One must imagine blockchain paper. A detail of shredded domestic documents and paperwork in a waste … More paper bin lined with green polythene bag. (Photo by Richard Baker / In Pictures via Getty Images)
In Pictures via Getty Images
On April 14, 2025, the European Data Protection Board (EDPB) opened a consultation on Guidelines 02/2025 that address the processing of personal data through blockchain technologies. Open for stakeholder comments until June 9, 2025, the Guidelines have sparked controversy in the blockchain community by highlighting a long-standing tension: how to reconcile the EU’s data protection requirements with blockchain’s core principle of immutability?
What Is The EDPB And Why These Guidelines Matter
The EDPB is an independent European legal body responsible for ensuring consistent application of EU data protection rules, including the General Data Protection Regulation (GDPR), as well as the Data Protection Law Enforcement Directive. Its opinions and guidelines are non-binding but influential. These often shape enforcement and precedent across the EU’s 27 member states, as well as Norway, Liechtenstein and Iceland.
Through general guidance such as the 02/2025 Guidelines, the EDPB aims to clarify how blockchain technology should comply with European data protection rights, particularly the right to erasure, known as the right to be forgotten, and data rectification requirements under GDPR. These Guidelines could determine whether the use of blockchain technology by controllers or processors of personal data within the EU is legal and compliant.
Erasing The Blockchain To Protect Privacy
Everyone is fighting over our data. Some want more of it, some want less. The picture is muddled. On one hand, building privacy tools meets moral and legal imperatives. On the other, such tools have been criminalized for allegedly breaching other sets of moral principles and laws. Technologists increasingly find themselves choosing which rules and whose values to design for. Who gets to decide what matters more: privacy or the lack thereof?
Florian Glatz, co-founder of EUCI, comments on the Guidelines
Screenshot from X
According to blockchain’s foundational principle, anyone should be able to verify all blocks, view their data, and nobody should be able to unilaterally alter or erase previous blocks. However, the EDPB’s Guidelines state in paragraph 63 that if selective deletion of data is not possible, “this may require deleting the whole blockchain”. Practically unenforceable given the decentralized nature of blockchains, some fear the interpretation may render the technology non-compliant in Europe, with nodes potentially illegal to run within the territory.
Marina Markezic, executive director and co-founder of the European Crypto Initiative (EUCI), a nonprofit advocacy group dedicated to shaping pro-industry crypto regulation since 2020, comments on the underlying absurdity of deleting blockchains: “This is like asking to delete the internet to enforce privacy”.
Reality Is An Illusion
I can grant to the EU that nothing aligns more with privacy than the absence of data. I can also imagine multiple paths leading to this absence that do not necessarily entail the actual erasure of the source data itself, but of its trace. It is however unclear whether these means will be enough to satisfy the EDPB.
Just as Google removes links from search results while leaving the underlying content untouched to comply with GDPR, blockchain explorers or indexers might be designed to censor some on-chain information in a similar fashion. The data would still exist but it wouldn’t be discoverable as easily.
Fork, Worcester, circa 1760.
Heritage Images via Getty Images
Blockchains can technically be altered by a mechanism called forking, although traces of their past realities will remain as long as someone keeps a copy of their historical state. Altering the chain is far from straightforward and is hardly a good candidate for a routine compliance tool. Let’s not try to change the past in the future to comply with present-day rules.
The Guidelines acknowledge this complexity and suggest in paragraph 103 that blockchain systems should be designed to allow personal data to be “effectively rendered anonymous” if erasure is requested by an individual. The recommendation, if taken literally, pushes the technology toward privacy-preserving architectures, and away from entirely see-through blockchains. If giving your data to a centralized private entity is bad, giving your data to the entire world sounds arguably worse.
An Opportunity For Privacy Innovation
Most blockchains were not built with privacy in mind. But the ecosystem around them has changed. Surveillance and discovery tools, some powered by AI, have dramatically increased the ease of linking on-chain and off-chain data. The same address that once looked innocuous may now reveal social ties, location patterns, and financial behavior. In this context, the absence of privacy becomes not just a technical gap, but a legal vulnerability.
Still, developers of privacy tools have often faced hostility. Alexey Pertsev, a developer involved in the Tornado Cash protocol, is currently being prosecuted in the Netherlands for creating software that enables on-chain privacy. Now, the EDPB appears to suggest that privacy features may be necessary for compliance.
Protest in support of Alexey Pertsev, Netherlands
#freealexey
This contradiction shouldn’t go unnoticed, nor should the resulting opportunity. For once, a regulatory body isn’t just acknowledging privacy tech; it’s naming it as essential to the viability of blockchain.
Markezic notes, “While it is important to engage and respond to the Guidelines, we believe that the real change could happen in the possible future revision of the GDPR, on which we should have more clarity in a few weeks. To be continued.”
That revision may become the real battleground. The Guidelines raise hard questions for blockchain developers but also open the door to recognizing privacy as a legal requirement and a design mandate. GDPR’s influence extends far beyond Europe; it has become a global template for data protection, and so may these Guidelines, and the revision to come.
This article is not legal advice, investment advice, or any other form of advice for that matter.