Recommendations have been presented for complying with the European General Data Protection Regulation (GDPR) on public blockchains. They build on technology developed for Ethereum.

The European Blockchain Association (EBA) submitted a consultative document to the European Data Protection Board (EDPB) outlining how Ethereum’s modular architecture and associated technologies can be used to ensure compliance with the General Data Protection Regulation (GDPR).
GDPR requires that personal data be stored so that it can be deleted, be controlled by the specific data subjects, and be properly anonymized. This conflicts with the fundamental properties of public blockchains, such as immutability, transparency, and decentralization.
The proposed framework clearly delineates the roles of data controllers and processors at different transaction processing layers, namely:
- Execution Layer, where transactions originate from dApps and wallets;
- Consensus Layer, responsible for block finalization;
- Data Availability Layer, providing scalable data storage.
Within this structure, dApp providers remain responsible as data controllers, while block builders and validators operate on encrypted or abstracted data without access to personally identifiable information (PII). Storage nodes follow a model in which they hold anonymous data fragments only temporarily.
The document also highlights extensive use of privacy-enhancing technologies (PETs):
- zk-SNARKs and Fully Homomorphic Encryption (FHE) enable transaction verification without data disclosure;
- Proto-Danksharding and PeerDAS provide short-term, fragmented, and anonymous data storage;
- Proposer-Builder Separation (PBS) separates access to transaction contents from block finalization processes.
This proposal demonstrates how currently implemented architectural solutions and PETs can serve as a foundation for GDPR compliance in open decentralized environments. As a result, the framework doesn’t require sacrificing the core principles of public blockchains but shows that Ethereum and similar distributed ledger technologies (DLT) can potentially align with GDPR, given appropriate technical transformations. This approach may be especially relevant as Ethereum positions itself as a foundational infrastructure for online projects and the global economy.