European Data Protection Board puts blockchain at a GDPR crossroads

Privacy and the ‘right to be forgotten’ clash with blockchain’s permanence

Blockchain is ‘simply a technology like any other’, according to the European Data Protection Board, and so it is not exempt from privacy laws. This stance, reiterated in the board’s April 2025 guidelines, has put public blockchains on a collision course with the European Union’s General Data Protection Regulation.

The GDPR assumes identifiable entities who can control, rectify or erase personal data on request. Public, permissionless blockchains – decentralised ledgers that anyone can join and where data, once added, are immutable – don’t fit neatly into that paradigm. Therefore, tensions have been rising between Europe’s privacy guardians and the blockchain community.

The EDPB’s guidance makes clear there’s no free pass for blockchains under GDPR. Even pseudonymous data count as personal data if they can be linked to an individual. Blockchain’s celebrated features, such as transparency and immutability, become liabilities under GDPR. For example, GDPR prohibits retaining personal data longer than necessary, yet blockchains by design can store data indefinitely.

Likewise, the right to erasure – the famous ‘right to be forgotten’ – clashes with the permanence of blockchain records. GDPR’s principle of data minimisation – collecting only what’s necessary – would also sit awkwardly with globally replicated chains where data is copied across thousands of nodes.

Who is responsible?

A seemingly basic question becomes fiendishly complex on public blockchains. In a traditional database, a company (controller) decides what data to collect, and a processor might handle it on the company’s behalf. But on Bitcoin or Ethereum, no central authority orchestrates the network.

The EDPB acknowledges that permissioned blockchains with a governing entity are easier to fit into GDPR’s roles. For truly permissionless systems, however, the governance model is ‘case-by-case’ as some blockchain nodes ‘do not take instructions from any controller’ and ‘pursue their own objectives’. In other words, miners or validators aren’t just obedient processors but independent actors.

As a remedy, the EDPB suggests that a legal consortium be formed to govern the nodes, effectively acting as the GDPR controller for the chain. Failing that, regulators might deem every node operator a joint controller for the data on the chain. Having thousands of hobbyist node-runners and validators worldwide, all potentially on the hook for GDPR compliance, is a startling proposition. To this, the blockchain community’s answer may lie in an architectural evolution.

From monolithic to modular architectures

Early blockchains like Ethereum were originally monolithic, and each node handled every task (transactions, consensus, data storage) in a single, rigid system. This design was robust but hard to scale or upgrade without disrupting the whole.

Modular blockchains break this model by separating functions across specialised layers. Typically, the architecture separates four functions: transaction execution, where smart contracts and transactions run on secondary networks (Layer-2s/rollups); data availability, which ensures transaction data is published and verifiable; consensus, where the base layer orders transactions and secures the network; and settlement, which finalises results from the secondary layers, with the base chain often acting as the settlement layer.

This modularity boosts performance and adaptability, as different layers can be upgraded independently. Critically, it aims to solve the ‘blockchain trilemma’: achieving better scalability without sacrificing decentralisation or security.

Ethereum’s evolution illustrates this shift towards modular blockchains. Its pivot began with The Merge in 2022, which moved the network to proof-of-stake and laid the groundwork for modular scaling. Its roadmap now embraces a ‘rollup-centric’ model in which most transactions will be processed on Layer-2 networks (such as Optimism or ZKsync), then posted to Ethereum for final security and settlement. In effect, Ethereum is becoming the secure backbone of a modular ecosystem, while smart contract execution happens on specialised sub-networks. This kind of architecture offers more sophisticated functionality and allows for the kind of throughput and low fees that make DeFi and asset tokenisation feasible.

Challenging the traditional notion of the data controller

GDPR’s concept of a ‘data controller’, the entity determining why and how personal data are processed, is central to accountability. But on public blockchains, this model breaks down. If a DeFi app processes personal data, who is the controller? The code, its anonymous developer, users or all validators? The EDPB’s draft guidelines warn that in permissionless blockchains, all node operators might be joint controllers, an unworkable notion when thousands of nodes are involved.

However, a pathway for compliance is possible. Should we force-fit decentralised networks into GDPR’s categories or adapt the law for decentralisation? Resolving this is key to scaling blockchain’s role in finance without regulatory deadlock.

Policy innovation to avoid overregulation

Rather than tie blockchain in impossible GDPR knots or ban certain uses, experts are seeking a pragmatic third way – as with Alexander the Great’s approach to the Gordian knot – to rethink the problem entirely. The European Blockchain Association recently published recommendations in response to the EDPB’s guidance, proposing privacy-preserving design that supports innovation.

Our approach centres on the principle that personal data should be kept off-chain wherever possible. User-facing services (wallets, dApps) would store identifiable data off-chain, while the blockchain itself would only contain references, hashes or encrypted proofs. For example, an age verification would yield a cryptographic proof, never the person’s name or birthdate on-chain.
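As an added illustration of this off-chain/on-chain split, the Python model below is not code from the article or from the European Blockchain Association. The off-chain store, the append-only ledger, the issuer key and the HMAC-based ‘over 18’ claim (a stand-in for a digital signature or zero-knowledge proof) are all constructed assumptions. It registers a person with a salted commitment on the ledger, records an age claim without the birthdate, shows that deleting the off-chain record leaves the ledger entry unlinkable, and includes a check of why an unsalted hash of a birthdate would still count as personal data.

```python
# Added example, not from the article or the European Blockchain Association:
# a toy model of the off-chain / on-chain split. Personal data stays in an
# erasable off-chain store; the append-only ledger holds only salted
# commitments and an issuer's 'over 18' claim. Every name, key and date here
# is constructed for illustration.
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# --- the two storage tiers ---------------------------------------------------
OFF_CHAIN: Dict[str, Tuple[bytes, bytes]] = {}  # commitment -> (salt, personal data); erasable
LEDGER: List[dict] = []                          # append-only; entries are never removed


def commitment(personal: bytes, salt: bytes) -> str:
    """Hiding commitment: SHA-256 over a random 32-byte salt and the data."""
    return hashlib.sha256(salt + personal).hexdigest()


def register(name: str, birthdate_iso: str) -> str:
    """The controller keeps identity off-chain and publishes only the commitment."""
    salt = secrets.token_bytes(32)
    personal = f"{name}|{birthdate_iso}".encode()
    c = commitment(personal, salt)
    OFF_CHAIN[c] = (salt, personal)
    LEDGER.append({"type": "register", "commitment": c})
    return c


def erase(c: str) -> None:
    """Erasure request: delete salt and data off-chain. The ledger entry remains,
    but nothing is left that can tie it to a person."""
    OFF_CHAIN.pop(c, None)


def can_link(c: str, name: str, birthdate_iso: str) -> bool:
    """Can the controller still tie ledger entry c to this person? Only while the salt exists."""
    if c not in OFF_CHAIN:
        return False
    salt, _ = OFF_CHAIN[c]
    return commitment(f"{name}|{birthdate_iso}".encode(), salt) == c


# --- age verification without a birthdate on-chain ---------------------------
ISSUER_KEY = b"constructed-issuer-key"  # stand-in for a real issuer signing key


def _age(birthdate: date, today: date) -> int:
    return today.year - birthdate.year - ((today.month, today.day) < (birthdate.month, birthdate.day))


def attest_over_18(c: str, today_iso: str) -> bool:
    """The issuer checks the birthdate off-chain and posts only a keyed claim.
    HMAC stands in for a digital signature or a zero-knowledge proof."""
    if c not in OFF_CHAIN:
        return False  # nothing to verify once the record is erased
    _, personal = OFF_CHAIN[c]
    birthdate = date.fromisoformat(personal.decode().split("|")[1])
    if _age(birthdate, date.fromisoformat(today_iso)) < 18:
        return False
    tag = hmac.new(ISSUER_KEY, f"{c}|over18".encode(), hashlib.sha256).hexdigest()
    LEDGER.append({"type": "claim", "commitment": c, "claim": "over18", "tag": tag})
    return True


def verify_claim(entry: dict) -> bool:
    """A relying party checks the claim with the issuer's key; the birthdate is never revealed."""
    msg = f"{entry['commitment']}|{entry['claim']}".encode()
    expected = hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry["tag"])


# --- why a plain hash is not enough ------------------------------------------
def unsalted_hash(birthdate_iso: str) -> str:
    """What a naive design might put on-chain: SHA-256 of the birthdate alone."""
    return hashlib.sha256(birthdate_iso.encode()).hexdigest()


def find_birthdate(target_hex: str) -> Optional[str]:
    """Linkability check: a birthdate has only ~46,000 plausible values, so an
    unsalted hash of it is recovered by enumeration and remains personal data.
    Run against a salted commitment from register(), the same search finds nothing."""
    day = date(1900, 1, 1)
    while day <= date(2025, 12, 31):
        iso = day.isoformat()
        if unsalted_hash(iso) == target_hex:
            return iso
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    alice = register("Alice Example", "2000-05-17")
    attest_over_18(alice, "2025-01-01")
    print("claim verifies:", verify_claim(LEDGER[-1]))
    erase(alice)
    print("still linkable after erasure:", can_link(alice, "Alice Example", "2000-05-17"))
    print("unsalted hash recovered as:", find_birthdate(unsalted_hash("2000-05-17")))
    print("salted commitment recovered as:", find_birthdate(alice))
```

The salt is what makes this work: with 32 random bytes held only off-chain, the commitment cannot be enumerated, so once the controller deletes the salt the ledger entry no longer identifies anyone, even though it is still there. A real deployment would replace the HMAC with a signature or a zero-knowledge proof so that relying parties need no shared secret, but the division of what sits where is the same.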

A new legal interpretation of blockchain’s roles under GDPR is essential. Application-layer actors may decide how personal data is processed, while lower-level infrastructure – validators, nodes and Layer-2 networks – should be viewed like postal workers delivering sealed letters, who are not liable for content they cannot see. Clear role definitions would help prevent decentralised networks from being burdened with compliance obligations they cannot meaningfully meet, while preserving the accountability that users rightly expect.

Together, these measures form a pragmatic vision for privacy-aware public blockchains – minimising data exposure through technical design while adapting legal frameworks to reflect decentralised architectures. Crucially, this does not require new legislation, but rather a thoughtful application of GDPR’s existing principles in this new context.

Whether European regulators embrace this balanced path remains to be seen, amid growing recognition that heavy-handed approaches could drive innovation offshore. Striking this balance demands finesse and reflects the broader challenge of modernising 20th-century legal frameworks for 21st-century decentralised technologies.

For GDPR, this means adapting enforcement to technical realities rather than forcing technology into legacy legal structures. Public blockchains, increasingly supported by modular architectures and privacy-preserving techniques, can align with GDPR’s goals if regulation evolves in parallel.

Ultimately, the challenge is not to force compliance through blunt means, but to ensure that privacy and innovation can coexist. The opportunity is there for Europe to lead, provided regulators and technologists work together to get it right.

Read the full consultation reply from the European Blockchain Association.

Erwin Voloder is Head of Policy and Eugenio Reggianini is Head of Growth at the European Blockchain Association.

Interested in this topic? Subscribe to OMFIF’s newsletter for more.
