Facing the Rapid Development of Blockchain and Artificial Intelligence (AI) Technologies
In response to the rapid development of blockchain and artificial intelligence (AI) technologies, the European Data Protection Board (EDPB) took action during its plenary meeting in April 2025, releasing new guidelines for the processing of personal data using blockchain technology. It also announced a collaboration with the AI Office to develop guidance on the interaction between the AI Act and EU data protection laws.
Compliance with GDPR: New Guidelines for Blockchain Data Processing Officially Released
Blockchain, as a decentralized digital ledger technology, can confirm transactions and prove ownership of digital assets (such as cryptocurrencies) at a certain point in time. It is also commonly used to securely manage and transmit data, ensuring its integrity and traceability.
As blockchain applications become increasingly widespread, the EDPB believes it is necessary to assist organizations using this technology to ensure compliance with the General Data Protection Regulation (GDPR). The new guidelines provide an in-depth analysis of how blockchain operates, various architectural types, and the potential impacts of these designs on personal data processing.
Data Protection Must Be Considered from the Design Stage
The EDPB emphasizes that appropriate technical and organizational measures must be introduced at the early design stage of data processing to prevent future data protection issues. Additionally, organizations should clarify the roles and responsibilities of all parties involved in the data processing process when designing blockchain processing workflows.
If the processing of personal data on the blockchain poses a high risk to individual rights and freedoms, organizations must conduct a Data Protection Impact Assessment (DPIA) in advance to proactively identify and mitigate potential risks.
Reducing the Risk of Data Breaches is Paramount
According to the guidelines, organizations should ensure that personal data on the blockchain is protected to the highest level, avoiding data being open by default to unrestricted populations.
The EDPB also provides various examples of data minimization techniques, illustrating how to properly handle and store personal data. In principle, if storing personal data on the blockchain could conflict with data protection principles, it should be avoided whenever possible.
Furthermore, the guidelines specifically highlight the need to safeguard individuals’ rights to data transparency, data correction, and data deletion, as these fundamental rights can be particularly easy to overlook within the blockchain framework, requiring additional attention.
Improper Design May Require Deleting the Entire Chain?
The guidelines state that personal data must be deleted after the processing purpose has been achieved and any legal retention period has expired to comply with the storage limitation principle. After the legal retention period has expired, personal data must be deleted to adhere to the storage limitation principle.
In blockchain, deleting individual data can be challenging and requires specially designed architectures. When deletion functionality has not been considered during the design phase, special engineering structures may need to be adopted to implement it, and it may even require deleting the entire blockchain.
If compliance design for on-chain and off-chain data has been considered and data protection has been accounted for in the design, it may be possible to prevent future identification of data subjects through the deletion of off-chain data, depending on the specific method chosen and the concrete facts. Regardless of which storage limitation method is chosen, compliance must be ensured. If this requires deleting a part of the blockchain, including deleting nodes or any copies held by other parties, controllers must ensure that sufficient technical and organizational measures are in place to execute this operation.
Public Consultation Open Until Early June
This blockchain data processing guideline is currently open for public consultation, with a deadline of June 9, 2025. The EDPB invites all stakeholders to provide feedback to make the final version more aligned with practical needs.
EDPB Collaborates with the AI Office to Develop New AI Regulations
In addition to releasing new guidelines for blockchain technology, the EDPB also announced during this plenary meeting that it would work closely with the recently established AI Office to jointly draft guidance on the integration of the AI Act and existing data protection regulations. In the future, as AI applications continue to expand, this interdisciplinary collaborative document will become an important reference for businesses and developers.
Risk Warning
Investing in cryptocurrencies involves high risks, and prices can fluctuate dramatically, resulting in a total loss of principal. Please assess risks carefully.