Jago Grahak Jago

What general regulatory issues should users of a blockchain application consider when using a particular blockchain/distributed ledger protocol?

As mentioned in question 1.1, the RBI has issued several cautionary advisories in the form of press releases (issued on 24 December 2013, 1 February 2017 and 5 December 2017) to users, holders, investors, traders and similar parties that deal in virtual currencies, highlighting the potential financial, operational, legal, customer protection and security-related risks associated with dealing in virtual currencies.

In its press releases, the RBI highlighted the following risks:

  • The electronic wallets in which virtual currencies are digitally stored are prone to losses due to hacking, malware attacks and so on. As virtual currencies are not traded through an authorised central agency, the loss of an electronic wallet could result in the permanent loss of the virtual currency stored therein.
  • Users of blockchain-based applications should be mindful not to transact using virtual currencies or engage with entities within the RBI’s regulatory supervision, such as banks and financial institutions, in connection with virtual currencies. As payment of virtual currencies over such applications takes place on a peer-to-peer basis, without regulation by an authorised central agency, customers may have no recourse in case of problems or disputes.
  • There have been media reports of the use of virtual currencies for illicit and illegal activities in various jurisdictions. The absence of information of counterparties in peer-to-peer anonymous/pseudonymous systems could subject them to unintentional breaches of laws relating to anti-money laundering and counter-terrorist financing.

However, the above issues are relevant only in the case of virtual currencies. For applications other than virtual currencies, organisations using blockchain technology should be cognisant of the regulatory framework that governs the use of technology over the Internet and the sectoral regulations that may apply to the deployment of such technology, keeping in mind the sector in which it is proposed to be implemented.

In this regard, the Information Technology Act, 2000 and rules framed thereunder (including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’)) not only provide legal recognition and protection for transactions carried out through electronic data interchange and other means of electronic communication, but also contain provisions which are aimed at safeguarding electronic data, information and records, and preventing unauthorised or unlawful use of a computer system.

While compliance with the requirements stipulated under the IT Act and the rules framed thereunder (including the SPDI Rules) could pose practical challenges in implementation, due to the decentralised nature of blockchain technology (as there is usually no controlling ‘body corporate’ to hold accountable for adherence to the data privacy and cybersecurity framework), it is advisable that users of blockchain technology:

  • implement reasonable security practices and procedures with respect to the collection, handling and sharing of personally identifiable data or information, in conformity with the SPDI Rules; and
  • build a robust governance framework that is designed to mitigate cybersecurity risks.