EU Regulators Face Contradiction on Blockchain Privacy

Regulators in the European Union are tightening the focus on how blockchain networks handle personal data. The European Data Protection Board (EDPB) has published fresh guidance stressing that blockchain projects must follow the same General Data Protection Regulation (GDPR) rules as any other data processor.

Good to know

• EU regulators confirm that blockchain technology must comply with GDPR rules.
• Deleting a blockchain could be necessary if personal data cannot be removed individually.
• Privacy-enhancing technologies and permissioned chains may offer paths to compliance.

The report outlines specific criteria that blockchain operators should consider when evaluating GDPR compliance. The EDPB calls for a clear assessment of whether personal data is stored on the chain and, if so, why blockchain is the chosen method for processing that information. The board also asks whether other, less permanent solutions could work just as well.

A critical issue in the report revolves around data deletion. GDPR requires that personal information be erased once it no longer serves its original purpose or passes its legally allowed retention period. That poses a challenge for many blockchain systems, which are designed to be immutable.

The EDPB states,

“Personal data must be erased once the purposes of the processing has been achieved and any regulatory periods for retention have expired in order to conform to the principle of storage limitation.

Data deletion at the individual level in a blockchain can be challenging and requires ad-hoc engineered architectures. When deletion has not been taken into account by design, this may require deleting the whole blockchain.”

The board recommends examining the type of blockchain in use—whether a public, private, or permissioned network—and exploring options such as zero-knowledge architectures to improve privacy protection. Storing data off-chain and using privacy-enhancing technologies may also help developers stay compliant.

The guidance makes it clear that blockchain does not receive special treatment under EU law. Developers and companies using the technology must think carefully about its impact on data protection. That includes considering how technical and organizational measures are applied, and how those measures align with GDPR requirements from the start of the design process.

There seems to be a contradiction between the call for stronger data protection under GDPR and the surveillance-friendly approach taken under MiCA. Does the EU expect privacy on blockchain only when it suits its regulatory goals? Or will future policies confirm that the bloc is applying double standards?