The European Data Protection Board (EDPB) has taken a significant step towards bridging the gap between blockchain technology and established data protection regulations by approving draft guidelines on how personal data should be stored and shared on blockchains. This move is crucial amid ongoing debates about the compatibility of decentralized technologies with the General Data Protection Regulation (GDPR).
As the EDPB emphasizes, the new guidelines aim to align decentralized technology with GDPR rules, which are designed to protect individuals' personal information. The draft guidelines, which are open for public comment until June 9, 2025, highlight the need for organizations to adopt robust measures to ensure compliance with data protection laws.
According to the EDPB, "Blockchains have certain properties that can lead to challenges when dealing with the requirements of the GDPR." The guidelines specifically advise organizations to avoid storing personal data on blockchains if it risks breaching core data protection principles. This recommendation underscores the importance of Data Protection by Design and by Default, as well as the need for adequate organizational and technical measures.
Organizations are urged to implement technical and structural measures early in the design stages of data processing. The EDPB stresses the significance of transparency, rectification, and erasure of personal data, which must be accounted for at various stages of blockchain processing.
In addition to these guidelines, the EDPB has advised organizations to conduct Data Protection Impact Assessments (DPIAs) before processing any personal data using blockchain technology. This precaution is particularly essential when processing is likely to result in high risks to individuals' rights and freedoms.
Since the guidelines were published, experts have been notably divided over their implications. Some view the EDPB's guidelines as overdue guardrails for blockchain technology, while others argue that they threaten the very essence of decentralization and privacy innovation.
Bryn Bennett, Senior BD at Hacken, a Ukrainian Web3 security firm, commented on the guidelines, stating, "The EDPB’s guidelines are a timely reminder that decentralization doesn't mean deregulation." He emphasized that privacy should be considered a core part of infrastructure rather than an afterthought, warning that projects treating user data casually risk facing legal repercussions and security breaches.
Conversely, Harry Halpin, the founder and CEO of decentralized privacy firm Nym Technologies, expressed strong opposition to the idea of storing personal data on blockchains, stating, "It's a mistake to put personal data on the blockchain." He elaborated that certain use cases, such as digital identity systems or COVID passports, inherently violate privacy and could lead to authoritarianism.
Halpin further argued that personal data should ideally be managed using zero-knowledge proofs off-chain, complemented by network privacy via mixnets. He cautioned against applying data protection laws to blockchain data, asserting that the "right to be forgotten" would necessitate making decentralized blockchains mutable and subject to censorship by regulators. In his view, if regulatory compliance is the goal, then centralized databases would be a more suitable option.
The EDPB's guidelines come at a time when concerns about the security of blockchain technology are growing. While many organizations are aware of the risks associated with blockchain, there is an urgent need to comply with GDPR requirements. Experts have highlighted the necessity of conducting DPIAs to assess the potential risks to individuals' rights and freedoms before engaging in blockchain data processing.
Despite the mixed opinions on the guidelines, the EDPB's statement reflects a broader recognition of the challenges posed by blockchain technology regarding data privacy. The guidelines serve as a crucial reminder that while blockchain offers numerous benefits, it also presents significant risks that must be managed carefully to uphold data protection standards.
As the public comment period progresses, stakeholders across the blockchain and data privacy sectors will likely continue to voice their opinions on the EDPB's proposed guidelines. The outcomes of this dialogue could shape the future of blockchain technology, particularly concerning its relationship with data protection regulations.
In summary, the EDPB's draft guidelines represent a pivotal moment in the ongoing effort to reconcile blockchain technology with GDPR compliance. The emphasis on transparency, data protection by design, and conducting DPIAs underscores the need for a balanced approach that recognizes both the potential of blockchain and the necessity of safeguarding individuals' rights. As the debate unfolds, it remains to be seen how these guidelines will influence the development and adoption of blockchain technology in the years to come.