Recently, this has started to change. In 2017, the AMF first initiated a public consultation on ICOs; starting in 2016, regulations using the DEEP were published (see question 5). Regulators started to observe with interest the development of these activities and various reports were issued. 2018 was marked by two parliamentary committees on blockchain and crypto-currencies, a publication by the AMF on ICOs, as well as a report on crypto-currencies (see question 9). These multiple initiatives showed a growing interest on the part of the government and the regulators in these technologies. In addition, in the same year, the French Minister for the Economy expressed his intention to place France at the forefront of blockchain innovation and to make France a leader in blockchain technology.

Since then, this interest led to the implementation of a regulatory framework within a French law published in 2019 (the “PACTE Law”), followed by several publications and statements by both regulators and public bodies.

The years 2020 and 2021 have been marked by a steady increase in the regulation of digital assets. The mandatory registration with the AMF provided for under the PACTE Law was extended to new categories of digital asset service providers, AML/FT requirements have been tightened, and criteria for locating digital asset services have been published (see question 10).

The current framework on digital assets may have to be adjusted depending on the outcome of the initiative launched in September 2020 by the European Commission in this area (see question 10).

The French regulatory approach is not to follow a sandbox principle when it comes to new actors or technologies. However, as mentioned above, both the government and regulators are trying to encourage the technology, in particular in the financial sector. At the EU level, a Pan-European blockchain regulatory sandbox was announced by the European Commission in September 2020.

Regulators have launched initiatives on digital currencies at a national and international level. The ECB published in October 2020 a report on the issuance of a central bank digital currency, and a 2-year project was launched accordingly in July 2021 with a focus on keeping a low environmental footprint. The French central bank has also carried out five experimental programs on a central bank digital currency, and intends to carry out four more by the end of 2021, by partnering with public and private actors on areas such as the settlement of financial securities, cross-border payments or the interoperability between market infrastructures and DLT infrastructures.

As mentioned above, in 2017 the AMF launched a public consultation on ICOs, publishing a summary of the replies received in 2018, and French governmental initiatives and reports occurred at the same time, which led to the creation of a dedicated legal regime in the PACTE law (see question 10). The AMF has also launched the UNICORN research programme on fundraising in digital assets and set up working groups with members from the Fintech sector.

The French Central Bank has launched a consultation to identify ways of improving the efficiency and productivity of the financial system, by exploring the potential opened up by blockchain technology in order, among other things, to propose a digital euro. The process is still ongoing.

Additional consultations occurred at an international level, such as by the European Commission as regards crypto-assets, or by the Basel Committee on the prudential treatment of bank’s crypto asset exposures (the latter having been harshly criticized by the Global Financial Markets Association as “effectively [precluding] banks from being involved in the crypto assets sector, by making it economically prohibitive to do so”, as it imposes conservative capital requirements on riskier crypto assets).

Besides the PACTE Law itself and warnings in relation to certain risks arising out of the technology, several positions and instructions have been issued by the French regulators since 2019, mainly the AMF. The purpose of such publications is to provide clarification and guidance on the application of the PACTE Law and subsequently published texts on digital asset service providers and ICOs.

In addition to the above, several information reports have been issued, by:

• Public bodies such as the Parliamentary Office for the Evaluation of Scientific and Technological Choices (advocating in particular that European countries should be at the forefront of these technologies), or France Stratégie in conjunction with a number of players of the blockchain ecosystem (aiming to discover the potential of these technologies and propose recommendations to the public authorities);
• Government or parliamentary committees, including one which produced the Landau Report in 2018 (aiming, inter alia, to assess the risks of crypto-currencies), the 2018 report of the parliamentary committee on blockchain technology (suggesting in particular the use of blockchain at the level of the State and its administrations), or a 2019 parliamentary committee on crypto-currencies.

