Ethereum Community Member Eugenio Reggianini Proposes GDPR Compliance Through Modular Architecture and Privacy-Enhancing Technologies
On June 9, Ethereum community member Eugenio Reggianini published a new proposal on EthResear.ch. In the proposal, Reggianini suggests that through a modular architecture and privacy-enhancing technologies (PETs), it is possible to meet the data protection requirements of the EU’s General Data Protection Regulation (GDPR) while maintaining Ethereum’s decentralized characteristics.
The stated goal is to concentrate responsibility for personal data at the application layer, so that the underlying infrastructure only ever processes anonymous or pseudonymized data. This is meant to protect user privacy while preserving Ethereum's decentralization.
Modular Architecture: Redefining Data Management Roles
The core of Reggianini's proposal is Ethereum's modular architecture, which separates the network into execution, consensus, and data availability layers, and maps GDPR's two roles onto it: "controllers" (those who determine the purposes and means of processing) and "processors" (those who process data on a controller's behalf). Personal data is pushed to the edge (wallets and decentralized applications), with off-chain storage and metadata minimization used to reduce the amount of personal data that ever reaches the chain.
Reggianini argues that this confines the controller role under GDPR to a small number of entities (such as application developers), while most network nodes operate only as processors or fall outside GDPR's scope entirely, reducing the compliance burden on the network as a whole.
Privacy-Enhancing Technologies: Core Tools for Data Protection
The proposal introduces several privacy-enhancing technologies (PETs), including:
- Proto-Danksharding (EIP-4844): blob data attached to blocks is pruned by consensus nodes after roughly 18 days (4,096 epochs); only the KZG commitments remain on-chain permanently, which the proposal reads as built-in data minimization.
- zk-SNARKs: validators and other verifiers check a succinct proof rather than the underlying transaction data, reducing how much data is ever visible to the network.
- Homomorphic encryption and Trusted Execution Environments (TEEs): homomorphic encryption computes directly on ciphertext, while a TEE computes on plaintext inside a hardware-isolated enclave. In both cases the node operator never sees the plaintext, though in the TEE case this rests on the enclave's isolation and attestation rather than on cryptography alone.
- Multi-Party Computation (MPC) and Proposer-Builder Separation (PBS): MPC splits a computation across parties so that no single party holds the full input, and PBS separates block building from block proposing; the proposal argues that together these limit any single node's access to personal data.
- PeerDAS: data is erasure-coded and each node samples and stores only some of the fragments, which expire after the retention window, so an individual fragment is meaningless on its own. Note that erasure coding is an availability mechanism, not a confidentiality one: any party that collects enough fragments can reconstruct the data exactly, so the privacy benefit depends on the data having been pseudonymized or encrypted before publication.
Reggianini argues that these technologies substantially reduce the risk of on-chain exposure of personal data, meeting GDPR's data minimisation principle (Art. 5(1)(c)) and its requirement for appropriate technical measures (Art. 25 and Art. 32) while preserving the decentralized character of the blockchain.
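To make the data-availability claims concrete, here is an added example written for this page; it is not code from Reggianini's post or from any Ethereum client. A small systematic erasure code over GF(257) stands in for PeerDAS's coding, a wallet-side HMAC stands in for edge pseudonymization, and a pruner applies the EIP-4844 blob retention window of 4,096 epochs. The sample record, the key and the epoch numbers are constructed. The point it demonstrates is the caveat above: any k of n fragments rebuild the original bytes exactly, so fragments are only "incomprehensible" if the data was pseudonymized or encrypted before it left the edge.

```python
"""Toy data-availability layer: erasure coding + edge pseudonymization + retention pruning.

Added illustration for this article (not the proposal's own code). The field,
code parameters and sample data are assumptions chosen for clarity.
"""
import hashlib
import hmac
import secrets

P = 257  # smallest prime > 255, so each byte maps to one field element

# EIP-4844 MIN_EPOCHS_FOR_BLOB_SIDECARS_REQUESTS: 4096 epochs x 32 slots x 12 s ~ 18.2 days
RETENTION_EPOCHS = 4096


def _inv(a: int) -> int:
    """Multiplicative inverse in GF(P) via Fermat's little theorem."""
    return pow(a, P - 2, P)


def _interpolate(points: list[tuple[int, int]], x: int) -> int:
    """Evaluate at x the unique polynomial of degree < len(points) through the given points (Lagrange form)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * _inv(den)) % P
    return total


def erasure_encode(data: bytes, k: int, n: int) -> dict[int, list[int]]:
    """Systematic (k, n) code: fragments 0..k-1 carry raw bytes, k..n-1 carry parity evaluations.

    Each k-byte chunk defines the polynomial through (0, b0) .. (k-1, b_{k-1});
    parity fragment idx stores that polynomial evaluated at x = idx.
    """
    assert 1 <= k <= n < P, "need 1 <= k <= n and n < field size"
    padded = data + bytes((-len(data)) % k)  # zero-pad to a multiple of k
    chunks = [padded[i:i + k] for i in range(0, len(padded), k)]
    fragments: dict[int, list[int]] = {idx: [] for idx in range(n)}
    for chunk in chunks:
        pts = list(enumerate(chunk))  # (x, y) pairs with x = 0..k-1
        for idx in range(n):
            fragments[idx].append(chunk[idx] if idx < k else _interpolate(pts, idx))
    return fragments


def erasure_decode(available: dict[int, list[int]], k: int, length: int) -> bytes:
    """Rebuild the original bytes from ANY k fragments; fewer than k leave every byte undetermined."""
    if len(available) < k:
        raise ValueError(f"need {k} fragments, have {len(available)}")
    chosen = sorted(available.items())[:k]
    n_chunks = len(chosen[0][1])
    out = bytearray()
    for c in range(n_chunks):
        pts = [(idx, vals[c]) for idx, vals in chosen]
        out.extend(_interpolate(pts, x) for x in range(k))  # recover evaluations at x = 0..k-1
    return bytes(out[:length])


def pseudonymize(record: bytes, key: bytes) -> bytes:
    """Edge-side keyed hash. The key never leaves the wallet, so the DA layer only ever sees the pseudonym."""
    return hmac.new(key, record, hashlib.sha256).hexdigest().encode()


def prune_expired(store: dict[str, tuple[int, dict]], current_epoch: int) -> dict[str, tuple[int, dict]]:
    """Drop fragment sets published RETENTION_EPOCHS or more epochs ago (data minimization by expiry)."""
    return {h: (epoch, frags) for h, (epoch, frags) in store.items()
            if current_epoch - epoch < RETENTION_EPOCHS}


def demo() -> dict:
    record = b"alice@example.com,Berlin,DE"  # constructed sample of personal data
    k, n = 4, 8
    # 1. Raw data through the erasure code: one raw + three parity fragments rebuild it exactly.
    frags = erasure_encode(record, k, n)
    rebuilt = erasure_decode({i: frags[i] for i in (1, 4, 6, 7)}, k, len(record))
    # 2. Pseudonymize at the edge first: reconstructing the fragments now yields only the pseudonym.
    key = secrets.token_bytes(32)  # constructed wallet-held key
    pseud = pseudonymize(record, key)
    frags2 = erasure_encode(pseud, k, n)
    rebuilt2 = erasure_decode({i: frags2[i] for i in (4, 5, 6, 7)}, k, len(pseud))
    # 3. Retention: fragments published at epoch 0 are pruned once epoch 4096 arrives.
    store = {"blob-a": (0, frags2), "blob-b": (100, frags2)}
    return {"raw_recovered": rebuilt == record, "pseudonym_recovered": rebuilt2 == pseud,
            "kept_after_4096": sorted(prune_expired(store, 4096))}


if __name__ == "__main__":
    print(demo())
```

Running it reports that the raw record is fully recovered from four of eight fragments, which is exactly the availability property PeerDAS wants and exactly why coding alone does not make the DA layer GDPR-neutral; only the pseudonymized variant keeps personal data off the layer, and expiry then removes even the pseudonyms after the retention window.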
Layered Role Allocation: A Compliance Strategy with Defined Responsibilities
The proposal divides Ethereum’s transaction processing into three layers, with GDPR compliance strategies suggested for each layer:
- Execution Layer: wallets and application front-ends act as controllers and submit encrypted data; relay nodes and block builders only ever handle ciphertext or commitments, and so act as processors.
- Consensus Layer: validators only process proofs and commitments and never touch personal data, which the proposal treats as placing them outside GDPR's scope as neutral parties.
- Data Availability Layer: Through PeerDAS, nodes only temporarily store anonymous data fragments, adhering to the principle of data minimization.
Reggianini states that through layered design, personal data is transformed or abstracted before entering the blockchain, ensuring privacy protection and compliance.
Collaborative Governance: The Key to Achieving Compliance
Finally, Reggianini emphasizes that the success of the proposal relies on widespread adoption of privacy-enhancing technologies by the community, support from developers, and potential alignment with EU regulatory bodies. Through a collaborative governance model, Ethereum can establish voluntary conduct guidelines, further clarifying role divisions and reducing compliance risks.
The intended effect is to keep the technology and the regulatory requirements consistent with each other, supporting the sustainable development of the Ethereum ecosystem.
The EU's General Data Protection Regulation (GDPR) has applied since 25 May 2018. It protects the personal data and privacy rights of individuals in the EU and regulates how organizations process personal data: processing must be lawful and transparent, data must be minimised and kept secure, and organizations must be accountable for it. Individuals are granted rights to access, rectify, and erase their data. The regulation applies to entities anywhere in the world that process the data of individuals in the EU, and noncompliance can be fined at up to 4% of global annual turnover or EUR 20 million, whichever is higher.
For public permissionless blockchains like Ethereum, GDPR poses challenges: immutability and decentralization conflict with the right to erasure and with the data minimisation principle. Every node processing data may be regarded as a controller, multiplying compliance obligations, and personal data once written on-chain is difficult to delete or anonymize.