MiCA & Unidentifiable issuers of crypto assets

The Markets in Crypto Assets Regulation; Regulation (EU) 2023/1114 (hereinafter referred to as ‘MiCA’), includes some interesting statements in its recitals which, albeit their concise nature, could prove to have substantial effects on the application and interpretation of the regulation. For the purposes of this opinion-piece, I shall be focusing on Recital 22 namely, the penultimate statement contained therein:

“Where crypto-assets have no identifiable issuer, they should not fall within the scope of Title II {Crypto-Assets Other Than Asset-Referenced Tokens Or E-Money Tokens}, III {Asset-Referenced Tokens}or IV {E-Money Tokens} of this Regulation”

In attempting to deduce the actual interpretation of this ambiguous yet, potentially pivotal statement included in MiCA, I came across numerous posts (mainly on social media platform such as X), that took the above at face value and were advocating for the following (paraphrased) interpretation:

“This means that if the developers or participants of a project issuing a crypto asset operate & market their project via discord, telegram and X through pseudonyms, the corresponding crypto assets would not fall within the scope of Title II, III or IV of MiCA”.

In my opinion, this line of argumentation is overly simplistic in nature and fails to adequately address or consider the complexities and legal nuances that such a statement has presented. Thus, I will be providing my view on the matter based on publicly available EU legislation which the legislator could potentially use to clarify the matter in the future.

Thanks for reading Joseph’s Substack! Subscribe for free to receive new posts and support my work.

Identifiability

In deciphering Recital 22 of MiCA and assessing what the legislator could potentially mean by the penultimate statement included therein, I will be making reference to the General Data Protection Regulation; Regulation (EU) 2016/679 (hereinafter referred to as the ‘GDPR’) since, it provides valuable insight in relation to the statement posed above .

The GDPR does not explicitly define the term "identifiability" in its text. However, it provides a framework for understanding when data is considered personally identifiable information (PII) or "personal data" under its provisions (specifically Article 4 et seq). The concept of identifiability is a fundamental aspect of the GDPR, as it is a determining factor when assessing whether data falls within the scope of the regulation. Personal data is defined by the GDPR as follows (I will be highlighting key prongs relevant to our assessment in the quoted text, potentially resulting in most of the quoted text being highlighted):

“ ‘personal data’ means any information relating to an identifiedor identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

A notable mention (and one which is very relevant in consideration of the founding principles of the crypto asset industry), is the GDPR’s reference to pseudonyms/psudonymisation and the corresponding effects of whether this would result in one being identifiable or otherwise. Recital 26 states the following;

“Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person”

Deciphering the identifiability criterion under MiCA by implementing the GDPR’s principles

With the abovementioned principles from the GDPR in mind, let’s now assess the identifiability criterion under MiCA and attempt to establish when one can be deemed to be unidentifiable as per Recital 22.

  1. Definition of Personal Data: Under the GDPR, personal data is defined as any information relating to an identified or identifiable natural person (data subject). This definition is intentionally broad and encompasses a wide range of information, both direct and indirect, that could be used to identify an individual.
  2. Identifiability Criteria: Identifiability depends on whether a person can be directly or indirectly identified from the data in question. Several factors contribute to identifiability:

a. Direct Identifiability: This occurs when information explicitly identifies an individual, such as their name, ID number, or contact details. For example, if a cryptocurrency issuer's (natural or legal person) full legal name and contact information are publicly available, this would constitute direct identifiability.

b. Indirect Identifiability: Even if data does not directly reveal a person's identity, it may still be considered personal data if it can be combined with other information to identify someone. This is often referred to as the "singling out" or "linkability" criterion. For example, if the cryptocurrency issuer's pseudonymous address can be linked to their identity through additional data sources, it may be considered indirectly identifiable. This could potentially be the case where the issuer uses pseudonyms to market or post updates in relation to the issuance of a crypto asset, with the pseudonym-account capable of being linked via an IP Address to the issuer’s physical location (for example).

c. Pseudonymous Data: The GDPR recognizes that data may be pseudonymous, meaning it is processed in a way that cannot be attributed to a specific individual without additional information. Pseudonymous data is still considered personal data if the additional information needed for identification is reasonably accessible or likely to be obtained.

Applying this understanding to the penultimate statement of Recital 22, it suggests that MiCA may not apply to crypto-assets where the issuer's identity cannot be established (directly or indirectly and taking into account different types of linkers such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons) or where the issuer is anonymous. However, this interpretation would depend on various factors:

  • If the issuers are truly anonymous, and their identity cannot be reasonably ascertained even with additional information, the GDPR's concept of identifiability may not be met, and MiCA might indeed not apply to the crypto assets issued by such an issuer. However, in line with the GDPR’s principles on the matter, the onus for one to be anonymous and thus, un-identifiable, is high given that there must be no information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
  • If the issuers are pseudonymous, and there are means to reasonably identify them through additional information or if they can be linked to individuals through their actions or transactions, the GDPR's criteria for identifiability would apply, and MiCA may still have relevance in relation to the crypto assets so issued by the person/s.

Conclusion

In conclusion, one cannot evade the applicability of the provisions of MiCA by simply utilizing pseudonyms via Discord, Telegram or X in issuing a particular crypto asset; especially one which would trigger legal and/or regulatory implications under Titles II {Crypto-Assets Other Than Asset-Referenced Tokens Or E-Money Tokens}, III {Asset-Referenced Tokens} or IV {E-Money Tokens}. It is thus my personal view (at this point in time without further clarification from ESMA or the EBA), that what the legislator potentially means by ‘no identifiable issuer’ is an anonymous issuer i.e. one who is not identified, or identifiable due to there being no additional information (list previously mentioned) relating to such issuer.

Where there is this additional information relating to the issuer of crypto assets, even if using a pseudonym, which would render the particular person to be identifiable (such as location data, name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural person), then it is my view that such a person is identifiable, albeit them using a pseudonym such as 0xCerealBox. This would thus result in MiCA still being applicable to the issuance of a crypto asset issued by 0xCerealBox and, correspondingly, result in a breach of MiCA should 0xCerealBox trigger any of MiCA’s regulatory implications without getting prior authorization (if applicable in light of the crypto assets to be issued).

The information provided in this legal blog post is intended for general informational purposes only and should not be construed as legal advice. The content is not intended to create an attorney-client relationship, and you should not rely on it as a substitute for professional legal advice tailored to your specific situation.