1. The legal regime resulting from the PACTE Law is based on the concept of “Digital Asset”, which includes Tokens and Cryptocurrencies. Tokens are defined as intangible assets representing, in digital form, one or more rights that may be issued, registered, conserved or transferred by means of a DEEP making it possible to identify, directly or indirectly, the owner of the said asset and cryptocurrencies. Cryptocurrencies are defined as digital representations of a security which are not issued or guaranteed by a central bank or public authority, which are not necessarily attached to legal tender and which do not have the legal status of a currency, but which is accepted by natural or legal persons as a means of exchange and which can be transferred, stored or exchanged electronically. Both tokens and cryptocurrencies are represented on a DEEP.

The AMF has confirmed that the qualification as a digital asset excludes that of financial instrument, savings bond, currency and electronic money. However, provisions relating to the status of intermediaries in various assets may be applicable.

2. Tokens and ICOs – As specified above, a Token cannot be classified as a security, it is therefore excluded that an ICO constitute an offer to the public of securities.

However, the PACTE Law introduced the concept of a public offer of tokens (“ICOs”). Offers open to a limited number of persons (150) are excluded from the regime.

Optional visa – In the event of an ICO, the issuer may apply for an optional visa of the AMF where the issuer:

• is a legal entity established or registered in France;
• has prepared a document (a “whitepaper”) containing all relevant information about the offer and the issuer, that will be made available to the public. Its content must be “accurate, clear and not misleading” and enable “an understanding of the risks associated with the offer”, which is verified by the AMF;
• has implemented means of monitoring and safeguarding the assets received in connection with the offering.

The AMF’s General Regulations lay down further details on the information that must be included in the whitepaper and the AMF’s control procedures; they specify that the visa does not imply either approval of the opportunity of the project or authentication of the financial and technical elements presented.

The issuer must publish the result of the offer on its website and must inform investors of the organization of a secondary market. The AMF has also a say on any related communications of a promotional nature.

The visa also entails AML obligations (see sub-section 6 below).

The AMF has the power to withdraw the visa whenever it finds that the offer no longer complies with the whitepaper or does not offer the guarantees required.

As application for this visa is optional, ICOs can, however, be carried out without being governed by these provisions.

3. Cryptocurrencies are not a currency in France. The French Monetary and Financial Code (the “FMFC”) states that the currency of France is the euro and the Banque de France has clearly specified that crypto-assets are not legal tender in France. In addition, crypto-assets are not considered as electronic money.

4. Status of intermediaries – The ACPR already pointed out in 2014 that the activity of receiving funds from a customer and transferring them to a crypto-currency vendor constitutes a provision of payment services and requires prior license.

Since then, the PACTE Law introduced a new status of Digital Asset Service Provider (in French, “Prestataire de Services sur Actifs Numériques” or “PSAN”). The activities concerned are as follows:

1. Storage of Digital Assets or private cryptographic keys on behalf of third parties, for the purpose of holding, storing and transferring Digital Assets;
2. Purchase or sale of Digital Assets in exchange for legal currencies;
3. Exchange of Digital Assets for other Digital Assets;
4. Operation of a Digital Assets trading platform;
5. The following services:

• The reception and transmission of orders on Digital Assets on behalf of third parties;
• Portfolio management of Digital Assets on behalf of third parties;
• Advising subscribers to Digital Assets;
• The direct purchase of Digital Assets for the purpose of selling them;
• The guaranteed investment of Digital Assets;
• The non-guaranteed investment of Digital Assets.

Required prior registration – The activities mentioned in 1° and 2° above, and, since an ordinance dated 9 December 2020, the activities mentioned in 3° and 4° above, require registration with the AMF, which obtains the ACPR’s assent. In particular, the AMF verifies the suitability and competence of senior managers, the qualifying shareholders and their location. Also, for the activities mentioned in 1° and 2° above, the AMF verifies the existence of internal control systems to ensure compliance with anti-money laundering and terrorist financing provisions. Changes to the elements declared upon registration are in certain cases subject to a procedure with the AMF.

Following the registration, the PSAN must also comply with certain rules of organization and good conduct. As at September 2021, 22 entities had received such a registration.

Voluntary license – In addition, all PSANs carrying out one of the activities above may apply for voluntary license. The AMF notably verifies their shareholding, financial standing and additional requirements depending on the business carried out.

