by Matteo Piccinali[1]
- Proposed integration of blockchain and consumer loyalty schemes based on NFTs
What we are going to address in this analysis is a proposal on the possibility to exploit blockchain technologies and consumer loyalty tokens to leverage a system for implementing an integrated promotion of the three economic sectors of tourism, agri-food and art & culture.
The blockchain technology and, more generally, the technologies of Distributed Ledger Technology (or DLT) are now defined as computer technologies and protocols that use a shared, distributed, replicable, simultaneously accessible, architecturally decentralized registry on a cryptographic basis that enables the recording, validation, updating and storage of data both in clear text and further protected by encryption verifiable by each participant, non-alterable and non-modifiable.
In other words, it is a digital, public and permanent register which allows to record, validate, store and transmit computer evidence chronologically linked in an unchanging chain, in the absence of a centralized validation authority, through a distributed consensus system based on algorithms.
The information recorded and exchanged between nodes is non-duplicable by virtue of the cryptographic technique and ensures a high degree of reliability and transparency, as it is visible to each component of the network and cannot be deleted or changed.
A token is a programmable digital unit of value that is recorded on a blockchain. There are various types of tokens and they can represent anything. The most popular token standard is found in the Ethereum infrastructure, with the deployment of tokens using a specific type of standard that sets out the rules for fungible tokens.
The main type of digital property developed and transferable using blockchain technology is the non-fungible token, or NFT, which is a certified copy of a digital asset that is different from all other copies (both certified and uncertified) of the same item. The asset can be any form of digital content and it can even contain access to physical content.
When an NFT is made or a transaction occurs, a block will eventually need to be added to the pre-existing chain of transactions. Once the conditions are met, the action takes place (such as providing a digital file to a buyer) and the blockchain is updated with the transaction.
It means that it is possible to prove the provenance of a given NFT at any moment in time and trace the history of prior ownership; moreover, it is easy to transfer NFTs from one person to another and it is very hard to counterfeit them. Given that NFT ownership is easy to certify and transfer, it is useful to create markets in a variety of different goods.
Blockchains are also programmable, therefore it is possible to endow NFTs with features that enable them to expand their purpose over time, or even to provide direct utility to their holders. In other words, NFTs can do things or let their owners do things in both digital spaces and the physical world.
In this sense, NFTs can function like membership cards or tickets, providing access to events, exclusive merchandise, and special discounts, as well as serving as digital keys to online social spaces where holders can engage with each other. The consequence is that the owner of the NFT may be an investor, a member of a club, a brand shareholder and a participant in a loyalty program all at once.
This all means that NFT-based markets can emerge and gain traction quickly, especially relative to other crypto products. These benefits make owning the associated NFTs more valuable and this increase in the value of ownership comes in a form that helps separate the value of ownership from the purely financial opportunity of reselling.
- Integration of economic sectors and NFTs
The use of these technologies can be profitable for the development of loyalty programs in the touristic, agri-food and art sectors. The innovation would consist in the development of an integrated system for the marketing of products and services consumer loyalty programs between companies operating in a specific geographical context (“Geographical Context”) in the tourism, cultural and agri-food sectors based on the use of blockchain technology
The objective of the project is the creation of a digital ecosystem that allows companies in the Geographical Context in the above-mentioned sectors to share data, information and digital services useful to transform the territory concerned into a smart destination, i.e. a territory with respect to which it is possible to offer tourist packages tailored to the specificities of the individual tourist/consumer, customized by artificial intelligence algorithms based on data made available by the processing of data entered into the digital ecosystem.
