NFT giant OpenSea reported a large-scale email data breach at the end of June 2022. OpenSea, a US-based company valued at $13.3 billion in April 2022, is the largest trading platform for NFTs (non-fungible tokens); over 1.8 million users made an NFT purchase via Ethereum in June 2022. The breach occurred after an employee of OpenSea's third-party email vendor misused their access to download user email addresses and share them with an outside party. Any OpenSea user who has ever shared their email address with the platform could be affected, so the breach is expected to reach millions of people. The immediate risk to those users is targeted phishing: emails that impersonate OpenSea in order to get the recipient to sign a malicious transaction or reveal their wallet seed phrase.
We consider the impact of the breach below from the perspective of UK data protection law.
What is an NFT?
An NFT or ‘non-fungible token’ is a token recorded on a blockchain that is linked to a digital asset. NFTs can be bought and sold in a digital environment but have no physical form. The token acts as a digital receipt for a non-fungible (unique, non-interchangeable) item and is the means by which ownership is determined. An ordinary digital file, such as an image found through a Google search, can be copied any number of times, and the copies are indistinguishable from the original; the NFT does not prevent that copying. What it provides is a unique, verifiable record of who holds the token that points to the asset.
Unlike ownership records for physical property, NFT ownership records are stored on a blockchain, most commonly Ethereum. Those records are very hard to alter retrospectively because each block contains a hash of the block before it and copies of the ledger are held by thousands of computers around the world: changing one record would break the link to every later block and the altered copy would be rejected by the other participants. A blockchain is therefore a shared, append-only ledger for recording data and transactions and for tracking assets. NFTs and blockchains are relatively new, and such developments bring new data protection and cyber security challenges that must be considered.
NFTs and the risk to data protection
Most transactions within NFT marketplaces are paid for in cryptocurrency, such as ether on the Ethereum network or Bitcoin, which presents regulatory challenges. While some platforms accept traditional forms of payment, NFT transactions are primarily funded from crypto wallets. Cryptocurrency is lightly regulated and, on public blockchains, pseudonymous rather than anonymous: transactions are publicly visible and can be traced between wallet addresses, but a wallet address is not by itself tied to an identified person. That makes it difficult to identify a responsible party against whom data protection obligations can be enforced when personal data is mishandled.
When handling cryptocurrency, exchanges can be centralised or decentralised. A centralised exchange is a platform on which users can buy or sell digital assets, and a third party (a central authority) operates the platform, holds users' assets and monitors transactions. Centralised exchanges require users to submit their personal or business information, typically for identity verification.
A decentralised exchange has no central authority: users keep custody of their own funds, and trades are settled on the blockchain by smart contracts that hold the assets (or proxy tokens representing them) in escrow until both sides of a peer-to-peer trade have been delivered. For some users the decentralised model is appealing because no identity need be disclosed; however, trends show that the average user prefers centralised services such as OpenSea. The presence of a central authority can provide comfort to purchasers and sellers alike.
The UK General Data Protection Regulation (“UK GDPR”) applies to the processing of personal data by organisations established in the UK and, under Article 3, to organisations outside the UK that offer goods or services to, or monitor the behaviour of, individuals in the UK. That brings NFT marketplaces, and the personal data written to blockchains (a wallet address can itself be personal data where it can be linked to an individual), within its scope. Decentralised blockchain NFT marketplaces, however, are not always closely aligned with the requirements of the UK GDPR. An example of this is the “right to be forgotten”, or right to erasure, under Article 17 of the UK GDPR. While this right is not absolute, it sits uncomfortably with an immutable ledger: data written into a block cannot be deleted without invalidating every block that follows it, and no single participant has the authority to rewrite the ledger. Because the right is not absolute, using a blockchain is not in itself a breach of the UK GDPR, but it is important to consider the tension points and the potential for conflict that may arise in the future. Users should also carefully consider any potential risks to their data.
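To make the tension between the immutable ledger described above and the right to erasure concrete, here is an added example written for this page; it is not OpenSea's or any marketplace's code. It builds a minimal hash-linked ledger, shows that a record containing an email address cannot simply be overwritten once written (the edit breaks verification of every later block), and then shows one common design pattern, assumed here rather than taken from the text, in which the ledger holds only a salted hash (commitment) of the personal data while the erasable record lives off-chain. The chain layout, the `alice@example.com` record and the hypothetical `kyc` event are constructed sample data.

```python
import hashlib
import json
import os

ZERO_HASH = "0" * 64


def canonical(obj) -> bytes:
    # Canonical JSON so that every node derives the same digest for the same data.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def block_hash(block: dict) -> str:
    return hashlib.sha256(canonical(block)).hexdigest()


def append_block(chain: list, payload: dict) -> dict:
    # Each block commits to the hash of its predecessor; that link is what makes
    # the ledger append-only in practice.
    prev_hash = block_hash(chain[-1]) if chain else ZERO_HASH
    block = {"index": len(chain), "prev_hash": prev_hash, "payload": payload}
    chain.append(block)
    return block


def verify_chain(chain: list) -> bool:
    # Every node can recompute this independently; a copy whose links do not
    # match is rejected, which is why no single party can rewrite history.
    expected_prev = ZERO_HASH
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != expected_prev:
            return False
        expected_prev = block_hash(block)
    return True


def naive_chain() -> list:
    # Constructed sample: the personal data is written straight into the ledger.
    chain = []
    append_block(chain, {"event": "mint", "token": "T-1"})
    append_block(chain, {"event": "kyc", "email": "alice@example.com"})
    append_block(chain, {"event": "transfer", "token": "T-1", "to": "0xB0B"})
    return chain


def redact_block(chain: list, index: int, new_payload: dict) -> list:
    # Attempt an Article 17 erasure by overwriting one block in place.
    # Later blocks still reference the hash of the original block, so the
    # edited copy no longer verifies.
    edited = [dict(b) for b in chain]
    edited[index] = {**edited[index], "payload": new_payload}
    return edited


def commitment(salt: bytes, record: dict) -> str:
    # A salted hash of the off-chain record. The salt stops anyone who can
    # guess the email address from confirming it against the on-chain value.
    return hashlib.sha256(salt + canonical(record)).hexdigest()


def offchain_design():
    # Constructed sample of the alternative (assumed pattern): the ledger holds
    # only a commitment, the erasable record lives in an ordinary off-chain store.
    store = {}
    chain = []
    append_block(chain, {"event": "mint", "token": "T-1"})
    salt = os.urandom(16)
    record = {"email": "alice@example.com"}
    c = commitment(salt, record)
    store[c] = {"salt": salt, "record": record}
    append_block(chain, {"event": "kyc", "commitment": c})
    append_block(chain, {"event": "transfer", "token": "T-1", "to": "0xB0B"})
    return chain, store, c


def erase_offchain(store: dict, c: str) -> bool:
    # Erasure deletes the record and its salt; the on-chain commitment becomes
    # an unlinkable random-looking value and the chain itself is untouched.
    return store.pop(c, None) is not None


if __name__ == "__main__":
    chain = naive_chain()
    print("naive chain verifies:", verify_chain(chain))
    edited = redact_block(chain, 1, {"event": "kyc", "email": "[erased]"})
    print("after in-place erasure verifies:", verify_chain(edited))
    chain2, store, c = offchain_design()
    erase_offchain(store, c)
    print("off-chain design verifies after erasure:", verify_chain(chain2))
```

The off-chain pattern does not make the commitment disappear from the ledger; it relies on the salt being deleted together with the record so that the remaining hash can no longer be tied to the individual. Whether that satisfies a particular erasure request is a legal judgement, which is precisely the tension point the paragraph above describes.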
A Cyber Security Risk?
In general, services that use cryptocurrency, such as Bitcoin, are becoming increasingly attractive to cyber criminals because of the high financial reward and the potential for anonymity. Decentralised blockchain start-ups, meanwhile, raise the data protection compliance concerns discussed above, which is one reason more users are opting for centralised services.
While centralised platforms have been seen as more reliable because of the presence of a central authority, the recent OpenSea breach highlights that centralisation also concentrates personal data: individuals operating within a centralised platform, including staff of its suppliers, have access to significant amounts of it, and a single misuse of that access can expose every user. While policies to protect personal data are constantly evolving, the OpenSea breach highlights the risk of personal data being leaked from centralised platforms. Following the breach, OpenSea reviewed its security policies and introduced controls that let users reduce the amount of data held about them and the length of time for which it is held. Those using such platforms should nevertheless consider how far they can reduce the personal data they provide (for example, by using a dedicated email address for the platform, which also makes phishing emails easier to spot) while still enjoying the many exciting features the world of NFTs can provide.
If you require any advice in relation to data protection compliance, please contact a member of our specialist Data Protection & Cyber Security team.