Is Europe Killing or Protecting the Blockchain?
The European Data Protection Board (EDPB) Guidelines 02/2025 on processing of personal data through blockchain technologies (the “Guidelines”) emphasise the need for organisations to ensure compliance with the General Data Protection Regulation (GDPR) when integrating blockchain technology, highlighting that wallet addresses are considered personal data even when encrypted. These Guidelines could threaten years of regulatory progress in Europe, particularly with initiatives like the Markets in Crypto-Assets (MiCA) Regulation. The potential for increased compliance burdens may deter innovation, leading to a migration of talent, jobs and investments away from Europe. As China and the United States accelerate their efforts to be leaders in cryptocurrency, European companies may find themselves at a competitive disadvantage, struggling to navigate the complex regulatory landscape while trying to innovate. In this context, this article aims to summarise the key points of the guidelines while highlighting the actions to be taken to measure and anticipate risks.
Enhanced Summary of EDPB Guidelines on Blockchain and Personal Data Processing
The EDPB has released the above-mentioned Guidelines on the processing of personal data through blockchain technologies for public consultation. The Guidelines are open for comments until 9 June 2025 and provide essential directions for organisations aiming to ensure compliance with the GDPR as they consider integrating blockchain into their data management practices. The Guidelines focus on significant concerns related to individual rights, data minimisation and the right to erasure, highlighting the complexities introduced by the decentralised nature of blockchain technology.
Understanding Blockchain Technology
Blockchain is characterised as a distributed ledger technology that records transactions without intermediaries, using cryptographic methods (hash chaining and digital signatures) to ensure data integrity and availability. While blockchain offers notable benefits such as increased transparency and tamper-evidence, its append-only, practically immutable nature poses challenges to specific GDPR requirements, in particular rectification and erasure.
The key characteristics of blockchain are as follows.
Those key characteristics pose challenges to GDPR compliance.
Compliance issues emerge, particularly concerning data rectification and the right to deletion. Organisations are required to conduct thorough risk assessments to identify and mitigate challenges associated with their blockchain projects. Evaluating the blockchain’s architecture is essential, accounting for how responsibilities are shared and what data protection mechanisms are instituted.
However, fundamental principles of blockchain appear to conflict with GDPR obligations. As a result, organisations will need to manage this risk; see the examples below.
Recommendations for Organisations
To navigate these challenges, the EDPB recommends several best practices.
Prefer permissioned blockchains
In permissioned blockchains, access and the rules for validating and recording transactions are managed by one or more entities. The EDPB favours this model because it provides a clearer delineation of roles and facilitates the allocation of responsibility, which is essential for safeguarding individuals’ rights and freedoms. Any departure from this governance structure should only be considered if there are well-justified reasons, and organisations must assess whether blockchain is genuinely suitable for their requirements.
Avoid direct storage of personal data
Organisations should refrain from storing personal data directly on blockchains. Instead, they are advised to implement protective measures, including encryption and off-chain storage, to lower the risks associated with personal data processing. It should be noted that wallet addresses are classified as personal data, even when encrypted, because they can be linked back to an identifiable person (for example through onboarding or transaction records held by the organisation). For instance, if a business inadvertently exposes wallet addresses together with data that identifies their holders, it could face hefty fines under the GDPR for failing to protect personal data.
Take for example a healthcare organisation that decides to use blockchain to store patient records, including personally identifiable information (PII) such as names, addresses and medical histories. If this sensitive information is stored directly on the blockchain, it becomes permanently accessible and immutable. If a patient later requests that their data be deleted, the organisation would be unable to comply, in breach of the GDPR. Instead, the organisation should use off-chain storage for the sensitive data and record on the blockchain only references or commitments (keyed hashes) that are meaningless without the off-chain record.
Conduct Data Protection Impact Assessments (DPIAs)
Data Protection Impact Assessments (DPIAs) are a crucial tool for organisations to evaluate the potential impact of their data processing activities on individuals’ privacy. Given the immutable and transparent nature of blockchain, it is essential to understand how data will be stored, accessed and potentially exposed. For example, if a company plans to use blockchain to store customer transaction data, a DPIA can help identify risks related to unauthorised access or data breaches. A DPIA is mandatory under Article 35 GDPR where the processing is likely to result in a high risk, which will often be the case for personal data on a public ledger, and it provides a structured approach to evaluating how a project aligns with data protection principles such as data minimisation and purpose limitation. For instance, if a financial institution intends to use blockchain for transaction verification, a DPIA can help ensure that only necessary data is recorded and that personal data is adequately protected.
Establish a strong governance framework
A governance framework should delineate roles and responsibilities among relevant parties, ensuring that the decentralised nature of blockchain does not absolve them from GDPR obligations.
Implement technical and organisational safeguards
Organisations must establish robust safeguards to protect personal data from unauthorised access, including encryption and hashing techniques.
Key safeguards are as follows.
Public Permissionless Blockchains
In public permissionless blockchains like Bitcoin and Ethereum, which are open and decentralised, the nodes that mine or validate blocks may, in pursuing their own interests, influence the purposes or means of processing, which raises the question of who is responsible for that processing. The EDPB recommends forming a consortium or legal entity among these nodes to take responsibility for processing. However, this idea is largely theoretical given the diverse nature of participants and the difficulty of identifying or locating them.
Upholding Data Subject Rights
The Guidelines emphasise the importance of transparency regarding how personal data is accessed, corrected and deleted in blockchain transactions. Organisations must communicate clearly with data subjects about their processing activities and ensure that rights to access, erasure and rectification are upheld. In particular, organisations should respect the following rights.
As wallet addresses are classified as personal data ‒ even when encrypted ‒ this poses significant risks for companies and serves as a reminder that such data are subject to rights of data subjects under the GDPR.
Legal Basis for Processing
Organisations must validate the legality of processing personal data on a blockchain, ensuring that clear legal bases are established for all processing activities. Compliance with GDPR regarding any international data transfers resulting from blockchain operations is also crucial.
Data Protection by Design and Default
The Guidelines advocate integrating data protection measures into the design of blockchain systems. Data Protection by Design and Default is a fundamental principle under the GDPR: organisations must build data protection into the development and operation of their systems from the outset, particularly where traditional safeguards may be insufficient. This principle is especially relevant to blockchain, where the immutable and transparent nature of the system poses unique challenges to privacy. By embedding data protection measures into the design of blockchain systems, organisations can identify and mitigate privacy risks before they materialise, so that data protection is a core component of the system rather than an afterthought. Organisations that prioritise data protection by design can also build trust with users and stakeholders and thereby strengthen their reputation.
Example: permissioned blockchains
In a permissioned blockchain, access to the network is restricted to authorised participants. By designing the blockchain with access controls, organisations can ensure that only individuals with the necessary permissions can view or interact with personal data. For instance, a financial institution using a permissioned blockchain for transaction processing can limit access to sensitive customer information to authorised personnel only, thereby reducing the risk of unauthorised access.
Example: smart contracts
Smart contracts can be designed with privacy features that limit the visibility of personal data. For example, a smart contract used for a decentralised finance (DeFi) application could be programmed to reveal transaction details only to authorised parties while keeping sensitive information confidential. One caveat applies: on a public chain, contract storage, calldata and events are readable by every node, so an access check in the contract’s logic only restricts what the contract returns, not what the ledger exposes. Confidentiality therefore has to come from encrypting the data or keeping it off-chain, with the contract holding only references or commitments.
Example: encryption and anonymisation
Organisations can enhance data protection by incorporating encryption and anonymisation techniques into their blockchain systems. For instance, a healthcare provider using blockchain to store patient records could encrypt sensitive data before it is recorded on the blockchain. This way, even if the blockchain is accessed by unauthorised parties, the data remains unreadable without the decryption key. Two caveats follow from the Guidelines’ position that encrypted data remains personal data: the encrypted record stays personal data for as long as a decryption key exists, and since the ciphertext itself can never be removed from the chain, erasure can only be approximated by destroying the key (so-called crypto-shredding), which must be planned for from the outset. Additionally, the provider could remove personally identifiable information (PII) from the data placed on the blockchain; this is genuine anonymisation only if the link to the individual cannot be re-established, otherwise it is pseudonymisation and the data remains in scope of the GDPR.
Essential practices
An essential practice is to establish data retention periods, ensuring that data is deleted once its intended purpose is fulfilled.
Establishing data retention periods is a critical aspect of GDPR compliance, but it presents unique challenges when applied to blockchain technology. The immutability and transparency of blockchain can conflict with the requirement to delete personal data once its intended purpose is fulfilled. By adopting strategies such as off-chain storage, data minimisation and smart contracts, organisations can navigate these challenges and ensure that they meet their legal obligations while utilising blockchain effectively.
Example 1
Instead of storing personal data directly on the blockchain, organisations can store it in secure off-chain databases. The blockchain then holds only references or hashes that link to the off-chain data. This way, once the intended purpose is fulfilled, the organisation can delete the personal data from the off-chain storage while keeping the blockchain intact. The reference must be chosen with care: a plain hash of a name, e-mail address or identifier can be matched against a list of candidate values and therefore remains personal data. A keyed hash or commitment whose key is held off-chain and deleted together with the record avoids this, because nothing on the chain can then be tested against candidate values.
Example 2
Organisations can use smart contracts to automate data retention policies. For instance, a smart contract could record the retention deadline and, once the period has elapsed or the intended purpose is fulfilled, emit an event or change a status flag that triggers the deletion of the off-chain data. Since a smart contract cannot reach off-chain storage itself, the actual deletion is carried out by an off-chain process that reacts to the contract’s signal. This approach helps ensure compliance with the GDPR while leveraging the benefits of blockchain technology.
Example 3
Organisations should implement data minimisation practices by only recording the necessary information on the blockchain. For example, instead of storing full names and contact details of suppliers, the company could use unique identifiers or pseudonyms that do not directly reveal personal information. This reduces the amount of personal data retained on the blockchain.
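The three examples above (off-chain storage with on-chain hashes, retention automation and pseudonymous identifiers) and the key-destruction point in the section “Example: encryption and anonymisation” fit together into one design, shown here as a worked example added for illustration; it is not code from the Guidelines or from EY. It assumes a hypothetical in-memory stand-in for the ledger and for the off-chain store (the names Ledger, OffChainStore, register, purge_expired and dictionary_attack are this example’s own), uses an HMAC-SHA256 keyed commitment in place of a bare hash, and works on constructed sample names. It also demonstrates the caveat noted under Example 1: a bare SHA-256 of a name written to the chain is recovered from a short candidate list, the keyed commitment is not, and after the retention job deletes the off-chain record and key the chain entry is still there but verifies against nothing.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ChainEntry:
    """What the ledger holds: a random pseudonym, a keyed commitment and a timestamp; never the data."""
    pseudonym: str
    commitment: str
    recorded_at: int


@dataclass
class Ledger:
    """Append-only stand-in for the chain: entries can be added but never removed or changed."""
    entries: List[ChainEntry] = field(default_factory=list)

    def append(self, entry: ChainEntry) -> None:
        self.entries.append(entry)

    def lookup(self, pseudonym: str) -> Optional[ChainEntry]:
        return next((e for e in self.entries if e.pseudonym == pseudonym), None)


@dataclass
class OffChainStore:
    """Deletable storage for the personal data and the per-record key (hypothetical schema)."""
    retention_seconds: int
    records: Dict[str, Tuple[bytes, str, int]] = field(default_factory=dict)


def commitment(key: bytes, data: str) -> str:
    """HMAC-SHA256 keyed commitment: without the key, candidates cannot be tested against it."""
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).hexdigest()


def register(store: OffChainStore, ledger: Ledger, personal_data: str, now: int) -> str:
    """Examples 1 and 3: data and key stay off-chain; the chain gets a random pseudonym and a commitment."""
    pseudonym = secrets.token_hex(16)
    key = secrets.token_bytes(32)
    store.records[pseudonym] = (key, personal_data, now)
    ledger.append(ChainEntry(pseudonym, commitment(key, personal_data), now))
    return pseudonym


def verify(store: OffChainStore, ledger: Ledger, pseudonym: str) -> bool:
    """Integrity check of the off-chain record against the chain; impossible once the record is gone."""
    rec = store.records.get(pseudonym)
    entry = ledger.lookup(pseudonym)
    if rec is None or entry is None:
        return False
    key, data, _ = rec
    return hmac.compare_digest(commitment(key, data), entry.commitment)


def erase(store: OffChainStore, pseudonym: str) -> bool:
    """Erasure by crypto-shredding: deleting data and key leaves a chain entry that links to nobody."""
    return store.records.pop(pseudonym, None) is not None


def purge_expired(store: OffChainStore, now: int) -> List[str]:
    """Example 2: retention enforced by an off-chain job (a contract may emit the trigger, not delete)."""
    expired = [p for p, (_, _, t) in store.records.items() if now - t >= store.retention_seconds]
    for p in expired:
        erase(store, p)
    return expired


def dictionary_attack(target_hex: str, candidates: List[str]) -> Optional[str]:
    """Attacker model: test plausible identities against a bare SHA-256 seen on the chain."""
    for c in candidates:
        if hashlib.sha256(c.encode("utf-8")).hexdigest() == target_hex:
            return c
    return None


# Constructed sample data for the demonstration; not real patients.
CONSTRUCTED_PATIENTS = ["Alice Martin", "Bob Dupont", "Chloé Bernard"]


def demo() -> dict:
    ledger = Ledger()
    store = OffChainStore(retention_seconds=30 * 24 * 3600)
    t0 = 1_700_000_000
    p = register(store, ledger, CONSTRUCTED_PATIENTS[0], t0)
    results = {"verify_before": verify(store, ledger, p)}
    # Naive design for comparison: a bare hash of the name written to the chain.
    naive = hashlib.sha256(CONSTRUCTED_PATIENTS[0].encode("utf-8")).hexdigest()
    results["naive_recovered"] = dictionary_attack(naive, CONSTRUCTED_PATIENTS)
    results["keyed_recovered"] = dictionary_attack(ledger.lookup(p).commitment, CONSTRUCTED_PATIENTS)
    # Thirty-one days later the retention job runs; the chain is untouched.
    results["purged"] = purge_expired(store, t0 + 31 * 24 * 3600)
    results["verify_after"] = verify(store, ledger, p)
    results["still_on_chain"] = ledger.lookup(p) is not None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the per-record key, not the hash function, is what makes the chain entry unlinkable: deleting the key is the only act of erasure available once data has been committed to an immutable ledger, so the key must be stored where it can be deleted and must never itself be written on-chain.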
Another key practice is to conduct regular assessments in order to evaluate specific risks related to blockchain implementations and their potential impacts on personal data rights.
Security Challenges and Solutions
Recognising the security challenges that blockchain technology presents, the Guidelines stress the importance of a layered security approach. This involves assessing participant behaviour (who operates nodes and how they are governed), implementing cryptographic security measures (key management, encryption of off-chain data and integrity of on-chain commitments) and managing access to the network and to the off-chain components.
Security strategies include the following.
Conclusion
The EDPB Guidelines provide organisations with strategic methodologies for handling personal data in compliance with GDPR within the blockchain ecosystem. By aligning technological capabilities with legal obligations, these Guidelines aim to encourage responsible data practices that honour individual rights while leveraging the benefits of blockchain technology.
As organisations explore the potential of incorporating blockchain into their functions, a deep understanding of these Guidelines is essential for effectively harmonising GDPR compliance with the innovative capabilities of blockchain technology. By taking the following steps, organisations can navigate the complexities of blockchain while safeguarding personal data and maintaining regulatory compliance.
Tour First, 1 Place des Saisons
TSA 14444
Paris La Défense
92037
France
+33 763 222 900
yael.cohen.hadria@ey-avocats.com www.ey.com