European Union should dismantle GDPR regulations inconsistent with blockchain technology to avoid missing out on opportunities

European Union should dismantle GDPR regulations inconsistent with blockchain technology to avoid missing out on opportunities

The European Data Protection Board (EDPB) has quietly released Guidelines 02/2025 on the processing of personal data through blockchain technologies, raising concerns within the web3 community. Buried in paragraph 63, a controversial statement suggests that deleting entire blockchains may be necessary when deletion has not been factored into their design – a stipulation that could pose a significant threat to permissionless networks, including Bitcoin and Ethereum.

This statement could effectively render such networks non-compliant with the General Data Protection Regulation (GDPR), the European Union's (EU) privacy gold standard. If implemented, this could have far-reaching implications for the trillions of dollars that flow through cryptocurrency networks annually.

The EDPB's draft guidelines propose that deleting every node is the most effective approach to forgetting a transaction, making permissionless networks potentially difficult to reconcile with GDPR's requirements. This hardline stance has raised eyebrows among blockchain enthusiasts, who argue that decentralized ledgers were never designed with centralized data erasure in mind.

The 2018 GDPR authors assumed that data could be erased from centrally controlled servers, but public blockchains rely on thousands of independent nodes spread across the globe. Changing a single block would compromise the integrity of the chain, potentially clashing with GDPR's "right to be forgotten."

Techniques such as salted hashes, zero-knowledge proofs, and off-chain data pointers are designed to minimize or obfuscate personal information on public blockchains, but the new draft barely addresses these methods. Instead, it emphasizes the need for a "data controller" – an approach criticized for undermining decentralization and permissionless network integrity.

The EU's desire for digital sovereignty and the development of a sovereign cloud could also be at risk. Brussels aims to triple the EU's data-center capacity within seven years and promote the use of cloud-edge technology among businesses. However, if the EDPB deems public blockchains illegal by design, it could inadvertently perpetuate reliance on the U.S.-based cloud giants currently dominating the European market.

Critics claim that the draft guidelines fundamentally threaten the existence of public blockchains across Europe. Removing these networks could stifle innovation, impede mass adoption, and undermine projects that are vital to Europe's digital future.

A more nuanced approach may involve recognizing cryptographic deletion alongside physical erasure, treating validators as processors rather than controllers, and acknowledging that a simple 32-byte on-chain hash is not considered personal data under GDPR. By taking these measures, the EU could align its privacy regulation with the technical realities of blockchain while preserving its sovereign cloud ambitions.

The public-comment portal for the EDPB's draft guidelines is set to close on June 9. Unless the controversial paragraph 63 is reconsidered, there is growing concern that Europe could freeze its digital future, potentially spending the next decade relying on U.S. hyperscalers for its 'sovereign' data, while the rest of the world builds on more auditable, privacy-preserving rails beyond Brussels' reach.

As the clock ticks down, stakeholders across the blockchain ecosystem, policymakers, and investors are encouraged to weigh in on the guidelines, ensuring that Europe's future remains a leader in digital innovation rather than a follower.

1. The EDPB's Guidelines 02/2025 on blockchain technologies could pose a significant threat to permissionless networks like Bitcoin and Ethereum.
2. If implemented, these guidelines could make such networks non-compliant with the GDPR, the European Union's privacy gold standard.
3. The controversial stance suggests that deleting entire blockchains may be necessary for compliance, which could have far-reaching implications for the trillions of dollars that flow through cryptocurrency networks annually.
4. Techniques such as salted hashes, zero-knowledge proofs, and off-chain data pointers are designed to minimize or obfuscate personal information on public blockchains, but the new draft barely addresses these methods.
5. A more nuanced approach may involve recognizing cryptographic deletion alongside physical erasure, treating validators as processors rather than controllers, and acknowledging that a simple 32-byte on-chain hash is not considered personal data under GDPR.
6. Stakeholders across the blockchain ecosystem, policymakers, and investors are encouraged to weigh in on the guidelines before June 9 to ensure Europe remains a leader in digital innovation.

Read also: