The Markets in Crypto Assets Regulation; Regulation (EU) 2023/1114 (hereinafter referred to as ‘MiCA’), includes some interesting statements in its recitals which, albeit their concise nature, could prove to have substantial effects on the application and interpretation of the regulation. For the purposes of this opinion-piece, I shall be focusing on Recital 22 namely, the penultimate statement contained therein:
“Where crypto-assets have no identifiable issuer, they should not fall within the scope of Title II {Crypto-Assets Other Than Asset-Referenced Tokens Or E-Money Tokens}, III {Asset-Referenced Tokens}or IV {E-Money Tokens} of this Regulation”
In attempting to deduce the actual interpretation of this ambiguous yet, potentially pivotal statement included in MiCA, I came across numerous posts (mainly on social media platform such as X), that took the above at face value and were advocating for the following (paraphrased) interpretation:
“This means that if the developers or participants of a project issuing a crypto asset operate & market their project via discord, telegram and X through pseudonyms, the corresponding crypto assets would not fall within the scope of Title II, III or IV of MiCA”.
In my opinion, this line of argumentation is overly simplistic in nature and fails to adequately address or consider the complexities and legal nuances that such a statement has presented. Thus, I will be providing my view on the matter based on publicly available EU legislation which the legislator could potentially use to clarify the matter in the future.
Thanks for reading Joseph’s Substack! Subscribe for free to receive new posts and support my work.
In deciphering Recital 22 of MiCA and assessing what the legislator could potentially mean by the penultimate statement included therein, I will be making reference to the General Data Protection Regulation; Regulation (EU) 2016/679 (hereinafter referred to as the ‘GDPR’) since, it provides valuable insight in relation to the statement posed above .
The GDPR does not explicitly define the term "identifiability" in its text. However, it provides a framework for understanding when data is considered personally identifiable information (PII) or "personal data" under its provisions (specifically Article 4 et seq). The concept of identifiability is a fundamental aspect of the GDPR, as it is a determining factor when assessing whether data falls within the scope of the regulation. Personal data is defined by the GDPR as follows (I will be highlighting key prongs relevant to our assessment in the quoted text, potentially resulting in most of the quoted text being highlighted):
“ ‘personal data’ means any information relating to an identifiedor identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
A notable mention (and one which is very relevant in consideration of the founding principles of the crypto asset industry), is the GDPR’s reference to pseudonyms/psudonymisation and the corresponding effects of whether this would result in one being identifiable or otherwise. Recital 26 states the following;
“Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person”
With the abovementioned principles from the GDPR in mind, let’s now assess the identifiability criterion under MiCA and attempt to establish when one can be deemed to be unidentifiable as per Recital 22.
a. Direct Identifiability: This occurs when information explicitly identifies an individual, such as their name, ID number, or contact details. For example, if a cryptocurrency issuer's (natural or legal person) full legal name and contact information are publicly available, this would constitute direct identifiability.
b. Indirect Identifiability: Even if data does not directly reveal a person's identity, it may still be considered personal data if it can be combined with other information to identify someone. This is often referred to as the "singling out" or "linkability" criterion. For example, if the cryptocurrency issuer's pseudonymous address can be linked to their identity through additional data sources, it may be considered indirectly identifiable. This could potentially be the case where the issuer uses pseudonyms to market or post updates in relation to the issuance of a crypto asset, with the pseudonym-account capable of being linked via an IP Address to the issuer’s physical location (for example).
c. Pseudonymous Data: The GDPR recognizes that data may be pseudonymous, meaning it is processed in a way that cannot be attributed to a specific individual without additional information. Pseudonymous data is still considered personal data if the additional information needed for identification is reasonably accessible or likely to be obtained.
Applying this understanding to the penultimate statement of Recital 22, it suggests that MiCA may not apply to crypto-assets where the issuer's identity cannot be established (directly or indirectly and taking into account different types of linkers such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons) or where the issuer is anonymous. However, this interpretation would depend on various factors:
In conclusion, one cannot evade the applicability of the provisions of MiCA by simply utilizing pseudonyms via Discord, Telegram or X in issuing a particular crypto asset; especially one which would trigger legal and/or regulatory implications under Titles II {Crypto-Assets Other Than Asset-Referenced Tokens Or E-Money Tokens}, III {Asset-Referenced Tokens} or IV {E-Money Tokens}. It is thus my personal view (at this point in time without further clarification from ESMA or the EBA), that what the legislator potentially means by ‘no identifiable issuer’ is an anonymous issuer i.e. one who is not identified, or identifiable due to there being no additional information (list previously mentioned) relating to such issuer.
Where there is this additional information relating to the issuer of crypto assets, even if using a pseudonym, which would render the particular person to be identifiable (such as location data, name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural person), then it is my view that such a person is identifiable, albeit them using a pseudonym such as 0xCerealBox. This would thus result in MiCA still being applicable to the issuance of a crypto asset issued by 0xCerealBox and, correspondingly, result in a breach of MiCA should 0xCerealBox trigger any of MiCA’s regulatory implications without getting prior authorization (if applicable in light of the crypto assets to be issued).
The information provided in this legal blog post is intended for general informational purposes only and should not be construed as legal advice. The content is not intended to create an attorney-client relationship, and you should not rely on it as a substitute for professional legal advice tailored to your specific situation.