The Impact of Data Protection Regulations on the Blockchain … · 2020. 11. 10. · 3 The impact...

The Impact ofData ProtectionRegulationson the BlockchainEcosystem

NOVEMBER 2020

REPORT ON SURVEY RESULTSBy the Privacy Working Group of INATBA

1

The impact of data protection regulations on the blockchain ecosystem Report on survey results | November 2020

Contents

Authors and Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

About . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Goal of the Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Questions Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

I. Description of the respondents (Questions: 1–9) . . . . . . . . . . . . . . . . . . . . . 8

Size of the organisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Jurisdiction of residence/business registration . . . . . . . . . . . . . . . . . . . . . . . . . 9

Jurisdictions of operational activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Primary field of operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Position in the organisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Main focus of the Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

Types of Blockchain Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Type of the blockchain protocol used for the project . . . . . . . . . . . . . . . . . . 13

II. Other Questions (10–28) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Q10 Awareness of privacy regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Q11 Primary responsibility for privacy compliance . . . . . . . . . . . . . . . . . . . . . . 15

Q12 Efforts to meet privacy requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Q13 Strategic priority of privacy compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Q14 Conducting formal data protection assessments . . . . . . . . . . . . . . . . . . 16

Q15 Main privacy issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Q16 Off-chain personal data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Q17 Personal data on-chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Q18 Methods of storing personal data on-chain . . . . . . . . . . . . . . . . . . . . . . . . 19

Q19 Use cases for storing personal data on a blockchain . . . . . . . . . . . . . . .20

2


Further conclusions of the responses to Q15–Q19 . . . . . . . . . . . . . . . . . . . . . . 21

Q20 Defining controllership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Q21 Reasons for not defining controllership . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Q22 Joint-controllership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

Q23 Data protection agreements in place . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24

Q24 Is regulation helpful? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Q25 Are existing publications helpful? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Q26 What would be most helpful when working on the compliance of a blockchain project? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Q27 Impact on non-yet-developed projects . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

Q28 Privacy vs . innovation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

List of respondents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30

Annex. List of Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Q1 Please specify the name of your organisation . . . . . . . . . . . . . . . . . . . . . . 31

Q2 Please tell us the size of your organisation . . . . . . . . . . . . . . . . . . . . . . . . . 31

Q3 Please tell us the jurisdiction of residence/business registration of your organisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Q4 Please tell us the jurisdictions of operational activity of your organisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Q5 Primary field of operations of your organisation . . . . . . . . . . . . . . . . . . . .34

Q6 What is your position in the organisation? . . . . . . . . . . . . . . . . . . . . . . . . . 35

Q7 What is the main focus of your Project? . . . . . . . . . . . . . . . . . . . . . . . . . . . .36

Q8 What is the blockchain type your project is based upon? . . . . . . . . . . 37

Q9 What type of blockchain protocol is your Project based upon? . . . .37

Q10 Are you aware of the privacy regulations applicable to your Project(s)? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38

Q11 Who in your organisation is primarly responsible for meeting the requirements as set forth in the applicable privacy regulation(s)? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

Q12 Have you made efforts to meet the requirements of the applicable privacy regulation(s)? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39

3


Q13 Is meeting the requirements of applicable privacy regulation(s) a strategic priority (e .g . addressed and prioritized at C-level)? . . . . . 40

Q14 Have you conducted any kind of formal data protection assessment on your Project (e .g . DPIA)? . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Q15 What were the main privacy issues related to your Project? (Please include as many issues as you’d like) . . . . . . . . . . . . . . . . . . . . . . 40

Q16 Do you store personal data off-chain in your Project? . . . . . . . . . . . . . . 41

Q17 How do you store or refer to personal data on-chain? . . . . . . . . . . . . . .42

Q18 If possible, please provide additional details about the methods of storing or referring to personal data on chain . . . . . . . . . . . . . . . . . . .43

Q19 Do you think any use cases inside or outside of your Project could benefit from having personal data directly (not just hashes) on a blockchain, either encrypted or in clear text? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

Q20 If you deal with personal data (also pseudonimised personal data) on public permisonless blockchain, how have you defined controllership of that data?(the ‘controller’ alone or jointly with others, determines the purposes and means of the processing of personal data) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Q21 If you have not defined data controllership, what are the reasons for that decision? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Q22 Do you argue for joint controllership? If yes, provide information on how (who are considered joint controllers)(Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers) . . . . . . . . . . . . . . . . . . . . . . . .45

Q23 Do you have data processing agreements in place for the participants of your blockchain network? . . . . . . . . . . . . . . . . . . . . . . . . . 46

Q24 Do you perceive the applicable regulation(s) to be helpful or limiting for your business? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

