TL;DR
South Korea's Personal Information Protection Commission states that a cryptocurrency wallet address is personal information if it can be combined with other information to identify an individual. This means that while wallet addresses by themselves are not classified as personal information, the classification may change when combined with additional information.
The classification of wallet addresses as personal information in Web3 services depends on the type of service, but in most cases, wallet addresses are likely to be classified as personal information. Unless you use a non-custodial wallet and don't collect any other personal information, wallet addresses will be treated as personal information in most cases.
In South Korea, cryptocurrency wallet service providers are classified as VASPs, but many companies currently avoid filing for a license due to the ambiguity in definition and high cost. However, if regulatory oversight is strengthened in the long term, having a VASP license may become a decisive factor in choosing a wallet service.
Web3 services and personal information
Collecting and using data is an integral part of running a service. Among the many types of data, information that can be used to identify individuals is classified as sensitive data. Each country has established regulations related to the management and supervision of personal information to prevent misuse. Korea also strictly manages and supervises personal information under the Personal Information Protection Act.
Web3 services are no exception to the rule. However, some Web3 services that rely on "decentralization" lack a clear consensus and management system regarding the scope of personal information. While this may seem harmless in the short term, Web3 services may also become subject to regulatory sanctions, which can cause service quality to deteriorate in the long term.
Is a wallet address personal information?
The "Standard Interpretation of the Personal Information Protection Act 2023" published by the Personal Information Protection Commission of South Korea contains 30 frequently asked questions, one of which is "Is the address of a cryptocurrency wallet that stores crypto considered personal information?"
The answer to this question is clear: "Even if a cryptocurrency wallet address does not identify an individual by itself, it is personal information if it can be used to recognize a specific individual through trading accounts, name, etc."
However, many people believe that a wallet address is not personal information. According to a Supreme Court case (Supreme Court Decision 2020도9789, dated December 16, 2021) regarding erroneous remittances, a wallet address alone does not reveal the personal information of the person using the address, nor does it establish a trust relationship. The case leads us to conclude that as it is not possible to identify an individual using only the 'wallet address', it cannot be considered personal information.
Yet, Article 2(1) of the Personal Information Protection Act in South Korea defines "personal information" as information about a living individual, such as a name, resident registration number, and/or image, which can be used to recognize an individual. This includes information that cannot be used to recognize a specific individual by itself but can do so in conjunction with other types of information. Therefore, if a wallet address can be used to identify a specific individual when combined with other information such as an IP address, it can be considered personal information.
What services classify wallet addresses as personal information?
Whether wallet addresses become classified as personal information depends on the type of service. In most cases, they are likely to be classified as personal information. Wallet addresses are not classified as personal information only if 1) the service does not directly manage non-custodial wallet addresses, and 2) the service does not collect any other personal information.
1) Not classified as personal information: non-custodial wallets, no other personal information collected
Services that do not store non-custodial wallet addresses directly and do not collect any other personal information are those that do not verify or store your identity, such as decentralized finance (DeFi) services or NFT marketplaces.
These services only use your wallet address to conduct transactions, so the wallet address itself does not reveal your real identity. In this case, there is no legal obligation to include a privacy policy because the service does not handle personal information at all. Nonetheless, it is recommended to present a privacy policy to properly inform users of the nature of the service and to build transparency and trust.
2) The rest is classified as personal information
For Web3 services that collect other personal information, the wallet address is also classified as personal information because the collected personal information can be used to identify an individual by their wallet address. Custodial wallets cannot avoid this either: because a centralized exchange (CEX) or a specific organization manages the private keys and wallets, their wallet addresses are also classified as personal information. These services must specify their privacy policy and obtain the user's consent in the process of collecting, using, and storing personal information such as the user's wallet address.
Considerations when choosing a wallet service
In general, wallet addresses are treated as personal information in Web3 services, but the entity that manages them is often an external wallet service. Currently, there are various local and global wallet services, and choosing one can be difficult as they all provide different functions and convenience. For example, if you are running a game service as described in the previous report, you will need to choose a wallet that suits those needs.
The South Korean regulatory body considers "cryptocurrency wallet service providers" as a whole to fall within the scope of virtual asset service providers (VASP). This suggests that wallet services also fall within the regulatory umbrella.
However, as mentioned above, if the provider does not hold or directly control the private cryptographic keys, it is not required to report as a VASP. As the definition of "control" is ambiguous, there is a lot of confusion among wallet service providers as to whether they are required to report for a VASP license. This is further exacerbated by the fact that acquiring a VASP license requires high administrative costs such as ISMS certification, so many wallet providers do not report in practice.
However, this may change in the future if supervisory oversight is strengthened. For example, if authorities clarify the definition of what needs to be reported under the AML laws and strictly enforce compliance by wallet service providers, the licensing status of a wallet service may become an important factor in choosing a wallet service. In this situation, the criteria for choosing a wallet service will go beyond functionality and convenience to include compliance.
What should stakeholders be aware of?
The use of wallets is increasing with the rise of Web3 services, but users are not yet aware of the importance of wallet addresses. The transaction history of all Web3 service users can be found on-chain, where it is permanent and tamper-proof. If someone can identify your wallet address as yours, all of your transactions can be identified by everyone online. This risk has become more severe in recent years, as many people use multiple services with one wallet address. Users of Web3 services should be fully aware of how wallet addresses are classified as personal information.
Furthermore, when selecting a wallet service for service development, it is necessary to consider not only functionality and ease of use but also whether the wallet service has a VASP license. This is especially the case if the service operates in a country with strict privacy regulations, such as South Korea. Users should check whether the service has the necessary license as a VASP and whether its privacy policy is transparently disclosed.
Service providers must strictly comply with privacy laws when handling personal information such as users' wallet addresses, and ensure that users are fully informed when giving their consent. This is not just about meeting legal obligations, but also about gaining the trust of users and providing sustainable services over the long term.
Disclaimer
This report is the result of a collaborative effort with blockchain company Hexlant; no financial transactions have occurred between the two companies. This report has been prepared based on materials believed to be reliable. However, we do not expressly or impliedly warrant the accuracy, completeness, and suitability of the information. We disclaim any liability for any losses arising from the use of this report or its contents. The conclusions and recommendations in this report are based on information available at the time of preparation and are subject to change without notice. All projects, estimates, forecasts, objectives, opinions, and views expressed in this report are subject to change without notice and may differ from or be contrary to the opinions of others or other organizations.
This document is for informational purposes only and should not be considered legal, business, investment, or tax advice. Any references to securities or digital assets are for illustrative purposes only and do not constitute an investment recommendation or an offer to provide investment advisory services. This material is not directed at investors or potential investors.