Licensed PSANs must be able to comply, for receiving their license and on an ongoing basis, with several obligations, including in relation to IT and internal control systems, conflicts of interests, the existence of a civil liability insurance, client communications, treatment of client claims and pricing transparency. Several additional rules apply depending on the exact business carried out by the PSAN. Changes to the elements declared in the licensing process are in certain cases subject to a procedure with the AMF.

The registration or license above issued by the AMF may be withdrawn at the request of the PSAN itself or by decision of the AMF if it finds that the PSAN no longer meets the conditions for acquiring its status. As at September 2021, no actor had been issued a voluntary license.

5. Sanctions – PSANs and issuers of tokens depending on their status, may be subject to criminal sanctions, including for carrying out a business that requires a PSAN registration without such registration, non-compliance with legal requirements or communication of inaccurate information, wrongly suggesting that it is a registered or approved PSAN or benefits from an optional visa, or hindering the AMF’s supervisory mission. Also, licensed PSAN’s are subject to the ongoing supervision of the AMF, including its disciplinary and administrative powers.

6. Anti-money laundering and terrorist financing provisions – Following a harsh report by the public body Tracfin in December 2013, the conversion of crypto-assets into fiat was made subject to anti-money laundering obligations by a 2016 Ordinance – following which, in connection with the PACTE Law, the scope of persons subject to these obligations was clarified and made consistent with the new legal framework for blockchain technology (anticipating the transposition of the 5th anti-money laundering directive). The following are now concerned:

1. PSAN that are either required to obtain prior registration from the AMF or licensed (the scope of which was extended by a December 2020 ordinance);
2. Issuers that have obtained the AMF’s visa for their ICO, within the limit of transactions with subscribers taking part in this offer.

The entities concerned are subject, inter alia, to the following obligations: customer due diligence, reporting of suspicious transactions and refraining from carrying out suspicious transactions, record keeping, internal control obligations (it being specified that the scope of verifications to be carried out with occasional clients has been increased by an April 2021 decree).

7. Tax Aspects – The 2019 Finance Bill has implemented under French law a specific tax regime for capital gains made upon the disposal of virtual assets by a natural person acting in the management of its private wealth.

Broadly speaking, this regime provides that:

• An exchange of a virtual asset against another virtual asset is not a taxable event;
• Gains or losses are only recognized in case of cash-out;
• The gross gain or loss is equal to the difference between the sale price of the virtual asset and a synthetic acquisition price determined as the product between (x) the total acquisition price of the taxpayer’s virtual assets portfolio and (y) the ratio between the sale price of the virtual asset on the total value of the taxpayer’s virtual assets portfolio;
• Gross losses made in a given year can offset gross gains made in the same year;
• The net gain is taxable at a flat 30% rate, of which 12.8% corresponds to personal income tax and 17.2% to social levies.

In addition, French tax law provides for a mandatory reporting mechanism whereby the taxpayer has to declare yearly the virtual assets accounts he/she owns when they are opened in a foreign institution. Failure to do so may result in a fine of 750 € by undeclared account or of 125 € by omission or error, up to 10.000 € by filing. These fines can respectively be increased to 1.500 € or 250 € when the fair market value of reportable accounts excesses 50.000 € at some point in the previous year.

Other regimes apply for capital gains made by natural persons acting in the course of their professional activities or by legal persons subject to French corporate income tax.

As part of the ongoing parliamentary discussions on the 2022 Finance Bill, some members of parliament have amended the draft bill in order to:

• Clarify the criteria to distinguish capital gains made by a natural person acting in the management of its private wealth from (i) capital gains made by natural persons acting in the course of their professional activities and (taxable as commercial income) and (ii) capital gains made by natural persons acting as if they were professional (taxable as non commercial income)
• Align the tax regime of capital gains made upon the sale of non-fungible tokens with the tax regime applicable to the capital gains made upon the sale of the underlying assets
• Allow natural persons acting in the management of their private wealth to opt for a taxation of their capital gains based on the progressive income tax scale rather than based on a flat 12.8% rate

8. Location of digital asset services – A decree dated 12 May 2021 has officially established that digital asset services are deemed provided in France where (i) the provider has facilities in France or (ii) the service was provided on the initiative of the service provider to clients residing or established in France. Aside this general principle, the decree provides for a list of more detailed criteria that entail a provision of digital asset services in France.

