Can Blockchain Be GDPR-Compliant? Europe Offers Tough Privacy Direction


EU’s EDPB issues strict GDPR guidelines for blockchain, urging off-chain storage, encryption, and protection of personal data across decentralized networks.

The European Data Protection Board (EDPB) has unveiled stringent new guidelines aimed at managing the processing of personal data within blockchain technologies. The guidelines emphasize GDPR compliance amid growing blockchain adoption.

In a new move that took effect on April 14, the EDPB highlights the significant complexities of integrating blockchain with GDPR principles. The guidelines underscore the challenge of balancing blockchain’s inherent immutability and decentralization, on one hand, with personal data protection requirements, on the other.

Off-Chain Data Storage

The EDPB stresses avoiding direct storage of personal data on blockchain, recommending off-chain storage coupled with robust cryptographic methods to protect privacy. Advanced techniques, such as encrypted storage, salted hashes, and cryptographic commitments, are suggested to ensure that personal data cannot be readily traced or misused.
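The pattern described above can be sketched as follows. This is an added example, not code from the EDPB guidelines or this article: the names `OffChainStore`, `commitment`, `verify` and `guess_matches` are hypothetical, the dict `ledger` stands in for an append-only chain, and the e-mail address is a constructed sample. It shows why the salt matters: an unsalted hash of a low-entropy value can be confirmed by guessing, while a salted commitment stops verifying and stops being guessable once the off-chain data and salt are deleted.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 32  # fixed length keeps salt || data unambiguous


def commitment(salt: bytes, data: bytes) -> str:
    """Salted hash that is the only value written to the chain."""
    return hashlib.sha256(salt + data).hexdigest()


class OffChainStore:
    """Mutable controller-side store holding personal data and per-record salts."""

    def __init__(self):
        self._rows = {}  # record_id -> (salt, data)

    def put(self, record_id: str, data: bytes) -> str:
        salt = secrets.token_bytes(SALT_LEN)  # fresh random salt per record
        self._rows[record_id] = (salt, data)
        return commitment(salt, data)

    def get(self, record_id: str):
        return self._rows.get(record_id)

    def erase(self, record_id: str) -> bool:
        # Erasure request: drop both the data and the salt.
        return self._rows.pop(record_id, None) is not None


def verify(store: OffChainStore, ledger: dict, record_id: str) -> bool:
    """Recompute the commitment from off-chain data and compare with the chain."""
    row = store.get(record_id)
    if row is None or record_id not in ledger:
        return False
    return hmac.compare_digest(commitment(*row), ledger[record_id])


def guess_matches(ledger_value: str, candidates) -> bool:
    """Dictionary test that anyone reading the ledger can run without a salt."""
    return any(hashlib.sha256(c).hexdigest() == ledger_value for c in candidates)


def demo() -> dict:
    store, ledger = OffChainStore(), {}  # ledger models the immutable chain
    email = b"alice@example.org"         # constructed sample value
    ledger["r1"] = store.put("r1", email)
    unsalted = hashlib.sha256(email).hexdigest()  # the weak alternative
    before = verify(store, ledger, "r1")
    store.erase("r1")                    # chain entry stays; data and salt are gone
    return {"verifies_before": before,
            "verifies_after": verify(store, ledger, "r1"),
            "unsalted_guessable": guess_matches(unsalted, [email]),
            "salted_guessable": guess_matches(ledger["r1"], [email])}
```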

The guidelines require thorough Data Protection Impact Assessments (DPIAs) to be conducted prior to implementing blockchain solutions. Controllers must rigorously document the necessity and proportionality of using blockchain over other technologies, detailing specific technical and organizational measures taken.

“Blockchain technology offers innovative solutions but presents unique risks to privacy rights,” the EDPB stated. “Compliance with data protection principles must be non-negotiable.”

Hard Time for International Transfers

Special attention is drawn to international transfers, particularly those involving public blockchains with nodes outside the EU, which necessitate mechanisms such as Standard Contractual Clauses to comply with Chapter V of the GDPR.

Moreover, the EDPB has explicitly reinforced obligations to uphold data subject rights, including rectification, erasure, and the right to object to automated decisions, despite the technical limitations of blockchain.

The guidelines, currently open for public consultation, represent the EU’s latest move towards ensuring responsible blockchain adoption that respects fundamental data protection rights, setting a precedent for global standards.

Crypto Companies’ Issues with GDPR

Several cryptocurrency companies have faced scrutiny and legal action for alleged violations of the European Union’s GDPR. Notable cases include:

Worldcoin (2024)

Sam Altman’s Worldcoin project, which involves scanning individuals’ irises in exchange for digital IDs and cryptocurrency, was temporarily banned in Spain for up to three months. The Spanish data protection regulator, AEPD, cited concerns over insufficient information provided to users, potential data collection from minors, and the lack of mechanisms for withdrawing consent. Other countries, like Spain and France, had also temporarily banned Worldcoin from operating in their countries due to privacy concerns. As a result, Worldcoin pivoted to Asia and Latin America as its core markets.

Crypto.com (2022)

Crypto.com experienced a security breach affecting approximately 483 user accounts, leading to unauthorized withdrawals totaling millions of dollars in various cryptocurrencies. Although the company reimbursed affected users and implemented additional security measures, the incident raised concerns about the adequacy of data protection and security protocols, potentially implicating GDPR compliance obligations.

Stake.com (2024)

Users of the crypto gambling platform Stake.com reported issues related to GDPR compliance, including difficulties in exercising their rights to data access and erasure. These allegations suggest potential non-compliance with GDPR provisions concerning user data rights and transparency.