In the framework described, a first phase of the project involves the participation of companies in the above ecosystem through the following methodologies:
(i) Agri-food Area: adoption of a certification system based on blockchain technology within the agri-food and wine supply chain that aims at ensuring the origin and traceability of products, food safety, monitoring of environmental conditions, etc.;
(ii) Tourism-Hotel Area: adoption of a self-executing model of smart legal contract that allows the conclusion of the hotel contract in digital form, through the simple data input by the customer. Through the adoption of this model, at the beginning of the tourist stay (check-in) and at the end of the same (check out) the smart contract would produce automatic effects (crediting of sums as a deposit, communication of user data to the competent authorities, etc.. ), thus overcoming the problems related to the phase of performance of the contract and ensuring a constant exchange of data between the company, the tourist and any third parties (oracles) to which activity is automatically correlated the production of predetermined effects (for example, activation – in favor of both the user and the operator – of insurance coverage for cancellation, adverse weather events, medical expenses, hospitalization and quarantine, repatriation, etc.; reporting the beginning and end of the stay to the police authorities; credit/debit of deposits and balance amounts; etc.);
(iii) Art & Culture Area: in this case it could be hypothesized that the technological convergence between cryptocurrencies, blockchain and smart contracts would operate as follows:
– donations (possibly also integrated in an additional portion of the price associated with the purchase of the entrance ticket or the price paid for a purchase at the gift shop or for one’s membership to the museum institution) could be made through the giving of amounts of money or cryptocurrencies, so as to support the use of the same on official and legal channels, as well as to support their use by those (especially the younger cyber-generations) who will increasingly have these means of payment;
– in exchange for donations, tokens would be issued to donors that incorporate a bundle of rights (e.g., certification of cultural heritage supporters; the right to dispose of the tokens as an object of exchange; tax credits, etc.), including the right to access benefits attributable to membership in a club: for example, obtaining free tickets for entry to the museum that is the direct beneficiary of the original donation; access to discounts and promotions on tickets, merchandising and ancillary services of the provincial, regional or national museum circuit; obtaining and accumulating « loyalty » points that grant discounts and other benefits at facilities and tourist services that have agreements at the local or national level (hotels, restaurants, means of transport, other cultural facilities, etc.. ), so as to encourage and promote at the same time the tourism system and the national territory.
The management of the above mechanisms would be entrusted to innovative technologies represented, for example, by Internet of Things, Artificial Intelligence, Blockchain and Smart Contracts.
In particular, the blockchain would go on to record (and immutably certify) the liberalities, to issue tokens incorporating the bundle of rights listed above, as well as to record the transfers of ownership of those tokens that are made the subject of economic transactions.
The smart contracts, on the other hand, would be the computer tool to perform automatically, to the satisfaction of certain conditions, the various effects related to the conduct described above such as, for example: the effects of the circulation of tokens, the reversal of a percentage of the value of the economic transaction involving the tokens to be conveyed to the Culture Fund, the association of loyalty points to the donor and the redemption mechanisms of the same points accumulated once they are spent for goods and services related to them, etc.
As briefly mentioned above, the project is expected to create a transversal system that involves a number of operators belonging to the various sectors – agri-food, tourist-hotel and artistic-cultural – of the Geographical Context, as well as a loyalty system that introduces a bonus logic for local tourism.
In particular, each operator belonging to the digital ecosystem will be able to develop (or join) a loyalty program that allows the tokenization of reward points accumulated by the tourist/consumer through the use of goods and services offered by the consortium of companies operating in the digital ecosystem.
These « homogeneous » tokens (in the sense that they are issued by several operators active in different sectors and therefore necessarily exchangeable in the context of the digital ecosystem in question) can then be exchanged by users as real crypto assets through the use of an open source blockchain protocol or used indifferently at any company belonging to the ecosystem to benefit from the rewards and/or discounts of the loyalty campaigns of interest from time to time.
The beneficial effects deriving from the model examined may concern:
(i) The sector operators, through the automation and standardization of processes, the simplification of the legal activity, the accessibility to and certainty of data; the possibility of tracking transactions during the entire journey of the tourist/consumer on the territory and elaborate a personalized offer; the secure management of loyalty programs and reward schemes (points/tokens);
(ii) Supply Chains and Consumers, through the control of the origin and traceability of products; food safety control; environmental monitoring; promotion of supply chain operators;
(iii) the Geographical Context, through the creation of an integrated and personalized offer, the accessibility of the smart destination to new generations of consumers through the creation of a digital ecosystem; the enhancement of the territory through the development of integrated loyalty campaigns that encourage exchange processes and consequent value creation.
