New Ethereum GDPR Blueprint Recasts Wallets as Controllers, Lets Validators Off the Hook

Author

Hongji Feng

Key Takeaways:

  • Ethereum community member Eugenio Reggianini published a GDPR compliance proposal on June 9 as part of the European Blockchain Association’s consultation response.
  • The proposal recommends keeping personal data off-chain and using privacy-preserving technologies to reduce exposure across Ethereum’s modular architecture.
  • A new role classification framework would assign GDPR controller status only to front-end actors like wallets and dApps.

Ethereum community member Eugenio Reggianini (“EugeRe”) has outlined a set of privacy and data management practices to help align Ethereum’s architecture with European Union data protection rules.

The proposal was published on June 9 as part of the European Blockchain Association’s response to the General Data Protection Regulation (GDPR) consultations. It recommends assigning data controller status to front-end actors, such as wallets and dApps, and limiting lower-layer infrastructure to processing only encrypted or anonymized data.

Ethereum Roles Reclassified Under GDPR

According to the proposal, personal data should be kept off-chain, with blockchain nodes relaying only references or proofs rather than identifiable information.

To minimize exposure across the protocol, the proposal references a number of privacy-enhancing techniques. These include zk-SNARK execution, proposer-builder separation, data availability sampling, and homomorphic encryption.

Reggianini suggests that recent developments like proto-danksharding could help enforce data minimization through temporary storage and automatic pruning.

The document also proposes a new classification for blockchain participants under GDPR. Wallet providers and dApp developers would retain controller status, while mempool relays, validators, and data availability nodes would be treated as processors or considered out of scope if they handle only non-identifiable fragments.

The proposal calls for Ethereum’s modular structure to serve as a framework for compliance, reducing exposure by design. Role separation within the execution, consensus, and data availability layers is emphasized as a strategy to manage risk while maintaining Ethereum’s permissionless nature.

EU Rules Prompt Restructuring and Retreat

The summary concludes that GDPR compliance for Ethereum is technically achievable if personal data remains at the application level and never propagates to base-layer infrastructure. This, it argues, would allow compliance with existing law without imposing central controls on the network.

Several crypto projects have restructured to comply with GDPR by shifting identity checks and data storage off-chain. Others, lacking technical capacity or legal clarity, have withdrawn from the European Union altogether.

The law’s strict definition of controllership has drawn criticism for applying centralized assumptions to decentralized networks. Projects like Worldcoin have faced bans over biometric data use, highlighting the tension between data rights and open protocols.

Reggianini’s proposal adds to growing calls for a more nuanced regulatory approach, one that recognizes the technical roles of blockchain participants rather than treating all nodes as data controllers.

Frequently Asked Questions (FAQs)

Why is the GDPR difficult for public blockchains like Ethereum?

The GDPR was written for centralized systems with clear data controllers. Public blockchains, by contrast, distribute data processing across thousands of nodes, making it unclear who is responsible for compliance.

What are the risks of non-compliance with GDPR in blockchain systems?

Entities processing personal data without a legal basis could face heavy fines, enforcement actions, or be forced to exit the EU market altogether.

Could GDPR frameworks eventually change to accommodate decentralized tech?

Some policymakers and advocacy groups are calling for legal updates that better distinguish between active controllers and passive processors in blockchain networks, but no official changes have been made yet.