Overview of EDPB Guidelines 02/2025
In an unexpected move last month, the European Data Protection Board (EDPB) released Guidelines 02/2025, focusing on how personal data is managed in relation to blockchain technologies. One particular statement, nestled in paragraph 63, has raised significant alarm within the web3 community: it suggests that if a blockchain is not designed to allow data deletion, it may necessitate the removal of the entire blockchain. This chilling line transforms the General Data Protection Regulation (GDPR) into a potential threat to all decentralized networks, including notable cryptocurrencies like Bitcoin (BTC) and Ethereum (ETH), both of which process vast sums of money annually in the trillions.
Implications of the Guidelines
The implications of such a ruling are profound, as completely erasing every node is currently the only method to ensure that a transaction is forgotten. The guideline effectively renders public blockchains non-compliant by default with GDPR regulations. With public consultations drawing to a close on June 9, the draft guidelines are set to become a foundation for enforcement throughout Europe, potentially shaping the future of digital transactions on the continent.
Historically, GDPR was conceived with the assumption that data was stored on centrally managed servers where operators could delete files as needed. In stark contrast, today’s blockchain systems are decentralized, immutable, and not confined by borders. They depend on numerous independent nodes to maintain their historical integrity, making it virtually impossible to comply with Article 17’s stipulation for a “right to be forgotten” without compromising the very trustworthiness of these networks.
Although there are advanced methods available, like salted hashes and zero-knowledge proofs, to obscure personal data, the new draft overlooks these techniques and erroneously assumes the existence of a singular data controller—an idea that runs counter to the tenets of decentralization.
Challenges to Digital Sovereignty
For the past two years, European officials have been envisioning a sovereign cloud infrastructure designed to prioritize digital autonomy within the EU landscape. Key objectives include:
- Ensuring that by 2030, a significant majority of EU businesses adopt cloud-edge technologies,
- Establishing 10,000 climate-neutral edge nodes.
Moreover, the upcoming Cloud and AI Development Act aims to expand the EU’s data-centre capacity substantially. However, such digital sovereignty is challenged by existing dependencies on dominant providers like Amazon Web Services, Microsoft Azure, and Google Cloud, which control roughly 70% of the EU’s cloud ecosystem.
The Risk to Decentralization
Decentralized cloud architectures, which leverage blockchain to manage incentive-driven infrastructure while ensuring that data remains within European data centers, present a viable alternative to breaking away from this reliance. However, if the EDPB’s guidelines render these blockchain ledgers illegal, it will indeed solidify the dependence on external cloud services that Brussels seeks to overcome.
This draft presents an existential challenge not only to European blockchain initiatives but also poses a significant barrier to future investment in the sector. By designating volunteer validators as data controllers, the risks increase for these individuals and may deter participation in the nodes, undermining the overall security of the networks. Additionally, treating every peer-to-peer connection as a regulated transaction could fracture international consensus and complicate collaborative digital efforts.
Moreover, imposing human intervention on smart contracts threatens to undermine vital innovations in decentralized finance and Environmental Social and Governance (ESG) initiatives—areas that many energy firms are exploring.
Stakeholder Responses and Proposed Solutions
A coalition of stakeholders, including the European Crypto Initiative (EUCI) and Web3Privacy Now, has expressed serious concerns, declaring that these proposed guidelines jeopardize the existence of public blockchains within Europe.
The EU must recognize the consequences of such an inclusion, which may unintentionally stifle its own technological developers. A rational approach would be to accommodate both privacy and decentralization. Solutions could involve:
- The secure destruction of an encryption key, or
- Demonstrating through zero-knowledge proofs that the key cannot be accessed,
which would fulfill Article 17’s requirements while preserving the blockchain’s integrity. The guidelines should also clarify that a 32-byte on-chain hash does not constitute personal data and should categorize validators as processors, not controllers.
Past initiatives, such as the Markets in Crypto-Assets Regulation, have demonstrated that tailored regulations for emerging technologies can be developed without resorting to prohibitive measures. Therefore, eliminating the proposed deletion clause, validating effective key management, and refining the role of validators can help align GDPR with the realities of blockchain technology, all while supporting Europe’s sovereign cloud vision.
Conclusion
As the public-comment period approaches its end, it is crucial that stakeholders push for a reevaluation of paragraph 63. Otherwise, Europe risks facing an era of dependence on U.S. cloud providers to store its so-called sovereign data, while other parts of the world advance with privacy-respecting blockchain innovations. To avoid such a scenario, involvement from developers, investors, and political figures is essential before the EU inadvertently sidelines its potential digital future.
