The Collision Between Privacy Law and Immutable Code
In April 2025, a legal interpretation by the European Data Protection Board (EDPB) ignited a new wave of The European Data Protection Board (EDPB), the EU’s leading authority on GDPR enforcement, has reaffirmed a long-standing concern: if personal data is permanently recorded on a blockchain and cannot be deleted, such a system may conflict with core principles of European privacy law.
This issue has resurfaced in recent regulatory discussions, highlighting a tension between blockchain’s defining feature — immutability — and the General Data Protection Regulation’s (GDPR) cornerstone principle: the individual’s right to erasure.
Blockchain’s Strength Meets Legal Limits
Since Bitcoin’s inception in 2009, blockchain technology has offered a new model for secure, decentralized transactions — free from central control or intermediaries. It is precisely this transparency and permanence that gives the blockchain its unique value.
However, these features raise questions when examined through the lens of privacy law. While Bitcoin itself does not store names, emails, or direct identifiers, metadata or arbitrary information can technically be recorded on-chain — sometimes even unintentionally. Functions like Bitcoin’s OP_RETURN or similar features on other networks can embed data that may, in theory, fall under GDPR’s broad definition of personally identifiable information (PII).
Because blockchain data is replicated across thousands of nodes and cannot be modified or erased, regulators have rightly questioned how such systems can accommodate a legal framework built on reversibility and user control.
The Compliance Challenge for Blockchain Platforms
The EDPB’s position suggests that if a blockchain contains even a small amount of undeletable personal data, the system could be considered non-compliant — a potentially wide-reaching interpretation.
For blockchain-based services operating in the EU, this raises pressing questions:
- Can a public, permissionless blockchain ever fully comply with GDPR?
- Should services avoid running full nodes within EU jurisdiction?
- Is it necessary to restrict the use of smart contracts or decentralized apps that could store sensitive data?
These are not theoretical concerns. In 2018, France’s CNIL already highlighted the challenges blockchain poses to data minimization and erasure. The EDPB’s recent guidance adds weight and urgency to these questions, especially for businesses building infrastructure on public blockchains like Ethereum, Solana, or Avalanche.
A Global Ripple Effect: Brazil and Beyond
Europe’s leadership in digital privacy has inspired similar laws around the world — including Brazil’s Lei Geral de Proteção de Dados (LGPD). Although Brazil’s legal context differs, the underlying logic is consistent: individuals must retain meaningful control over their personal data, including the right to have it removed.
If Brazilian regulators follow the EU’s interpretation, blockchain-based projects offering services in Brazil may face the same regulatory uncertainty. This could have implications even for government-backed projects like DREX, Brazil’s proposed central bank digital currency built on blockchain principles.
What Can Regulators Realistically Do?
Importantly, regulators cannot “ban” Bitcoin or other public blockchains in any practical sense. These networks are decentralized, global, and run independently of any one jurisdiction or company. However, regulators can and do influence the businesses that interact with these networks — such as exchanges, custodians, and financial service providers.
Restrictions on these entities could limit access, increase compliance burdens, or discourage innovation — even if the underlying networks continue to operate unaffected.
Legal Tensions, Not Technological Failures
Immutable data systems are not new. Enterprises already use:
- Write-once storage formats (e.g. CD-ROMs)
- Tamper-proof audit logs
- Cloud archives that preserve records for legal and regulatory reasons
In many cases, immutability is a feature, not a flaw — designed to ensure data integrity and prevent fraud. Blockchain simply applies this concept at a decentralized, trustless scale.
The real challenge lies not in the technology, but in applying a legal framework designed for centralized databases to distributed systems with no single point of control.
Looking Ahead: Toward a Smarter Regulatory Approach
To support both innovation and privacy, policymakers may need to reconsider how laws like the GDPR are interpreted or applied to decentralized technologies. Possible approaches include:
- Differentiating between on-chain and off-chain data
- Promoting privacy-preserving architecture and zero-knowledge technologies
- Clarifying the role and obligations of data “controllers” in decentralized systems
These solutions require nuance and collaboration — not only between regulators and developers, but also with privacy experts, civil society, and the public.
Conclusion: Evolve with the Technology
At RockBridge, we believe that digital privacy and blockchain innovation can and must coexist. The EDPB’s latest guidance reflects an evolving legal conversation — one that must keep pace with emerging technologies while upholding individual rights.
The conversation is far from over. But one thing is clear: decentralized systems are here to stay, and our legal frameworks must evolve to meet them.