EDPB Tackles Blockchain Privacy Challenges & Prepares to Weigh In on AI Act

Key Takeaways
  • EDPB Adopts Blockchain Guidelines: The Board’s new guidance helps organisations understand how to comply with GDPR when using blockchain technologies.
  • Privacy Must Be Baked In: The guidelines stress the importance of “privacy by design,” including DPIAs, role assessments, and technical safeguards from the start.
  • Avoid Putting Personal Data on Chain: Storing personal data directly on a blockchain should generally be avoided to uphold data minimisation and erasure rights.
  • Individual Rights Come First: Transparency, rectification, and erasure remain essential—even in decentralised systems.
  • AI Guidance on the Horizon: The EDPB is teaming up with the AI Office to provide clarity on how the AI Act and data protection rules work together.
Deep Dive

The European Data Protection Board (EDPB) is stepping into the blockchain arena with new guidance aimed at helping organizations navigate the thorny intersection of distributed ledger technology and EU privacy law. In its April plenary, the Board officially adopted guidelines on the processing of personal data via blockchain, and signaled it’s ready to collaborate with the newly established EU AI Office on upcoming guidance around the AI Act.

If that sounds like a lot of acronyms and regulatory buzzwords, what it really means is that Europe is laying the groundwork to ensure that innovation doesn’t come at the expense of privacy.

A GDPR Reality Check for Blockchain

Blockchain has long been hailed for its ability to record transactions securely, track digital assets, and ensure the integrity of data. But for data protection professionals, it’s always been something of a puzzle. After all, how do you guarantee someone’s right to be forgotten on a system designed to be immutable?

The EDPB’s new guidelines don’t pretend to have a magic solution, but they offer something just as useful: a clear, structured way for organizations to approach GDPR compliance when experimenting with or deploying blockchain technologies. The guidance walks through different types of blockchain architecture, spells out who might be considered a controller or processor, and calls for proactive risk management.

A key message? Don’t wait until after you’ve deployed a blockchain system to start thinking about privacy. Organizations are expected to bake in technical and organisational safeguards from the design stage, and to carry out a Data Protection Impact Assessment (DPIA) if there's any chance the blockchain processing could put people’s rights at risk.

The Board also takes aim at a common (and risky) practice: storing personal data directly on-chain. While it might seem convenient, it could clash with several core GDPR principles, including data minimization and the right to erasure. In short, if you’re building a blockchain-based system, you need to think twice before immortalizing anything personal on the ledger.

Privacy by Design, Not as an Afterthought

The guidance urges developers and businesses alike to think critically about how personal data is collected, handled, and shared. Who can access it? Can it be modified or deleted? Are individuals being given the transparency they’re owed under the GDPR?

The EDPB doesn’t just point out the problems; it offers practical suggestions. Examples include ways to limit data exposure, design smart contracts more responsibly, and use off-chain solutions where necessary to strike the right privacy balance.

And while the guidance leans heavily into GDPR compliance, it never loses sight of the human impact. The rights of individuals, especially their rights to transparency, rectification, and erasure, are placed front and center, no matter how novel the tech.

The guidelines are now open for public consultation until 9 June 2025, giving privacy professionals, tech developers, and industry groups a chance to weigh in before they’re finalized.

Eyes on the AI Act

In the same meeting, the EDPB made it clear it’s not stopping with blockchain. The Board announced plans to work hand-in-hand with the EU’s AI Office to help shape forthcoming guidance on how the AI Act (Europe’s landmark new law on artificial intelligence) will interplay with existing data protection rules.

With the AI Act expected to significantly reshape how companies develop and deploy AI systems across the bloc, the need for clarity around data protection obligations is growing more urgent by the day.