Q25 Have you found existing, official publications, guidances etc . as sufficient for making your Project compliant with applicable data privacy regulations? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

Q26 Which of the following would be most helpful when working on data privacy compliance of your Project? . . . . . . . . . . . . . . . . . . . . . . 48

Q27 What other projects or technologies would you have developed or implemented if you weren’t bound by applicable privacy regulations? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Q28 With which of the following statements do you agree most . . . . . . .49

4


Q29 Can we disclose that you/your organisation participated in this survey (without disclosing what particular answers were given)? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

Q30 Can we contact you to clarify your answers? . . . . . . . . . . . . . . . . . . . . . . .50

Q31 Can we contact you for the purpose of further analysis of the results of the survey? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50

Q32 Please provide us an email address where we can contact you . . . . . 51

5


Authors and Contributors

Privacy Working Group:

Marcin Zarakowski Lisk Foundation (co-chair)

Silvan Jongerius TechGDPR (co-chair)

Ismael Arribas Kunfud

Jed Grant KYC3

Eusebio Felguera Garrido Telefonica

Nathan Vandy Blockchain Helix

Academic Advisory Board support:

Frank Pallas Technical University of Berlin

Ivan Visconti Università degli Studi di Salerno

6


Executive SummaryThe application of blockchain tech-nology and the need to adhere to privacy regulations, particularly the GDPR, seem to conflict .

These opinions typically originate from experts and regulators, but how do those ultimately developing and implementing the technology per-ceive the interplay between the tech-nical and regulatory spheres? The survey, answered by respondents from organisations in this space, aims to answer this question . This report is the analysis of the responses by the Privacy Working Group of INATBA .

Presumably, one of the most relevant findings from our study regards the perceived uncertainty of legal/reg-ulatory definitions and obligations, particularly from the GDPR, when applied to blockchain use-cases and scenarios . Simultaneously, a certain

proportion of respondents found ex-isting guidance to be sufficient and findable .

Beyond calling for more transpar-ent and comprehensible guidance and providing more legal certainty in general (e .g ., through an indica-tive opinion or guideline of the Eu-ropean Data Protection Board), this suggests an intensified effort for making such guidance known and perceived by active players in the blockchain ecosystem .

As experts in the field of data pro-tection and blockchain, the analysts of the surveys and authors of this re-port have observed some inconsist-encies in the answers of the survey and some rather apparent miscon-ceptions about privacy regulations . These will be explained further in this report .

IntroductionThe Privacy Working Group of INAT-BA initiated a broad survey amongst users and developers of blockchain technology to understand their challenges to meet privacy stand-ards and regulatory privacy require-ments .

This survey investigates many mis-conceptions, unclarities, and past discussions about how the require-ments of the GDPR and other priva-cy regulations are to be dealt with in the blockchain space . It addresses concrete questions from regulators and the general public about the balance between regulation and innovation, how sufficient existing regulations and guidance are, and

what other resources could help blockchain innovators succeed .

This survey aims to provide a snap-shot of the situation during the sum-mer of 2020, give a broad overview to the general public, further aid pol-icy-making and guidance efforts by regulators, and help decision-mak-ing for companies in this space .

The survey was initially open from 15 July until 15 August and was pro-longed briefly to allow for addition-al responses . Of the 78 responses, we found 68 meeting the require-ments, and these have thus been analysed . The survey was conducted using the survey tool Survey Monkey (www .surveymonkey .com) .

https://www.surveymonkey.com/

7


AboutThe International Association for Trusted Blockchain Applications (INATBA) brings together industry, startups and SMEs, policymakers, inter-national organisations, regulators, civil society, and standard-setting bodies to support blockchain and Distributed Ledger Technology (DLT) to be main-streamed and scaled-up across multiple sectors (inatba .org) .

The Privacy Working Group of INATBA gathers experts in privacy and blockchain from various jurisdictions . The Working Group’s goals are follow-ing: (i) analysis of the applicability of privacy regulations to blockchain tech-nology, (ii) advocating for blockchain-friendly interpretation of privacy regu-lations, and (iii) educating the industry about privacy regulations applicable to blockchain technology .

Goal of the SurveyThe survey’s goal was to identify better the specific challenges in privacy reg-ulations that organisations developing or implementing blockchain-based solutions will face . It was also essential for this study to determine how these organisations perceive applicable privacy regulations and if these regulations currently pose a limitation to the projects in progress . Finally, we were keen to learn how they have overcome problems with privacy compliance, what de-sign choices they made based on the legal requirements, and what further guidance or support would be most helpful for them to meet the privacy laws’ goals .

MethodThe survey was arranged by the co-chairs of INATBA’s Privacy Working Group, supported and reviewed by other members of INATBA’s Privacy Working Group .

