The European Commission has released its proposal for the union's new Data Act, with some concerning fine print for the future of smart contracts.
The February 23 draft legislation focuses on overall data protection and privacy within the European Union. In that context, it identifies smart contracts as:
"Computer programs on electronic ledgers that execute and settle transactions based on pre-determined conditions. They have the potential to provide data holders and data recipients with guarantees that conditions for sharing data are respected."
Smart contracts indeed play a surprisingly big role in the European Commission's vision for data protection. The proposal nonetheless puts forward requirements for smart contract developers that would impose startling new legal standards for their use in data-sharing and protection applications, which could end up being the bulk of applications for smart contracts that exist. As Thibault Schrepel, a tech and law professor, noted, this particularly threatens oracles.
Notably, Article 30 as currently written would mandate that applications using smart contracts include a kill switch. The section on "[S]afe termination and interruption" would require those selling or using smart contracts in their applications to:
"[E]nsure that a mechanism exists to terminate the continued execution of transactions: the smart contract shall include internal functions which can reset or instruct the contract to stop or interrupt the operation to avoid future (accidental) executions."
The provision is likely a reaction to a few notable failures of smart contracts that have facilitated a number of hacks. Recently, this included Ethereum-Solana bridge Wormhole, but another infamous example was the 2016 hack of the smart contract behind the DAO, which recently returned to headlines.
However, kill switches on smart contracts by their nature threaten the promise of immutability: with the ability of a single source to make a change, the contract is no longer autonomous. In the case of the DAO, the decision to undo the damage on the Ethereum network was controversial enough that die-hards in favor of immutability forked the network into Ethereum Classic. In that network, the hacker kept their funds.
The aggregate effect of the EU requiring kill switches on smart contracts is hard to conceptualize, as smart contracts also cross borders so readily. But while the European Commission's version of this Data Act is still far away from actually becoming law, the EC is the most powerful force in making such regulations. The European Parliament and Council will eventually weigh in before this becomes law, but even if they challenge these provisions, the Commission will have the chance to restate its case later on as well.