The European Union’s data protection board (EDPB) has issued new guidelines on how blockchain technology must comply with the General Data Protection Regulation (GDPR). This could mean the complete erasure of entire blockchain histories in certain cases.
Tough Questions for Blockchain Projects
The EDPB’s guidance raises several key questions that blockchain projects need to address:
- Does your blockchain store personal data? If so, why is blockchain necessary? What are the alternatives?
- What type of blockchain are you using? Is a private or permissioned blockchain sufficient? Could you use a zero-knowledge architecture?
- What security measures are in place? Where is the data stored (on-chain or off-chain)? Are you using privacy-enhancing technologies? If not, why not?
GDPR Compliance Could Mean Deleting the Whole Chain
The EDPB makes it clear that blockchains are not exempt from GDPR. To comply with the regulation’s data deletion requirements, a blockchain might need to be completely wiped if the original design didn’t account for GDPR-compliant data removal. The board states that deleting data at the individual level on a blockchain is difficult and may require deleting the entire chain.
Concerns for Public Blockchains
James Smith from the Ethereum Foundation expressed concerns that these guidelines could threaten the very existence of public blockchains like Ethereum. He argues that the regulations fundamentally misunderstand decentralized technology and could make it illegal for public blockchains to operate in Europe. He’s calling for a strong pushback against these potentially restrictive regulations.