- Some legal implications of this proposal
The main legal implications raised by this operation model include, amongst others, the laws of contracts, consumers, data protection and anti-money laundering.
In particular, we wish to herein explore some of the implications relating to smart contracts and data protection.
3.1 Smart Contracts
According to the E-Commerce Directive, Member states have to ensure that their legal systems allow the contracts concluded by electronic means. However, there is no subsequent regulation on smart contracts and there are still issues with legal validity and legal enforceability of blockchain-based smart contracts.
Moreover, as in smart contracts the execution is done automatically, there is no possibility for a party to breach the contract and there is no possibility to undo an executed smart contract[2], thus, any dispute may not apparently restore the rights to the same condition, as it was before the execution.
On a national regulatory level, this technology and, more generally, the Distributed Ledger Technology (or DLT) [3] technologies now find a definition in art. 8-ter, paragraph 1, of the Italian Law nr. 12/2019 of conversion, with amendments, of the legislative decree n. 135/2018 (so-called Simplification Decree).
This norm defines technologies based on distributed registers as « technologies and computer protocols that use a shared, distributed, replicable, simultaneously accessible, architecturally decentralized register on cryptographic bases, such as to allow registration, validation, updating and storage of data both in clear text and further protected by cryptography verifiable by each participant, which cannot be altered and cannot be modified »[4].
In other words, the term blockchain indicates a digital, public and permanent register in which it is possible to record, validate, store and transmit computer evidence chronologically connected in an immutable chain, in the absence of a centralized validation system.
Further to that, the enforcement of Italian Law nr. 12/2019 regulates the formal value of an agreement concluded through a smart contract, in the following terms: « a smart contract is defined as a computer program that operates on technologies based on distributed ledgers and whose performance automatically binds two or more parts on the basis of predefined effects” [5].
However, considering the absence of a transnational regulation of smart contracts, not only the enforceability of blockchain based smart contracts, but also certain specific legal issues should raise the attention of the international community, for example, consumer protection issues in smart contracts from the perspective of a standard form contract.
3.2 Privacy
Legislation on data protection is also relevant when it comes to analyzing the flow of personal data generated from the interaction with a digital ecosystem represented by a video streaming service, a video game or a metaverse platform. Apparently, blockchain may seem to provide a technological ecosystem that is consistent with the principles of the GDPR. For instance, according to art. 25 of GDPR, the controller must implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR Regulation and protect the rights of data subjects. The blockchain is apparently consistent with the requirements outlined above, as it would be more resistant to cyber-attacks or malfunctions because it does not have a single point of data aggregation (as in centralized systems). Moreover, the blockchain could curb the uncontrolled way in which the gatekeepers collect the user’s personal data, far beyond what is necessary to bring about a given transaction that is performed on the web. With blockchain, on the other hand, asymmetric encryption would ensure selective access to data, respecting what users have consented to on the basis of the purpose of the processing, consistently with the principle of minimization
However, some important conflicts between blockchain technology and data privacy requirements to consider include[6]:
- blockchain implementations that expressly record personal data on the blockchain are clearly subject to laws regarding personal data. However, whether the data some blockchains record, process, or use to manage transactions qualifies as personal data varies (e.g., blockchains may expressly include personal data as “payload” if they aim to create a record of ownership or other assigned rights that require sufficient identifying information; blockchains tout anonymity or at least some level of privacy by using public-private key pair encryption).
- Identification of data controllers and data processors: the distributed peer-to-peer network architecture means that it is often unclear which party determines the purposes and means of processing. Private blockchains present a simpler case, since here a central operator or consortium likely qualifies as a controller or joint controllers. Other actors that help operate the blockchain specifically for the central operator, such as nodes or miners, can take the processor role. The private blockchain operator or consortium must implement appropriate data processing agreements or other contracts to hold these service providers accountable and meet regulatory obligations. Public blockchains typically lack a central operator, making it difficult to assign traditional controller and processor accountability.
