EU Data Act smart contract ‘kill switch’ brings uncertainty

On June 28, the European Council and Parliament achieved a political consensus on the Data Act, which moves the legislation regarding non-personal data closer to fruition.

Thierry Breton, European Union commissioner for the internal market, described the agreement in an X post as a “milestone in the reshaping the digital space.”

The Data Act complements the Data Governance Act of November 2020 by clarifying who can create value from data and under which conditions. It stems from the European Strategy for Data, announced in February 2020, which also aims to position the EU as a regulatory frontrunner in the era of data-driven society.

The Data Act is part of the European Commission’s wider data strategy aimed at making Europe a global leader in the data-agile economy. In simple terms, the Data Act proposes new rules on who can access and use data generated in the EU across all economic sectors.

For the Data Act to become law, it must be approved by a vote of the European Parliament and the Council, which represent the bloc’s 27 member states. And once again, as with the Markets in Crypto-Assets (MiCA) regulation, the crypto sector is facing a major challenge. The problem raised by the new EU data law could permanently change the use of smart contracts in the European Economic Area (EEA), and not for the better.

Smart contract “kill switch”

The blockchain community is largely concerned about one provision in the Data Act, namely that automated data-sharing agreements contain a “kill switch” by which they could be terminated or halted in the event of a security breach.

Many blockchain experts contend that the current definition of smart contracts in the Data Act is broad, fearing it may lead to unintended consequences for existing smart contracts on public blockchains. For example, the text of the upcoming law doesn’t distinguish between ordinary digital contracts and smart contracts utilizing distributed ledger technology.

But above all, the Data Act supposedly doesn’t give clear details about the conditions under which the safe termination or interruption (the kill switch) should occur, which makes it hard to predict the potential outcomes with any degree of certainty. Smart contract architecture often doesn’t allow for termination or interruption, as blockchain technology is praised for being immutable and irreversible.

The Data Act also doesn’t say exactly what a “data sharing agreement” is, and it doesn’t explain if the smart contracts currently ubiquitous in Web3 applications follow these kinds of agreements.

“By design, most of smart contracts don’t offer a termination or interruption feature and are often un-upgradable to ensure higher levels of protection from abusive behaviors,” Marina Markežič, executive director and co-founder of European Crypto Initiative, told Cointelegraph.

“The fact that smart contracts lack such features puts their use and development at risk. They may be perceived as inconsistent with regulatory requirements.”

Erwin Voloder, head of policy at the European Blockchain Association, told Cointelegraph that Article 30 of the Data Act applies when parties agree to share data using a smart contract, and this contract follows the rules. It should be fine if it’s only for that situation, especially when used on a controlled network where the Data Act’s safety stop can be used.

“The problem is if the scope of Article 30 were to be extended beyond the application of smart contracts in this narrowly defined context, and on public permissionless networks. It becomes not only problematic but almost impossible for such protocols to comply,” he said.

Per Voloder, another concern is whether these rules could spill over into decentralized finance (DeFi). “As we do not have a DeFi regulation, this is a question that will need an answer over the next 18 months as the EC prepares its position on DeFi.”

Moreover, errors can arise in kill switches because of human mistakes, and in smart contracts in general, “as they are rigid, bounded information environments.” This rigidity, plus an automatic feature that triggers a certain outcome following strict rules, could lead to issues like locking up assets, shutting down protocols or even losing funds and important data, said Voloder.

A lot of uncertainty

The Data Act has rules for vendors of an app using smart contracts, or for people whose business involves deploying smart contracts.

According to Markežič, the Data Act might cause such vendors and deployers to be more cautious and consider whether their smart contracts in any way contain a data-sharing agreement. Apps might need to change how they work to meet these rules if their smart contracts share data.

But first, it’s crucial to understand who exactly needs to follow these rules, Markežič said:

“Is the regulation even targeted toward DeFi platforms and protocols? […] It should be clarified under what circumstances the ‘access control’ is provided, what, who, why and how the ‘safe termination or interruption’ measure is triggered and how protocols prevent further abusive behavior thereof.”

Markežič stated that, in the past, some changes and terminations were made on a protocol layer as part of the overall governance mechanisms. 

A kill switch on the level of a smart contract might lump projects and individuals into “a single point of failure, prescribed by the regulators.”

Therefore, it’s critical that regulators clarify who has the power to use this kill switch.

Crypto community across the globe reacts

The crypto community has already proposed some alternative solutions to bring more legal clarity to smart contracts.

In April 2023, Polygon penned an open letter suggesting how to improve Article 30, stating that lawmakers could apply these rules to enterprises only, excluding software and developers, and make clear that smart contracts aren’t “agreements” in and of themselves.

More recently, the European Crypto Initiative and numerous organizations, such as Stellar, Iota, Polygon, Near, Coinbase, Cardano and ConsenSys, have signed an open letter voicing their concerns regarding the Data Act and calling on lawmakers to reconsider and clarify certain aspects.

They argued that the Data Act could potentially clash with the recently agreed MiCA regulation. MiCA, which will come into force in 2024, provides a license for crypto exchanges and wallet providers to operate throughout the EU. 

They further claim that European lawmakers deliberately sidestepped the more complex issue of decentralized financial regulation, an issue the Commission will need to revisit in the coming years.

More harm than good?

The trialogue on the Data Act has been completed, and this means that the text has reached its final version and is likely to be enacted in its current form.

According to Markežič, the new law could affect the European crypto industry and businesses that want to operate in the EU. The Data Act doesn’t give clear details about which use cases the new rules apply to, she said, and that makes the whole industry unsure about what to expect. And this is just the first step in the direction of regulating smart contracts, setting a precedent for forthcoming actions, she said.

The next important step for the community is to work closely with European standardization groups. These groups are responsible for creating the standards that vendors and developers of smart contracts should follow when making agreements to share data, especially given that these vendors will need to make sure their smart contracts broadly align with the scope of Article 30.

According to Voloder, if the Data Act is extended to public networks, it could mean companies leaving the EU, at worst, and “otherwise being pigeonholed into a narrow development trajectory of smart contracts in the best case.”

“The result is capital flight, stifled innovation and a floundering blockchain industry in Europe. At a time when Europe is at the vanguard of the regulatory apex, the timing of such an outcome would be most inopportune.”