9. EU September 2020 proposals – Existing rules will likely be amended in the near future following proposals of the European Commission published in September 2020:

• The MiCA regulation proposal aims at establishing a European-wide definition of crypto assets (also addressing stablecoins and e-money tokens), a crypto asset service provider status (incl. a European passport regime) and an crypto asset issuer regime. These regimes will be mandatory.
• The Pilot regime regulation proposal will offer the possibility for actors of the security token market to apply for operating a DLT multilateral trading facility or DLT securities settlement system under specific favorable conditions (by applying for exemptions to regulatory requirements, including requirements arising out of the Central Securities Depositary Regulation), as long as they operate under certain thresholds.
• The DORA regulation proposal, that will apply to crypto asset service providers but also other types of regulated entities, will increase regulatory convergence in the area of information and communication technologies requirements.

Not per se, subject to applicable requirements described above (see in particular question 10). It is noteworthy that derivatives with an underlying crypto-currency can be classified as financial instruments. Platforms offering this type of product are investment services providers that must obtain a license and comply with all applicable obligations.

The phenomenon remains very limited both in terms of the number of companies that have raised funds and the amounts raised. As at January 2019, the AMF was aware of €89 million raised, for 83 ICOs or ICO projects, representing only 4% of equity financing and 0.75% of funds raised with ICOs worldwide.

More specifically, the first three ICO projects in France were carried out by Beyond The Void (€110,000), iEx.ec (raised US$ 12.5 million in less than three hours on 19 April 2017) and Domraider.

Since the launch of the AMF’s optional visa, only three companies in France used that possibility; (see question 10). A September 2021 parliamentary report took note of a current stagnation of the ICO market in France, in line with what can be observed at the international level.

The issuer may apply for the AMF’s optional visa (see question 10).

As mentioned above, there are several French actors operating in the cryptocurrency sector, and the latter has been encouraged with the PACTE law.

In practice, the parliamentary committee on cryptocurrency noted in 2018 that the phenomenon was rather limited in France because of the reluctance of banking institutions to open accounts for professionals and to provide them with cash. The major French exchange at the time of the committee’s report experienced several account closures and was subject to major restrictions on transaction flows by its bank. It can be noted that the PACTE Law since then has introduced a legal right to open a bank account, but only for registered or licensed PSANs or issuers having received an ICO visa (see above).

For its part, the AMF has issued several warnings about volatility risk and fraud. It has published a blacklist of cryptocurrency trading platforms and recommends turning to registered PSANs.

Several issues arising out of uncertainties on the applicable tax regime were also pointed out prior to the 2019 Finance Bill (see question 10).

1. DEEP – See question 5 for the legal regime applicable to minibonds and the transfer of certain securities based on the DEEP.

2. Security tokens – Security tokens are tokens (in the common sense, as opposed to the legal definition of Tokens in French law) that may be qualified as financial instruments under French law. As such, they are not a Token subject to the Digital Asset regime, but securities giving access to capital or debt securities. The AMF has identified a number of transactions and notes that in 2020 the trend towards STOs (Security Token Offerings) has largely supplanted that of ICOs. The aforementioned issue by Société Générale in 2019 involving bonds constitutes an STO.

This qualification implies, among other things, the application of the EU Prospectus Regulation and the application of the regime for investment services providers and financial advice providers for intermediaries.

In this context, French parliamentarians have raised the possibility of creating a new special regime for STOs in the face of the many difficulties summarized by the AMF in the aforementioned document. The European Commission published in September 2020 a proposal for a regulation on a pilot regime to this effect, following an ESMA notice published in 2019 (see question 10).

There are no major legal or regulatory issues identified in this respect.

