Europe Moves to Rein In Blockchain Data Access With New Privacy Guidelines

In brief

  • The EDPB has published draft guidelines on how personal data should be stored and accessed on blockchains, aiming to align with GDPR rules.
  • Storing personal data on-chain should be avoided if it risks breaching core data protection principles, the board warns.
  • Experts are split on the impact—some see the rules as overdue guardrails, while others argue they threaten decentralization and privacy innovation.

The European Data Protection Board has approved draft rules governing how personal data is stored and shared on blockchains, marking another step toward aligning decentralized technology with existing standards.

The new guidelines limit access to stored information and align with General Data Protection Regulation (GDPR) protections, according to the EDPB, which ratified the rules this month and opened them for public comment until June 9.

“Blockchains have certain properties that can lead to challenges when dealing with the requirements of the GDPR,” the EDPB said in a version of the guidelines available online. “The guidelines highlight the need for Data Protection by Design and by Default and adequate organizational and technical measures.”

The document added: “As a general rule, storing personal data on a blockchain should be avoided if this conflicts with data protection principles.”

The guidelines come amid ongoing concerns about the security of blockchain technology. GDPR outlines a list of rights for individuals to protect their personal information.

The guidelines advised organizations to implement technical and structure-wide measures early in the design stages of data processing, and emphasized the importance of transparency, rectification, and erasure of personal data.

This includes accounting for the various roles of actors involved in separate stages of blockchain processing of personal data.

The EDPB said that organizations should conduct Data Protection Impact Assessments (DPIAs) before processing any personal data using blockchain technology, where that processing is likely to result in a high risk to the rights and freedoms of individuals.

The board urged organizations to focus on ensuring individuals’ personal data is not made available to an “indefinite number of persons by default.”

Data privacy experts have mixed opinions about blockchain’s role in data privacy and the new guidelines.

Bryn Bennett, Senior BD at Hacken, a Ukrainian Web3 security firm, told Decrypt that “the EDPB’s guidelines are a timely reminder that decentralization doesn’t mean deregulation.” 

“We see privacy as part of core infrastructure—not a post-launch add-on,” Bennett said. “Projects that treat user data casually risk both legal blowback and security breaches. Privacy-by-design, off-chain storage, and proper governance aren’t just best practice—they’re survival tools.”

However, in an interview with Decrypt, Harry Halpin, the founder and CEO of decentralized privacy firm Nym Technologies, said that “it’s a mistake to put personal data on the blockchain.”

“The use-cases I have seen, such as digital identity systems, or worse, COVID passports, inherently violate privacy and lead to authoritarianism,” Halpin said. “Personal data should use zero-knowledge proofs off-chain and have network privacy via mixnets, as we use with payment information on Nym.”

He added: “It is also a mistake to apply data protection laws to data on the blockchain, as the ‘right to be forgotten’ would effectively require decentralized blockchains to be mutable and censored by regulators. If this is the goal, then just use normal centralized databases.” 

Edited by Sebastian Sinclair

Source: https://decrypt.co/315856/europe-blockchain-data-access-new-privacy-guidelines