Clifford Chance

Talking Tech

EDPB Draft Guidelines on Personal Data Processing through Blockchain

Blockchain & DLT | Data Privacy | 5 June 2025

The European Data Protection Board's (EDPB) draft guidelines on processing personal data through blockchain are open for consultation until June 9, 2025. These Draft Guidelines aim to clarify how the EU General Data Protection Regulation (GDPR) applies to blockchain-based processing of personal data and provide recommendations to data controllers in relation to some aspects of GDPR compliance. While they acknowledge the data protection challenges arising from the fundamental characteristics of public blockchains, including their distributed nature and immutability, the Draft Guidelines emphasise that "technical impossibility cannot be invoked to justify non-compliance with GDPR requirements". The Draft Guidelines have caused significant concerns for various actors operating through the public blockchain ecosystem, in particular a concern that if the guidelines are adopted as proposed, this could have a stifling impact on financial innovation and the growth of digital asset markets.

Blockchain and GDPR

GDPR imposes (differing) requirements on data processors and data controllers. These are defined as:

  • 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Issues in reconciling data protection laws and blockchain technology have been a focal point of academic and regulatory debate for some time. Challenges include:

  • Assigning accountability in a decentralised public network, including identification of controllers, joint controllers and processors and putting in place agreements and protective measures required by the GDPR (such as controller-processor terms and, for certain international data transfers, standard contractual clauses for data transfer)
  • Application of certain GDPR requirements in distributed ledgers' "immutable" architecture, including how to adhere to principles of time-limited storage of personal data and data accuracy, and how to give effect to the right to data rectification and the (qualified) right to data erasure.

In respect of all the issues listed above, other broad GDPR requirements also apply – such as "Privacy by Design and by Default", which requires controllers to implement context-specific measures to implement data protection principles and secure the rights of data subjects.

The Draft Guidelines – some key issues and concerns

The Draft Guidelines discuss the issues above, alongside other points such as legal bases for data processing, data security, data protection impact assessments and rights to object to solely automated decisions. They include recommendations on how certain GDPR requirements might be addressed, including recommendations that data controllers:

  • Carry out and document an assessment of whether data on the blockchain will contain personal data, whether the use of a blockchain is a necessary and proportionate means of data processing, what level of decentralisation of a given blockchain (public vs private) should be used and what data protection measures will be taken; and
  • Ensure that: (i) the data stored directly on-chain (including transaction metadata) does not allow the direct identification of the data subject (i.e. the individual connected to the blockchain transaction); and (ii) it is possible to erase all copies of any additional off-chain data that would, with means reasonably likely to be used, allow for indirect identification of the data subject, thereby rendering anonymous the data that remains on-chain.

For many node operators and entities deploying applications on blockchain (together referred to here as blockchain participants), concerns arising from the Draft Guidelines include:

  • The Draft Guidelines fall short of representing the nuanced diversity of blockchain participants and their interactions within the blockchain environment. For example, the Draft Guidelines state that they "aim to provide practical guidance to controllers planning to use blockchain technology", but unavoidably the Draft Guidelines impact potential processors too, without providing direct guidance to them. Additionally, the Draft Guidelines provide limited guidance on controller/processor identification in the blockchain context, largely referring to other guidelines on this topic. While this will be welcomed by some as allowing for greater flexibility in fact-specific analysis, others will consider it a missed opportunity to build consensus on roles in multi-layered blockchain ecosystems.
  • Several parts of the Draft Guidelines are written with the intention of guiding an organisation that is deciding what type of blockchain to design or use. In this respect, the Draft Guidelines recommend selection of permissioned blockchains (as opposed to public permissionless blockchains) for clearer allocation of responsibilities from a data protection perspective. The Draft Guidelines leave a gap in terms of practical recommendations for compliance in the context of existing use of permissionless blockchain. Indeed, statements in the guidelines discouraging use of permissionless blockchain have re-surfaced discussions around the GDPR in the context of European competitiveness and innovation.
  • The Draft Guidelines maintain a broad interpretation of "personal data": "If the user is a natural person and those public keys can be used to identify the individuals by means reasonably likely to be used, for example in case of a data breach, then those identifiers qualify as personal data." This suggests that very few actors involved in blockchain activities would escape being considered a controller or processor of personal data – with resulting compliance challenges e.g. around the putting in place of controller-processor agreements, standard contractual clauses for data transfer and the like between the various actors in multilayered blockchain ecosystems.

