On April 8, 2025, the European Data Protection Committee (EDPS) published crucial guidelines on the use of blockchain in relation to the General Data Protection Regulation (GDPR). This text, which is regularly updated and open for consultation until June 9, 2025, highlights the importance of framing emerging technologies while respecting the fundamental rights of individuals.
Indeed, the inherent characteristics of blockchain, such as its immutability and decentralization, pose major challenges for compliance with the RGPD, particularly with regard to data retention and erasure rights. Thus, the issue of data protection within this technical infrastructure also raises questions of digital sovereignty in Europe. The EDPS's ambition is to establish an ethical and practical framework enabling innovation without giving up citizens' rights.
In this article, we'll explore the challenges blockchain poses to data protection regulation, the EDPS's recommendations for ensuring RGPD compliance, and the interplay between digital sovereignty and technological advances.
If you would like to hire a RGPD lawyer, contact me!
What challenges does blockchain pose to the RGPD?
Blockchain is often celebrated for its technical features, such as decentralization and immutability. Yet these very traits raise significant challenges for compliance with the General Data Protection Regulation (GDPR). The EDPS guidelines identify several major sticking points between blockchain and the requirements of the GDPR.
First of all, limiting data retention is a central challenge. Under Article 5(1)(e) of the GDPR, personal data must be kept for no longer than is necessary for the purposes for which it is processed. However, once a piece of data is registered on a blockchain, its immutable nature makes it difficult, if not impossible, to delete it in isolation. This directly contradicts the temporal limitation requirement.
- Right to erasure and rectification: The immutability of transactions makes it particularly difficult to exercise the right to erasure (right to be forgotten) and rectification. Inaccurate personal data recorded on the blockchain cannot be modified without compromising the integrity of the register.
- Identifying the data controller: The decentralized nature of blockchain makes it difficult to identify a data controller. On so-called permissionless blockchains, is it possible to define who makes decisions concerning data processing? This raises important questions.
- Data minimization and confidentiality: The very nature of blockchain, which operates with great transparency, can lead to tensions with the principle of data minimization, as prescribed by Article 5(1)(c) of the RGPD. Consequently, it is crucial to Strictly control the information put on-chain.
- International data transfers: A blockchain network by definition has no borders. This characteristic poses serious compliance issues with the requirements for transferring data outside the EU set out in Chapter V of the RGPD, especially in the case of public blockchains.
The EDPS insists that the absence of an obvious controller or the technical irremediability of data does not exempt blockchain players from their responsibility towards the RGPD. The need to adopt technical and organizational solutions to manage these challenges therefore becomes essential.
The question therefore arises as to how industry players can navigate this complex environment and what recommendations can be implemented to achieve effective RGPD compliance while continuing to innovate.
What recommendations does the EDPS have for reconciling blockchain and RGPD?
As part of the challenges outlined above, the European Data Protection Committee (EDPS) has issued recommendations aimed at enabling compliance between blockchain and the RGPD. These guidelines, while still under consultation, offer valuable insights for industry players looking to navigate this complex legal landscape.
First of all, the EDPS stresses the importance of integrating data protection principles right from the design stage of blockchain solutions. This approach, known as Privacy by Design, requires systematic consideration of how personal data is collected, processed and stored. For example:
- Minimal data collection: limit data collection to that which is strictly necessary for the intended purpose.
- Explicit consent: Ensure that the consent of data subjects is clearly and unambiguously obtained before any processing of personal data.
- Information notice: to inform users about how their data will be used, and about their data protection rights.
In addition, the EDPS recommends the use of emerging technologies to enhance data protection, such as :
- Advanced encryption: Protect sensitive data with encryption methods, ensuring that even in the event of unauthorized access, data remains unintelligible.
- Smart contracts: Using smart contracts to automate compliance processes, making the management of individual rights more efficient while preserving the integrity of the blockchain.
It is also essential to maintain good data governance. This involves:
- Identifying responsibilities: Appoint a manager within the organizations involved in blockchain to manage RGPD compliance.
- Audit and documentation: Set up regular audit mechanisms to assess the compliance of blockchain solutions with data protection legal requirements.
These recommendations, while technical, address crucial issues of digital sovereignty and fundamental rights. As Europe strives to balance innovation and the protection of individuals, it is imperative that blockchain players adopt these guidelines.
We'll now explore how digital sovereignty is shaping the future of blockchain technologies in Europe and the implications that flow from this.
How is digital sovereignty shaping the future of blockchain technologies in Europe?
The notion of digital sovereignty has become a central issue in European politics, directly affecting the development and application of blockchain technologies. As the world becomes increasingly interconnected, concerns about data protection, security andtechnological independence have soared. The EU aims to build a digital space that respects the fundamental values it promotes, and blockchain is seen as a key tool in this quest.
One of the key aspects of digital sovereignty is data governance. The EU seeks not to leave European citizens' data exposed to outside legislation. Consequently, blockchain infrastructures should be located and controlled by trusted entities within the EU. This framework is essential to ensure that the rules of the GDPR are fully complied with, particularly with regard to the international transfer of data mentioned in Chapter V of the GDPR. A blockchain registry located outside the EU could potentially expose data to a risk of non-compliance.
- Permissioned blockchains: The EDPS recommends the use of permissioned blockchains, where access and write rights are regulated. This maintains the responsibility of the actors participating in the network, while facilitating the identification of the person responsible for data processing.
- Interoperability: Promotinginteroperability between different blockchain solutions within the EU is also essential. This would avoid vendor lock-in and enable the circulation of information while keeping data under European control.
- Transparency and traceability: with digital sovereignty comes the need for transparency in data management. Blockchain-based solutions, by their very nature, enable reliable traceability, essential for restoring user confidence.
In addition, initiatives such as the EBSI (European Blockchain Services Infrastructure) project aim to create reliable and secure digital services, thus strengthening the foundations of digital sovereignty. By adopting a solid legal framework and promoting technologies that respect fundamental rights, Europe aspires to become a leader in the field of ethical blockchains.
In conclusion, how the EU shapes its digital sovereignty will have a decisive impact not only on RGPD compliance but also on the future of blockchain technologies in its entirety. In doing so, the EU could set the course for a model to follow globally, combining innovation and respect for human rights.
