EDPB's Blockchain Guidelines Spark Debate Over Data Protection
The European Data Protection Board (EDPB) has initiated a consultation on Guidelines 02/2025, which address the processing of personal data through blockchain technologies. This consultation, open until June 9, 2025, has sparked debate within the blockchain community due to the tension between the EU’s data protection requirements and blockchain’s core principle of immutability.
Ask Aime: What's the impact of EDPB's 02/2025 guidelines on blockchain and personal data processing in the EU?
The EDPB is an independent European legal body responsible for ensuring the consistent application of EU data protection rules, including the General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive. Its opinions and guidelines, while non-binding, are influential and often shape enforcement and precedent across the EU’s 27 member states, as well as Norway, Liechtenstein, and Iceland.
The Guidelines aim to clarify how blockchain technology should comply with European data protection rights, particularly the right to erasure, known as the right to be forgotten, and data rectification requirements under GDPR. These Guidelines could determine whether the use of blockchain technology by controllers or processors of personal data within the EU is legal and compliant.
According to blockchain’s foundational principle, anyone should be able to verify all blocks, view their data, and nobody should be able to unilaterally alter or erase previous blocks. However, the EDPB’s Guidelines state that if selective deletion of data is not possible, “this may require deleting the whole blockchain”. This interpretation has raised concerns that the technology may become non-compliant in Europe, with nodes potentially illegal to run within the territory.
Marina Markezic, executive director and co-founder of the European Crypto Initiative (EUCI), a nonprofit advocacy group dedicated to shaping pro-industry crypto regulation, comments on the underlying absurdity of deleting blockchains: "This is like asking to delete the internet to enforce privacy".
Just as google removes links from search results while leaving the underlying content untouched to comply with GDPR, blockchain explorers or indexers might be designed to censor some on-chain information in a similar fashion. The data would still exist but it wouldn’t be discoverable as easily.
Blockchains can technically be altered by a mechanism called forking, although traces of their past realities will remain as long as someone keeps a copy of their historical state. Altering the chain is far from straightforward and is hardly a good candidate for a routine compliance tool. The Guidelines acknowledge this complexity and suggest that blockchain systems should be designed to allow personal data to be “effectively rendered anonymous” if erasure is requested by an individual. This recommendation pushes the technology toward privacy-preserving architectures, and away from entirely see-through blockchains.
Most blockchains were not built with privacy in mind. However, the ecosystem around them has changed. Surveillance and discovery tools, some powered by AI, have dramatically increased the ease of linking on-chain and off-chain data. In this context, the absence of privacy becomes not just a technical gap, but a legal vulnerability.
Developers of privacy tools have often faced hostility. Now, the EDPB appears to suggest that privacy features may be necessary for compliance. This contradiction shouldn’t go unnoticed, nor should the resulting opportunity. For once, a regulatory body isn’t just acknowledging privacy tech; it’s naming it as essential to the viability of blockchain.
Markezic notes, “While it is important to engage and respond to the Guidelines, we believe that the real change could happen in the possible future revision of the GDPR, on which we should have more clarity in a few weeks. To be continued.” This revision may become the real battleground. The Guidelines raise hard questions for blockchain developers but also open the door to recognizing privacy as a legal requirement and a design mandate. GDPR’s influence extends far beyond Europe; it has become a global template for data protection, and so may these Guidelines, and the revision to come.
