Berlin 3.0

The Berlin 3.0 DARTE session took place on June 13th, 2025, at HTW Berlin. Organized with the support of the European Commission, Project Catalyst, and HTW Berlin, this roundtable continued the series’ mission of fostering legal clarity around MiCAR and adjacent regulatory frameworks. This session also served as a bridge to wider discussions on fundamental rights, criminal law, and decentralized governance models, reflecting Berlin’s role as a thought hub for Europe’s Web3 legal evolution.

The session began with a welcome note from Nina-Luisa Siedler (siedler legal), followed by a keynote from Prof. Dr. Katarina Krüger (HTW Berlin). The program featured three high-level expert contributions: Judith de Boer (Hertoghs advocaten) opened with a discussion on the criminal liability risks for developers of autonomous protocols like Tornado Cash. Joachim Schwerin (European Commission – DG GROW) then explored the design of compliant legal frameworks for DAOs. Finally, Gustav Hemmelmayr (Parity Technologies) concluded with a deep dive into the treatment of blockchain infrastructure data under GDPR.

Download the Report

Coding as a Criminal Act?

This session examined whether developers of decentralized protocols can be held criminally liable for the consequences of autonomous code they create. Using recent court rulings as a reference point, participants discussed how traditional criminal frameworks, centered around control and intent, struggle to accommodate decentralized systems where no single actor has operational authority. The group emphasized the need to distinguish between the publication of open-source code and deliberate facilitation of criminal activity, especially as privacy-enhancing tools face increased scrutiny.

DAOs as Compliant Web3 Communities

The second topic focused on the legal and operational challenges faced by Decentralised Autonomous Organisations (DAOs). While DAO activity is growing rapidly, participants noted the absence of fit-for-purpose legal wrappers and the fragmentation of compliance requirements across jurisdictions. The discussion highlighted the potential of cooperative models, sandbox frameworks, and EU-level experimentation to establish a more coherent regulatory environment. There was broad consensus that DAOs require clear classification systems and guiding governance principles to gain regulatory legitimacy without compromising their decentralized ethos.

Call to Actions

Develop ex-ante legal guidance distinguishing neutral code publication from criminal facilitation.
Modernize liability frameworks to reflect the decentralized nature of infrastructure and the limitations of developer control.
Ensure enforcement practices respect due process and the legitimate role of privacy-enhancing technologies.

Call to Actions

Create a standard classification and governance model for DAOs across Member States, providing a shared language for regulatory engagement.
Launch a cross-jurisdictional regulatory sandbox to test DAO legal structures in real-world scenarios, with support from participating NCAs.
Explore the development of a modular, innovation-friendly EU legal framework (e.g., a “28th regime”) tailored to digitally native communities.

Check our work on DAOs

Personal Data and Blockchain

The final session addressed the growing tension between GDPR and public, permissionless blockchain systems. Participants questioned the European Data Protection Board’s expansive interpretation of personal data, arguing that infrastructure-level elements—such as hashes and public addresses—should not automatically fall under GDPR if no off-chain linkage exists. The group stressed the importance of maintaining technological neutrality in regulatory application, and the need to protect privacy-by-design blockchain systems from overreach.

Call to Action

Reinterpret GDPR to exclude infrastructure-level blockchain data from personal data classification, provided no off-chain identification occurs.
Shift the regulatory burden to off-chain intermediaries—such as custodians and exchanges—who collect and process identifiable user data.
Recognize and protect decentralized privacy-preserving technologies, ensuring that GDPR enforcement aligns with its original intent and avoids disproportionately penalizing blockchain-based innovations.