Image: Dolce & Gabbana

From DKNY’s newly reimagined logo, which exists purely as a non-fungible token – or “NFT” – to Dolce & Gabbana’s recent debut of NFTs that digitally embody a number of pieces that went down the runway during its Collezione Genesi couture show last month, luxury brands have not let up on the tech craze that is readily “drawing the crypto community,” including “deep-pocketed cryptocurrency investors, who spend large sums” on these digital assets in the fashion sphere, per British Vogue. In fact, NFTs – which consist of sets of data stored on a blockchain that can be tied to physical or digitals assets – have taken the fashion industry by storm. 

As NFTs have begun gaining in general visibility and in some cases, have given rise to eye-wateringly expensive displays of demand, an array of legal questions have come into fruition – from inquiries about ownership of the intellectual property rights in the underlying work (usually, the creator retains those rights) and infringement-related issues in cases when a brand’s trademark rights, for instance, are used in a third-party-created NFT without authorization to questions about whether NFTs will be treated as digital asset securities and thus, be subject to regulation by the U.S. Securities and Exchange Commission. 

These issues and many others – which are largely novel in nature given that “NFTs do not necessarily fit neatly into existing regulatory frameworks and neither does the blockchain they live on,” according to Versteeg Wigman Sprey attorney Jetse Sprey – have been covered by the media (and this site) with quite a bit of frequency. 

One legal angle that has not been considered with quite as much frequency to date is what the General Data Protection Regulation (“GDPR”) means for the burgeoning field of NFTs. Implemented across the European Union in May 2018, the GDPR is a sweeping privacy and security law that requires businesses to “protect the personal data and privacy of EU citizens for transactions that occur within EU member states.” To date, a lot of the discussion around the GDPR, at least when it comes to fashion brands and retail entities more generally, has centered on their use of consumer data in connection with their personalized marketing efforts, including email ad campaigns. 

However, GDPR is “technologically neutral, which means that compliance must be ensured whenever personal data of natural persons is processed in a structured manner” (assuming one of the parties has an establishment within the EU, or personal data of data subjects located in the EU is processed by the blockchain), and given that “the material scope of the GDPR is also applicable to the blockchain whenever personal data of a natural person is processed.” As such, Schoenherr attorneys Veronika Wolfbauer and Peter Ocko assert that brands need to ensure that they are in compliance with the robust privacy law in furtherance of their practice of offering up NFTs.  

Interestingly, Wolfbauer and Ocko assert that over the last couple of years, before The Fabricant’s nearly-$10,000 dress, Gucci’s film, Rimowa travel-inspired objects, and “Baby Birkin” NFTs took the market by storm, “Certain tensions between blockchain technologies and the GDPR have been discussed,” tensions that very well could apply to the enduringly relevant market for NFTs. One such tension stems from the core benefit inherent in the operation of blockchain: immutability – or in other words, the ability for a blockchain ledger by virtue of its construction to remain a permanent, indelible, and unalterable history of transactions, including the parties to such transactions. 

(According to researchers/academics Raja Jurdak, Ali Dorri, and Salil Kanhere, “The blockchain ledger is organized into blocks, where each block is linked to the previous block through cryptographic hash functions. These functions create a short code based on the content of the previous block, and it is not possible to guess this code without trying all possible codes. Chaining the blocks in this manner ensures that the data stored in them cannot be altered, as any changes made would break the blockchain consistency.”)

While blockchain ensures immutability, article 17 of the GDPR generally mandates the so-called “right to be forgotten,” in which an individual has the right to have his/her data deleted (or corrected) in certain situations. Hence, the seeming clash, which, at least some experts assert may be an unavoidable conflict between blockchain (and thus, NFTs) and the GDPR. 

Not all experts share this same view. Mr. Sprey, for example, says that “at first glance, the right to be forgotten seems to be fully incompatible with blockchain” – and NFTs by extension. However, he aptly notes that “the right to be forgotten is not an absolute right.” If that was the case, he says, “That would have meant the end of all blockchains storing personal data, which is the vast majority of them.” 

Silvan Jongerius, who is the Managing Partner of privacy consultancy TechGDPR, echoes this notion, stating that while there is a potential problem in terms of blockchain compliance with the GDPR, it is not without nuance – or potential solutions. Among other things, he notes that “blockchain is not always strictly immutable, [as] even in the first-generation protocol of Bitcoin, there is a technical method to delete certain data from the chain” without destroying the blockhain as a whole. So far, this has not been implemented, “but there is a methodology to achieve this without breaking the system.” 

Still yet, Jongerius asserts that “definition of personal data is still not 100 percent clear,” thereby, making it difficult to establish if, for example, “hashed information is pseudonymous or anonymous from the perspective of the GDPR.” Wolfbauer and Ocko contend that this is one of the “classic” debates that comes with the GDPR, which defines “personal data” as “any information relating to an identified or identifiable natural person.” 

Ultimately, where these does appear to be a consensus is that there are still many legal questions to be clarified given the relative novelty of NFTs. Further legislative developments – such as a digital asset-focused reform that is currently being crafted by the Law Commission of England and Wales, and the European Union’s proposed Markets in Crypto-Assets Regulation – paired with inevitably impending case law will certainly provide clarity. To date, The Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection regulator, has shed some light on this potential clash. In a 2018 report, which was the first guidance issued by a European data protection regulator on this topic, the CNIL analyzed a number of fundamental questions regarding the interaction between blockchain technology and the GDPR’s requirements, but ultimately left it up to blockchain practitioners and and other EU data protection regulators “to find creative solutions for reconciling blockchain technology with the strict requirements of the GDPR.”

In the meantime, Jones Day attorneys have cautioned companies dealing in the dynamic and very-much-evolving NFT space to monitor the market “as the asset class evolves, markets develop, and the law and regulations begin catching up” – as they certainly will – in furtherance of their efforts to “develop careful plans for exploring potential opportunities in this space.” This includes oversight by fashion brands and retailers as the NFT market continues to find favor, and more look to tap into this budding opportunity to connect with eager digital asset-buying consumers.