Written in collaboration with the Blockbar & Blockdam community (Dutch version)

This week, the international Financial Action Task Force will vote on the regulation of “virtual assets.” This is the story of how that boring subject may become one of the biggest privacy violations of our time.

The Financial Action Task Force (FATF) is an international body that regulates all kinds of matters in the fight against money laundering and the financing of terrorist organizations, currently overseen by the United States government. In the Netherlands, the Dutch Ministry of Finance is also part of this task force. Recently the forthcoming proposals have already been welcomed by the G20, meaning these proposals can become global standards.

At the moment, the FATF is discussing developments in cryptocurrency and blockchain technology. They’re evaluating proposals from various authorities to “guarantee effective regulation and supervision of virtual asset service providers or VASPs” — meaning every virtual asset transaction would require personal, identifiable information.

This is what it boils down to: The U.S. is pushing all countries in the world to a situation where every time you make a virtual or crypto transaction, your information — by definition — must be distributed to other players in the value chain.

That is a violation of international human rights agreements and our global human right to privacy.

According to Simon Lelieveldt, a regulatory adviser focused on fintech and blockchain:

Under UN Resolution RESOLUTION 28/16 (the right to privacy in the digital age), article 8.2 of the European Convention on Human Rights and the EU Court decision on data retention (ECLI:EU:C:2016:970), the EU understanding on mass surveillance of personal data of innocent persons is that it may very well violate the right to privacy in cases where surveillance is disproportional and there are no sufficient safeguards in place. However, the human right to privacy is often disregarded when nations develop anti-terrorist policies. Scientific evaluations of the implementation of such policies outline that social side effects, such as excessive reporting of transactions and privacy of citizens, are underreported in public discussions. Similarly, a recent dissertation in the Netherlands identified that, when applying the EU Court of Justice criteria to the European Anti-Money Laundering Directive, 17 infringements of human rights can be identified. This is exactly what is at stake with the recommendation phrased in paragraph 7b of an interpretative note for Recommendation 15 of the FATF. It requires all private sector entities to register and submit the names of the parties participating in a virtual asset transfer to all counterparts in the value chain. This is not based on suspicion of criminal behaviour, but required as a standard data export for all use cases and customers transferring virtual assets. The virtual assets are defined as all non-regulated digital representations of value which may be transferred or held: ‘..countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”. As such, the rule effectively requires private sector market players to develop a messaging system (and adapt internal systems) that ensures future blockchain applications also function as a structure of mass surveillance. … The proposed rule constitutes an unnecessary measure that brings personal data of innocent people into the public domain, without any further proper guarantees for its treatment. The rule has met with very heavy push back during a private sector consultation (in Spring 2019) due to its incompatibility with privacy laws and its unclear definition. The FATF members did not take this into account.”

It is no coincidence that these proposals are being pushed after the United States took over leadership of the FATF this year. This is one of their publicly stated priorities for the task force:

“During the U.S. Presidency, the FATF will also embark on a new project that focuses on investigative best practices on virtual currency to support law enforcement. The project will identify relevant tools to support criminal investigations involving virtual currency payment products and services as well as identifying technological or other limitations which hinder effective investigations.”

The core of the privacy violation is the recommendation that all VASPs of so-called virtual assets (e.g. custodial wallets) must collect and exchange information about their users. Furthermore, this proposal states that the data of all parties in the entire chain of transfers and transactions must be available. In the case of private individuals, this would override the personal data and privacy principles of the GDPR.

Anyone who thinks this only concerns digital money and cryptocurrency is sorely mistaken.

Back in February 2019, the FATF held a plenary meeting on this matter. The transcript of the meeting revealed that the term ‘virtual asset’ was used to ‘prevent the impression that a legal tender is involved’ (sic). This way, the proposal can move forward without using the terms “virtual currency” or “cryptocurrency,” and the term “virtual assets” becomes fully interpretive.

For example, are the contents of a private Facebook message a “virtual asset”?

A draft interpretative note was issued for consultation with the market. This defined virtual assets as all representations of digital value that do not fall within financial products legislation.

… countries should consider virtual assets as “property,” “proceeds,” “funds”, “funds or other assets,” or other “corresponding value”

In the broadest interpretation, any digital ‘thing’ that can change ownership is a virtual good. Cryptocurrency, but also an avatar in a game and so-called “virtual twins” of physical goods in the ‘real’ world. This would also include frequent flyer miles and loyalty points, as well as other tokens to be traded in the future, such as energy tokens, which represent a certain value.