- Territorial implications for distributed blockchain networks and cross-border data transfers: according to art. 3 GDPR, this Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. The distributed nature of blockchain technology not only poses a challenge regarding the applicability of various jurisdictions’ laws, but it also raises tensions with those that restrict cross-border data transfers. Most notably, the GDPR permits personal data transfers to countries outside the EEA only under specific circumstances and requires specific safeguards in the recipient jurisdiction to ensure the same or an adequate level of protection.
- Criteria for legitimate reasons for processing personal data to blockchain use cases: GDPR only allows controllers to process personal data based on one or more lawful purposes, including data subjects’ consent or processing to the extent necessary for entering or performing a contract with the data subject; complying with the controller’s legal obligations; protecting vital interests of the data subject or another natural person; performing public interest or official tasks; or pursuing the controller’s or a third party’s legitimate interests unless the data subject’s interests or fundamental rights and freedoms override them. It is unclear whether these options encompass perpetual distributed blockchain storage. Blockchain participants may request consent from their users or data subjects, as applicable. That is why, in some instances, it may be preferable for controllers under the GDPR to depend on a basis other than consent because such consent must be freely given, specific, informed and unambiguous, and it can be withdrawn at any time without reason.
- Reconciling transaction immutability and data preservation in blockchain applications with individuals’ rights: rights of data correction and data erasure, also known as the right to be forgotten, present the most apparent conflict with blockchain technology’s transaction immutability characteristics. Blockchains, in particular implementations that provide ownership, supply chain, and other recordkeeping tools, including smart contracts, can likely address data updates by recording additional transactions. However, these later transactions do not technically delete data previously stored on the blockchain.
Alternative data encryption and destruction approaches may help address compliance concerns regarding personal data on blockchains and address individuals’ rights by using hashing or other irreversible data transformations, destruction of separately stored hashing or encryption keys and revocation of access rights.
Looking forward, privacy on blockchain technology may be improved by verifying and managing consent, providing individuals with clear notifications and records of personal data usage across distributed systems and minimizing data sharing between data controllers and their processors.[7]
[1] Andrea Polini, Italian lawyer and LLM in Tax Law, University of Trento, and Marika Lombardi, Italian lawyer and postgraduate research fellow, University of Brescia, contributed to this chapter.
[2] Werbach K. and Cornell N., Contract Ex Machina, Duke Law Journal, Vol.67, 2017, p.371, available at: https://scholarship.law.duke.edu/cgi/viewcontent.cgi?arti- cle=3913&context=dlj.
[3] PINNA – RUTTENBERG, Distributed ledger technologies in securities post-trading, in ECB Occasional Paper, 2016, 15 ss.
[4] Cfr. art. 8-ter, comma 1, l. n. 12/2019.
[5] Cfr. art. 8-ter, co. 2, primo periodo, l. n. 12/2019.
[6] Blockchain Technology: Data Privacy Issues and Potential Mitigation Strategies, Pritesh Shah and Daniel Forester, et. al, https://www.davispolk.com/sites/default/files/blockchain_technology_data_privacy_issues_and_potential_mitigation_strategies_w-021-8235.pdf; Privacy-Preserving Solutions for Blockchain: Review and Challenges, Bernabe, Canovas et al., October 31, 2019, Institute of Electrical and Electronic Engineers IEEE, https://ieeexplore.ieee.org/document/8888155/citations#citations; Gambino-Bomprezzi, Blockchain e Protezione dei Dati Personali, Il Diritto dell’Informazione e dell’Informatica, Anno XXXIV, Fasc. 3, 2019.
[7] Blockchain Technology: Data Privacy Issues and Potential Mitigation Strategies, Pritesh Shah and Daniel Forester, et. al, https://www.davispolk.com/sites/default/files/blockchain_technology_data_privacy_issues_and_potential_mitigation_strategies_w-021-8235.pdf.