29 April 2025

EDPB Publishes Draft Guidelines On Personal Data In Blockchain And A Report On AI Privacy Risks & Mitigations In Large Language Models

A&O Shearman


On April 14 2025, the European Data Protection Board (EDPB) announced the outcomes of its plenary session that took place on April 8 2025, during which the EDPB adopted draft Guidelines on processing of personal data through blockchain technologies (Draft Guidelines).

The EDPB also published a research paper on AI Privacy Risks and Mitigations in Large Language Models, prepared by an external expert (Report). The EDPB also announced its decision to engage with the European AI Office to draft guidance on the interplay between the AI Act and EU data protection legislation.

Draft guidelines on data processing in the blockchain

The Draft Guidelines provide an overview of blockchain technology and its implications for the processing of personal data. They also address the unique challenges posed by the blockchain's distributed nature for compliance with the GDPR. The EDPB explains in detail how various concepts of data protection law apply to blockchain, including:

  • Determining the controller-processor roles of the parties involved in the blockchain;
  • The legal bases of processing (outlining challenges of obtaining compliant consents or relying on the legitimate interest processing ground);
  • Applying a data protection by design and by default approach to blockchain, which is likely to require a combination of different privacy enhancing technologies (PETs) to provide sufficient levels of data protection;
  • Establishing and properly documenting the retention periods (pointing out that a retention period for personal data in a blockchain that is equal to the lifetime of the blockchain will require justification of the necessity and proportionality to the purpose);
  • Carrying out a data protection impact assessment for blockchain projects, including the measures that could be taken to address the risks stemming from the use of blockchain technology;
  • Implementing security measures (e.g., the safeguards against unintended or unauthorized transactions, measures to limit the impact of potential algorithm failures, protections for the secret keys and the data stored on and off chain, and documenting software changes or protocols used in the blockchain);
  • Addressing data subject rights in respect of information on the blockchain, such as the rights to rectification, erasure, and objection to solely automated decision-making.

An annex to the Draft Guidelines formulates 16 recommendations to organizations planning to set up blockchain-based processing. The Draft Guidelines are open for consultation until June 9 2025.

Report on AI privacy risks & mitigations in large language models

The Report provides insights into the background of large language models (LLMs) and aims to assist providers and deployers of AI with identifying, evaluating and mitigating the privacy and data protection risks associated with LLMs. The Report includes various examples and use cases.

The Report includes numerous examples considering the roles of the parties under the AI Act (e.g. provider or deployer) and under the GDPR (controller, processor, or joint controller). The Report was commissioned by the EDPB through the external pool of experts, so it does not reflect the official position of the EDPB.

The press release about the Draft Guidelines and the Draft Guidelines are both available. The press release about the Report, the Report and the plenary agenda are available.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