The survey was publicly communicated and was designed to allow any organ-isation involved in the development or implementation of blockchain-based solutions to take part .

The survey was circulated among the members of INATBA via email and through INATBA’s Slack channels . In addition, information about the survey, along with a link to it, was published on INATBA’s official accounts on Twitter and Linkedin . Since the intention behind the survey was to reach out to the broader audience, members of the Privacy WG were encouraged to also circu-late the Survey using their contact networks .

While the survey was promoted on public channels such as social media, in special interest groups and by direct message, the greatest promotional ef-fort came through the INATBA channels, and as such, it is to be expected that a large portion of the respondents are also members or otherwise related to INATBA .

https://inatba.org/organization/

8


Questions AnalysisI. Description of the respondents (Questions: 1–9)

Questions 1–9 of the survey were dedicated to defining the respondents as well as their blockchain-based projects. The respondents were asked about the organisation’s size, business sector, jurisdictions of registration (seat of business), and operational activity. It was also requested to provide information concerning types of blockchains used in the developed projects and the project’s main focus (sectorial). Finally, we asked about the role of that particular person who completed the survey on behalf of his/her organisation.

Microcompanies

32.35%

20.59%

11.76%

17.65%

11.76%

2.94% 2.94%

Smallenterprises

Largeenterprises

Mediumenterprises

Not forprofit

Government Freelancers

Please tell us the size of your organisation

Size of the organisationPossible answers:

a) Micro company, startup

(50M turnover, €>43M balance sheet total)

d) Large enterprise (

9


More than half of all respondents (52 .94%) represented micro-companies/start-ups or small enterprises . What is also worth mentioning is that large enter-prises accounted for more respondents than medium enterprises — 17 .65% and 11 .76%, respectively . Only two respondents described themselves as freelancers (2 .94%) or representatives of governmental organisations (2 .94%) .

Jurisdiction of residence/business registrationThe vast majority of respondents — 83 .83% — came from Europe (EU member states, Great Britain or Switzerland were either their jurisdiction of residence or business registration) . From the EU member states dominant were Germa-ny (12 respondents — 17 .65%), Spain, Netherlands and Italy (all with six respond-ents — 8 .82%) and Luxembourg (5 respondents — 7 .35%) .

Jurisdictions of operational activityNote: Respondents could choose more than one jurisdiction .

EuropeanUnion

Europe(non-EU)

MiddleEast

NorthAmerica

CentralAmerica

SouthAmerica

Asia Africa Australiaand Oceania

88.24%

22.06% 20.59%27.94%

11.76%20.59%

27.94%

13.24% 10.29%

Please tell us the jurisdictionsof operational activity of your organisation

USA 5.58%UK 2.94%

Switzerland 4.41%

Spain 8.82%

Slovenia 1.47%

Singapore 2.94%

Poland 4.41%

Netherlands 8.82%

Luxembourg 7.35%

Austria 1.47%

Belgium 4.41%

Brazil 4.41%Denmark 1.47%

Estonia 1.47%France 4.41%

Germany 17.65%

Greece 1.47%India 1.47%

Ireland 4.41%

Israel 1.47%Italy 8.82%

Please tell us the jurisdiction of residence/business registration of your organisation

10


The most important outcome of the respondents’ answers is that almost 90% of the organisations operate in the EU . Not surprisingly, this corresponds with the results of the previous questions concerning the jurisdiction of residence/business activity . Only seven organisations out of 60, which chose the EU as its jurisdiction of operational activity, also chose all other regions (thus have a truly global scope) . Of all organisations that operate in Asia and North America, 89 .47% and 94 .74% of them, respectively, operate in the EU as well . The large number of EU-based participants can be explained by the primary reach of the promoting organisations and individuals .

Primary field of operationsThe majority of respondents were either entities active in the field of Technol-ogy, Media, Telecommunications (19 .12%), or more specifically in the field of blockchain development (39 .71%) . It is noteworthy that a relatively small num-ber of respondents represented crypto exchanges and other crypto services (2 .94%) or organisations providing financial services (8 .82%) .

Position in the organisationThe vast majority of the respondents representing Micro companies / Startups were either board members/owners or held a C-level position . On the other hand, for large enterprises, only 15% of the respondents were represented by the Board member/Owner or a C-level executive . For Medium enterprises, al-most 40% of the responses were given by IT specialists or developers and 25% by project managers — thus by people directly involved in the works on the blockchain-based solution implemented in the organisations they represented .