What constitutes personal data within the blockchain and does that vary for different actors?

For certain participants in the blockchain ecosystem a fundamental discussion point in the Draft Guidelines is likely to be a basic one: what constitutes personal data within the blockchain and does that vary for different actors? The answer to this will determine the applicability of the GDPR to specific blockchain activities. In particular, it will be relevant to the processing of on-chain data by a person or entity who may not have reasonable means of accessing other data that is needed to link this information to a natural person – as may be the case for node operators, for example. The query comes at an interesting moment, when the definition of "personal data" is under discussion in a case that is currently awaiting judgement of the Court of Justice of the European Union (CJEU) and in relation to which Advocate General Spielmann has recently given an opinion (Advocate General Spielmann's Opinion in the Court of Justice of the European Union (CJEU) case C-413/23 EDPS v. SRB).

Summary of the case and appeal:

  • Advocate General Spielmann's opinion relates to an appeal of the judgment in case C-413/21 which was delivered by the General Court of the CJEU in 2023 regarding an enforcement decision by the European Data Protection Supervisor (EDPS) under Regulation 2018/1725, which governs personal data processing by EU institutions, bodies etc. As this regulation is largely aligned with the GDPR and the definition of personal data under it is the same as that provided under GDPR, the line of reasoning set out in the Opinion would be equally relevant under the GDPR.
  • In the 2023 decision, the General Court held that it is necessary to consider the data recipient's perspective in order to assess whether pseudonymized data disclosed to that recipient relates to 'identifiable persons' and thus constitutes personal data. To that end, it must be determined whether the recipient had reasonable means to combine the information that has been disclosed to it (and which does not in itself allow the recipient to identify the data subject) with additional information to identify the data subject. (For more, see our article on this case here.) The EDPS, supported by the EDPB, has appealed this decision. The CJEU is expected to deliver its judgment on this case later this year.

What did the AG say?

Consistent with the General Court's view, Advocate General Spielmann's opinion supports an interpretation of personal data that is based on the perspective of the data recipient. The Advocate General states: "…it seems to me disproportionate to impose on an entity, which could not reasonably identify the data subjects, obligations arising from Regulation 2018/1725, obligations which that entity could not, in theory, comply with or which would specifically require it to attempt to identify the data subjects." (para 58). However, the Opinion does not contain substantive analysis of what would constitute "reasonable means" for identifying data subjects.

What could that mean for blockchain?

Many blockchain operators only process data which cannot be directly linked to an individual (with the link to identify individuals held uniquely by other blockchain operators). Therefore, the impact of the CJEU case cited above could be significant for parts of the blockchain community if it provides further clarity on what would fall within the scope of "reasonable means likely to be used" to access data held by another entity. (This point has been examined in other cases, notably Patrick Breyer v Bundesrepublik Deutschland, in which the CJEU held that if available means require a disproportionate effort in terms of time, costs and manpower, or if the identification of the data subject is prohibited by law, the risk of identification is insignificant and data shall not be considered 'personal data'.)

Next Steps

Comments on the guidelines are invited by the EDPB until 9 June. Thereafter, the EDPB will consider the comments it receives and may make amendments to the Draft Guidelines before adopting them in final form. In addition to considering whether and how to provide feedback on the consultation, organisations operating blockchains or running applications on blockchain should review their GDPR compliance approach, including in light of the final form of the EDPB blockchain guidelines (once adopted) and any relevant clarifications on the scope of personal data that may emerge from the CJEU in Case C-413/23.