Europe Tightens the Screws on Blockchain Privacy—New Rules Could Reshape Crypto’s Transparency
EU regulators unveil strict data access controls for blockchain networks, forcing developers to rethink decentralization. Critics warn the guidelines may clash with crypto’s ethos—while banks quietly cheer another compliance hurdle for their upstart rivals.
The guidelines come amid ongoing concerns about the security of blockchain technology. GDPR outlines a list of rights for individuals to protect their personal information.
The guidelines advised organizations to implement technical and structure-wide measures early in the design stages of data processing, and emphasized the importance of transparency, rectification, and erasure of personal data.
This includes accounting for the various roles of actors involved in separate stages of blockchain processing of personal data.
The EDPB said that organizations should conduct Data Protection Impact Assessments (DPIAs) before processing any personal data using blockchain technology. This is presuming that processing is likely to result in a high risk to the rights and freedoms of individuals.
The board urged organizations to focus on ensuring individuals’ personal data is not made available to an "indefinite number of persons by default."
Data privacy experts have mixed opinions about blockchain’s role in data privacy and the new guidelines.
Bryn Bennett, Senior BD at Hacken, a Ukrainian Web3 security firm, told Decrypt that "the EDPB’s guidelines are a timely reminder that decentralization doesn’t mean deregulation.”
“We see privacy as part of CORE infrastructure—not a post-launch add-on,” Bennet said. “Projects that treat user data casually risk both legal blowback and security breaches. Privacy-by-design, off-chain storage, and proper governance aren’t just best practice—they’re survival tools.”
However, in an interview with Decrypt, Harry Halpin, the founder and CEO of decentralized privacy firm Nym Technologies, said that “it’s a mistake to put personal data on the blockchain.”
“The use-cases I have seen, such as digital identity systems, or worse, COVID passports, inherently violate privacy and lead to authoritarianism,” Halpin said. “Personal data should use zero-knowledge proofs off-chain and have network privacy via mixnets, as we use with payment information on Nym."
He added: "It is also a mistake to apply data protection laws to data on the blockchain, as the ’right to be forgotten’ would effectively require decentralized blockchains to be mutable and censored by regulators. If this is the goal, then just use normal centralized databases.”
Edited by Sebastian Sinclair