At present, there is no legislation or case law on this matter. However, legal scholars have highlighted certain legal difficulties raised by smart contracts under French law:

• First of all, any contract must be subject to the law of a State – it cannot exist in autarchy and be subject only to the rules of a computer code.
• The question also arises as to whether a smart contract complies with the legal conditions for forming and concluding a contract. Scholars distinguish between two cases: either the smart contract is a simple form of execution of a separate and validly formed contract, or the smart contract is in itself the contractual relationship entered into.
  • Where the computer code forms in itself the agreement, it must comply with a contract’s conditions of validity under French law, i.e. capacity, consent (which presupposes the identification of the author) and a valid content. Issues in this respect include the necessity to have a computer code able to contain the entire content of the contract (which limits smart contracts to the simplest contracts in law), and situations where the law requires a contract to be in writing. Indeed, the blockchain is often deemed unsatisfactory under applicable regulations on electronic signatures, as the reliability presumption of the eIDAS Regulation will likely not apply. The 2018 parliamentary committee’s report thus recommended that regulations on electronic evidence and digital signatures be amended to give full probative value to the acts and information contained in the blockchain. With respect to the problems of enforcement and handling of breaches of contract, authors further note that there may be issues with untimely and disproportionate forced executions in the light of the proportionality control of Article 1121 of the French Civil Code, depending on how the code is designed.
  • It is also possible to use smart contracts as a means of executing a contract or part of a contract, which raises less issues. However, contract law continues to apply and some of its provisions should be reproduced in the code, such as exception of breach or formal notice before claiming damages.

Finally, in the absence of court rulings, legal scholars point out that one should be cautious as to the binding force to be given to any contracts concluded directly on the blockchain.

There are few public examples of existing smart contracts in France. Axa reportedly created with the start-up Utcoat a contract named Fizzy for handling flight compensation claims and based on Ethereum. However, this offer was withdrawn in 2019 on the basis of difficulties in selling this insurance policy and finding partners to commercialize it. Smart contracts will also play a leading role in the decentralized finance applications that become a growing focus of attention.

Not to our knowledge.

Given the recentness of the legal framework described above, there is mainly one decision of interest that can be highlighted. On 26 February 2020, the Commercial Court of Nanterre rendered a decision in a dispute between a French digital asset exchange platform that granted several loans of bitcoins to a British company between 2014 and 2016. The court qualified bitcoins as a fungible and consumable thing, added that loan contract to which they give rise are covered by French consumer loans provisions, and that such loan implies an obligation of restitution in nature, i.e. of the same kind and quantity. It ruled that the borrower is entitled to receive the proceeds of the loan, including Bitcoins cash considered as proceeds generated by the Bitcoins loaned, and does not have to return them.

Other decisions relate to questions arising out of a no longer applicable legal framework (including in tax matters).

1. Privacy and data protection: In France, the protection of personal data is governed by Regulation (EU) no. 2016/679 of 27 April 2016 (“GDPR”) and the law of 6 January 1978 n°78-17, as amended in 2018.

The French data protection supervisory authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”) issued an opinion regarding the compliance of blockchain technology in 2018, which underlines certain points regarding the main GDPR compliance challenges posed by blockchain technology, as follows:

