Legal and IP News Technology Media Telecoms

EU Data Act requires smart contracts to have kill switch, not be permissionless

smart contract

Today the EU voted to pass the ‘Data Act’, which has a single clause directly addressing blockchain smart contracts. Many in the crypto community object to the requirement for a kill switch in smart contract code to stop the smart contract from functioning, mainly if there’s a problem. This impacts immutability. Oddly, there isn’t massive pushback against the other key requirement for access control mechanisms which goes against the permissionless nature of public blockchains.

However, the core of the Act is primarily targeted at the Internet of Things and data sharing for industrial purposes. The text was passed with 500 votes approving it and 23 against it. For the legislation to be finalized, it has to go through Europe’s cumbersome trilogue negotiations between Parliament, the Commission and the European Council that represents the individual states. So there’s still time for amendments.

Professor Thibault Schrepel, Co-Director of the Amsterdam Law & Technology Institute at VU Amsterdam, noted that the smart contract clause doesn’t define ‘smart contracts for data sharing’. If this is cleared up to apply for example to machine to machine (M2M) data sharing, then some of the other aspects of the clause might be less concerning.

He notes on Twitter that a key issue is who should have control over a smart contract kill switch. It could be the smart contract creator, some public authorities, or the courts. Our take is that, in practice, it makes sense to be the creator because the whole point is to be able to act in an emergency. This would have the side effect of making it hard to argue that the creator doesn’t control the smart contract, something protocol creators prefer not to have to argue they are decentralized. However, if the scope is M2M data sharing, control might not be as contentious. On the other hand, if it applied to DeFi, it could raise additional concerns.

Smart contracts and smart legal contracts are not necessarily one and the same, but the clause makes them equivalent. The legislation limits the scope stating that the smart contracts are “in the context of an agreement to make data available”. So it doesn’t necessarily imply that all smart contracts are smart legal contracts.

Text of Article 30:

Essential requirements regarding smart contracts for data sharing

The party offering smart contracts in the context of an agreement to make data available shall comply with the following essential requirements:

(a) robustness and access control: ensure that the smart contract has been designed to offer rigorous access control mechanisms and a very high degree of robustness to avoid functional errors and to withstand manipulation by third parties;

(b) safe termination and interruption: ensure that a mechanism exists to terminate the continued execution of transactions: the smart contract shall include internal functions which can reset or instruct the contract to stop or interrupt the operation to avoid future (accidental) executions; in this regard, the conditions under which a smart contract could be reset or instructed to stop or interrupted, should be clearly and transparently defined. Especially, it should be assessed under which conditions non-consensual termination or interruption should be permissible;

(ba) equivalence: a smart contract shall afford the same level of protection and legal certainty as any other contracts generated through different means.

(bb) protection of confidentiality of trade secrets: ensure that a smart contract has been designed to ensure the confidentiality of trade secrets, in accordance with this Regulation.

Image Copyright: artinspiring / 123rf