Ethereum Looking at Ways to Remain GDPR Compliant

  • A member of the Ethereum community has proposed a General Data Protection Regulation (GDPR)-aligned privacy model for the protocol
  • Eugenio Reggianini outlined technical mechanisms that assign data controller roles to application edges in order to handle the GDPR’s right to be forgotten
  • Reggianini highlighted off-chain storage, pseudonymization, and cryptographic splits to keep core layers data-processor-only

In a move aimed at aligning Ethereum with European privacy laws, an Ethereum community member has proposed a new framework for managing personal data under the General Data Protection Regulation (GDPR). Eugenio Reggianini’s design shifts responsibility for data protection to the outer layers of the ecosystem, including wallets, applications, and relayers, while preserving the decentralised and censorship-resistant properties of the base protocol. Through techniques like pseudonymisation, zero-knowledge proofs, and temporary off-chain data storage, the approach could allow Ethereum to remain open and compliant at once.

Blockchain and GDPR: Not a Happy Marriage

Public blockchains, by design, resist deletion, creating tension with GDPR rules that grant users the “right to be forgotten.” Reggianini’s proposal tries to resolve that contradiction by keeping personally identifiable information (PII) off-chain or obfuscated, and making sure only specific actors—like dApp operators or wallet providers—qualify as “data controllers.” That means Ethereum itself wouldn’t bear liability for personal data stored on-chain.

Ethereum’s architecture is modular: its execution, consensus, and data availability layers all play distinct roles. The proposal outlines how to contain privacy-sensitive processes at the edges:

  • Execution Layer: Wallets encrypt user data before submitting it to the chain; smart contracts process only encrypted or hashed information
  • Consensus Layer: Validators verify zero-knowledge proofs, avoiding exposure to raw user data
  • Data Availability Layer: Nodes store only erasure-coded fragments for short durations, limiting reidentification risks
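
The execution-layer idea above (hashed data on-chain, PII held off-chain by an edge controller) can be sketched as follows. This is an added example, not code from Reggianini's proposal or from Ethereum. The `Controller` class, the list standing in for the chain, and the sample e-mail address are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

class Controller:
    """Hypothetical edge actor (wallet or dApp operator) that holds PII off-chain."""
    def __init__(self):
        self.offchain = {}  # subject_id -> (per-subject key, PII); erasable store
        self.chain = []     # stand-in for the append-only ledger; never erased

    def register(self, subject_id, pii: bytes) -> str:
        key = secrets.token_bytes(32)  # fresh random key per data subject
        tag = hmac.new(key, pii, hashlib.sha256).hexdigest()
        self.offchain[subject_id] = (key, pii)
        self.chain.append(tag)         # only the keyed commitment is published
        return tag

    def prove_link(self, subject_id, tag: str) -> bool:
        """Re-derive the commitment from off-chain data; fails once erased."""
        rec = self.offchain.get(subject_id)
        if rec is None:
            return False
        key, pii = rec
        expected = hmac.new(key, pii, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def erase(self, subject_id) -> bool:
        """Erasure request: drop key and PII. The on-chain tag remains, but
        it cannot be re-derived from the PII without the deleted key."""
        return self.offchain.pop(subject_id, None) is not None

def guessable(onchain_value: str, candidates) -> list:
    """Audit check: candidate PII values whose bare SHA-256 equals the on-chain value."""
    return [c for c in candidates if hashlib.sha256(c).hexdigest() == onchain_value]

def demo() -> dict:
    email = b"alice@example.org"              # constructed sample PII
    candidates = [b"bob@example.org", email]  # constructed guess list
    bare = hashlib.sha256(email).hexdigest()  # weak: unsalted hash of low-entropy PII
    c = Controller()
    tag = c.register("subject-1", email)
    before = c.prove_link("subject-1", tag)
    erased = c.erase("subject-1")
    return {
        "bare_guessable": guessable(bare, candidates) == [email],
        "keyed_guessable": guessable(tag, candidates) != [],
        "linked_before": before,
        "erased": erased,
        "linked_after": c.prove_link("subject-1", tag),
        "tag_still_on_chain": tag in c.chain,
    }

if __name__ == "__main__":
    print(demo())
```

The `guessable` check shows why a plain hash of low-entropy PII is weak pseudonymisation: anyone with a list of candidate values can match it, whereas the keyed commitment depends on a secret that only the controller holds and can delete.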

Reggianini points to upcoming and existing technologies like EIP-4844 (also known as protodanksharding), which limits the storage lifespan of large data blobs to roughly 18 days. Other tools include zero-knowledge proofs, secure enclaves (TEEs), multiparty computation, and proposer-builder separation—all of which reduce or fragment access to sensitive data across the network.

Acceptance is a Long Shot

Reggianini’s idea has been generally well received, with one respondent noting the preservation of “inclusion and permissionless access while leaving the bad actors out of the door.” However, the odds of a single community proposal being accepted as the way to tackle the thorny issue of GDPR are slim. If his ideas do find favor, the proposal could act as a model for other open blockchains navigating data protection laws.