• Personal data: two categories of personal data may be found in a blockchain: (i) participant (including miner) identifying information and (ii) additional personal data registered and stored in the blockchain. The CNIL states that ideally, personal data should be stored off the blockchain and that the blockchain should only contain information proving the existence of the data or a highly secure means of accessing it. Clear storage of data on the blockchain is nonetheless possible if no other solution can be implemented, when this is justified by the purpose of the processing and when a data protection impact assessment has shown that the residual risks are acceptable.
• Qualification of controller: the identification of a controller responsible for personal data processed on the blockchain is complex due to the diversity of actors involved in a blockchain and its decentralized nature. The CNIL considers that a participant with a right to write on the chain should be considered a controller. More specifically, the CNIL considers that the participant is a controller when, (i) he/she is a “natural person and that the processing of personal data is related to a professional or commercial activity (i.e. when the activity is not exclusively personal)”, e.g. a notary, or (ii) it is “is a legal entity which registers personal data in a blockchain”, e.g. a bank. Natural persons who enter personal data on the blockchain, and who do not act as part of a professional or commercial activity, are not controllers (pursuant to the “purely personal or household activity” exclusion set out in Article 2 of the GDPR). The European Data Protection Board (“EDPB”) has published updated guidance regarding the concepts of controllers and processors, and scope of their respective obligations under the GDPR (Guidelines 07/2020 on the concepts of controller and processor in the GDPR). The guidance, which emphasizes the requirement to properly attribute roles to the parties involved in data processing activities and to ensure that these roles are properly documented and responsibilities amongst parties attributed, should be taken into consideration by parties involved in the design and implementation of a blockchain.
• Subcontracting: according to the CNIL guidance, the following parties will be considered processors and subject to certain obligations under the GDPR: (i) the developer of smart contract who processes personal data on behalf of a controller (e.g. a software developer who offers a solution to an insurance company) and (ii) miners who validate personal data in the blockchain. Controllers and processors should execute a contract which specifies each party’s obligations and which reproduces the provisions of Article 28 of the GDPR. The CNIL acknowledges the practical difficulties that this may cause since it may be practically impossible for the controller, in a public blockchain, to enter into contractual relationships with all miners to control their data processing. The CNIL encourages stakeholders to use innovative solutions allowing them to ensure compliance with processors’ obligations under the GDPR.
• Principle of risk minimization: as part of the privacy by design obligation (Article 25 of the GDPR), the CNIL invites controllers to check whether the use of a blockchain is necessary to achieve the desired objective. Certain risks cannot be minimized, for example: transfers outside of the European Union, especially in public blockchains, because the controller has no control over the location of the miners, and over the data retention period which is equivalent to the life of the blockchain. In addition, some data cannot be minimized: each participant has an identifier which constitutes the public key to the participant’s account and which is always visible, as it is essential for the account functioning. It is also necessary to favor a blockchain that allows adequate governance of personal data, in particular to avoid transfers outside the EU unless such transfers can be subject to an appropriate legal framework, as set out in Chapter V of the GDPR. The European Court of Justice’s decision in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (Case C-311/18 – “Schrems II”), dated 16 July 2020, creates additional complexity in relation to international transfers of personal data, and therefore parties identified as controllers responsible for the processing of personal data on a blockchain should seek to clarify from the outset in which jurisdictions personal data may be processed and, if personal data will be moving outside the European Economic Area, to implement appropriate safeguards, or to restrict the flow of personal data altogether.
• Data subjects’ rights over their personal data: certain rights such as the right to information, access and data portability are compatible with the blockchain technical properties and controllers can comply with their obligations. However, the immutability of data stored in a blockchain makes deletion or rectification of such data very difficult to achieve without compromising the blockchain itself. Nevertheless, according to the CNIL, the controller has the possibility to use technical measures to make the data practically inaccessible, and therefore moves closer to an effective right to erasure.

The CNIL has been one of the first European data protection authorities to issue such an opinion, but considers that the challenges raised by this technology in terms of compliance with human rights and fundamental freedoms necessarily require a response at the European level.

On 24 July 2019, the European Parliament also published a study exploring the tension between blockchain technology and compliance with the General Data Protection Regulation.

According to the European Parliament, there is currently a lack of legal certainty as to how various elements of European data protection law ought to be applied to blockchain. The Parliament indicates that this could be addressed through regulatory guidance, self-regulatory codes of conduct and certification mechanisms, and further research into governance mechanisms.

2. Antitrust – As in all matters, anti-competitive practices are likely to occur on a blockchain, between the different actors and at different levels. However, competition law does not seem to pose a problem, except that problems of accountability may arise or for access to data by investigation services. On this subject, several legal commentators consider that the powers granted to them are sufficient to allow them to access encrypted information on a blockchain, particularly in the case of a private blockchain.

3. Insolvency Proceedings – French legal scholars highlight the difficulties arising out of smart contracts, given the fact that their automated enforcement may accelerate an entity’s difficulties and that they do not necessarily provide for insolvency measures (see also question 17).

A March 2021 joint report from the French regulators has pointed out that many actors of the crypto asset sector still face difficulties in opening a bank account in France, an issue that has been consistently raised in previous years, and which hampers the development of a French crypto asset ecosystem. The French banking federation has distanced itself from these findings.