The European Union’s latest technical updates to crypto data sharing rules expand reporting obligations under DAC8. They also tighten Transfer of Funds (TFR) and “Travel Rule” compliance for crypto-asset service providers. These changes have provoked strong criticism from privacy advocates, industry groups, and some member states. Regulators say the changes will improve tax transparency and AML/CFT (anti-money-laundering and counter-financing of terrorism) oversight. However, critics warn they risk mass collection and cross-border sharing of sensitive personal data without sufficient safeguards.
Under the updated framework, exchanges, custodial wallet providers, and other crypto firms will be required to submit standardized reports on customer holdings. They must also report transactions to national tax authorities, which will automatically share that data across EU member states. The rules are being rolled out alongside existing TFR amendments. These amendments force crypto firms to collect and pass on originator and beneficiary identifiers for transfers. This effectively extends the FATF “Travel Rule” into EU law. Regulators argue this closes enforcement gaps created by decentralized asset flows.
Privacy groups, including digital-rights NGOs and some data protection officials, say the speed and technical breadth of sharing create new risks. The European Data Protection Board has recently opened consultations on guidance for personal data processing in blockchain contexts. This underscores unresolved questions about proportionality, minimization, and cross-border access. Critics fear automated cross-border exchange could enable profiling and long-term retention of transaction histories. Moreover, there may be mission creep beyond tax and AML uses unless strict purpose-limitation and deletion rules are enforced.
Industry reaction is mixed. Larger regulated exchanges generally support harmonized rules. They believe these rules level the playing field and reduce fragmented national approaches. Contrarily, smaller custodians and decentralized finance (DeFi) actors warn that the reporting burden may push compliance costs up. This could further centralize market power. Compliance vendors and legal advisers note that firms should prepare for standardized technical reporting formats. Robust identity-verification workflows will be needed to meet the new obligations.
What’s next: Member states must implement the technical measures in their domestic systems. Tax authorities will need to build secure channels for automatic exchange. Lawmakers and privacy watchdogs will watch implementation closely, as challenges in balancing AML/tax enforcement with core EU data-protection principles may trigger legal tests before national courts or the European Court of Justice. Observers say transparent retention limits, strict access controls, and auditability will be essential to defuse the privacy backlash.
FAQs
Q: When do the new crypto reporting rules take effect?
A: Technical updates have been published, and member states are preparing for implementation. Many provisions are expected to be operational in stages through 2025–2026.
Q: Which firms must report under DAC8?
A: Crypto exchanges, custodial wallet providers, and other crypto-asset service providers that handle transactions or hold customer assets will generally fall within the reporting scope.
Q: Will personal transaction data be shared across borders?
A: Yes, the rules create mechanisms for automatic exchange of standardized reports between EU tax authorities, raising cross-border data-protection concerns.
Q: What protections exist for privacy?
A: Regulators point to purpose-limitation, security measures, and EDPB guidance. However, privacy advocates argue that specific retention and access safeguards must be strengthened during implementation.
Q: Could these rules face legal challenges?
A: Yes, if implementation conflicts with GDPR principles or lacks proportional safeguards, courts could be asked to adjudicate.