Primary field of operations of your organisation

TMT (Technology, Media,Telecomunications)

19.12%Crypto exchanges andother crypto services

2.94%

Financial Services 8.82%

Energy and resources 1.47%

Consumer products 1.47%

Travel, hospitalityand services

1.47%

Higher education(private)

1.47%

Agricultural productsand food processing

1.47%

Retail, wholesaleand distribution

1.47%

Other (please specify) 1.47%

Professional services 11,76%

Government andpublic services

7.35%

Blockchain development(platforms, protocols,

blockchain-based applications)

39.71%

11


No DPO answered the questions (irrespective of the size of the organisation) . Other categories do not show any strong tendency .

Main focus of the ProjectAlmost a third of all respondents (32 .14%) were working on the project, mainly focused on a blockchain protocol/platform . A significant number of respond-ents represented projects whose primary focus was fintech and cryptocurren-cies (21 .43%) . It is also worth mentioning that 10 .71% of respondent’s projects focused mainly on blockchain solutions in the supply chain and 7 .14% in data sharing .

Boa

rd m

emb

er/

Ow

ner

/Fou

nd

er

C-le

vel

exec

uti

ve

Mem

ber

of a

leg

ald

epar

tmen

t

Dat

a P

rote

ctio

nO

ffice

r

IT S

pec

ialis

t/d

evel

oper

Pro

ject

Man

ager

Mem

ber

of a

com

mu

nic

atio

ns/

mar

keti

ng

/bu

sin

ess

dev

elop

men

t d

epar

tmen

t

Res

earc

h fe

llow

/in

nov

atio

n d

epar

tmen

t

Oth

er(p

leas

e sp

ecify

)

35.29%

10.29%

0.00%4.41%

10.29%

17.65%

8.82% 7.35% 5.88%

What is your position in the organisation?

Pro

toco

l/pla

tfor

m

Fin

tech

Cry

pto

curr

enci

es

Sup

ply

ch

ain

s

Loya

lty p

rog

ram

s

Cro

wd

fun

din

g

Dat

a sh

arin

g

Inte

rnet

of T

hin

gs

Com

mod

itie

s

Rea

l Est

ate

Hea

lth

care

En

erg

y

Gam

ing

Au

tom

otiv

e

Man

ufa

ctu

ring

Pu

blic

ser

vice

s

Inte

llect

ual

Pro

per

ty ri

gh

ts

Dig

ital

vot

ing

Oth

er

32.14

%

17.8

6%

3.57

%

10.7

1%

0.0

0%

1.79%

1.79%

1.79%

1.79%3.57

%

3.57

% 8.9

3%

5.36

%

7.14

%

0.0

0%

0.0

0%

0.0

0%

0.0

0%

0.0

0%

What is the main focus of your Project?

12


Types of Blockchain ProjectsMost of the projects represented in the survey were based on either public per-missionless blockchains (28 .57%) or a hybrid of different types of blockchains (30 .36%) . Public permissioned blockchains constituted 21 .43% and private per-missioned 17 .86% of all respondents .

One organisation identified the blockchain type upon which its project is based as private permissionless blockchain . Such choice might be considered either as a mistake or misunderstanding since it is now commonly recognized that there is no such category of blockchain types as private permissioned (see: the works of the ISO TC307 committee, in particular the project TS23635 or the WEF report on Supply-Chain and Framework for Blockchains under interoper-ability 2020) .

Additional comment to blockchain types and data control:

Public and private variants of blockchain are distinguished by the visibility of data on the ledger . The private variants are limited to authorized participants . Public blockchains can either be “permissioned” or “permissionless”, which re-fers to the right to attach blocks to the chain .

Essentially, the controllers’ activity is automated by the governance of the blockchain, which means that the controllership provides a new dimension to the administration of rights, corporate management, and auditing . Accounta-bility is a key factor, hence the approach to the blockchain or DLT types would be more accurate for users and consumer protection facets .

Out of all the presented blockchain types in the survey (i .e . public permission-less, public permissioned etc .), only one blockchain company claimed that they were a private permissionless network (Question 8) . This highlights a common

Hybrid/other 30.36%

Public permissionlessblockchain

28.57%

Public permissioned 21.43%

Private permissioned 17.86%

Private permissionless 1.79%

What is the blockchain type your project is based upon?

https://www.iso.org/committee/6266604.htmlhttp://www3.weforum.org/docs/WEF_A_Framework_for_Blockchain_Interoperability_2020.pdfhttp://www3.weforum.org/docs/WEF_A_Framework_for_Blockchain_Interoperability_2020.pdf

13


issue in blockchain networks’ typology, which claim that it is impossible to have a private permissionless network .

It is important to clarify the blockchain types, as it is a prerequisite to clarifying the different participants’ roles on the network . For example, it is harder to hold a decentralised autonomous organisation accountable than a company that is part of (or owns) a private permissioned blockchain network .

Despite the recently released EDPB’s Guidelines 07/2020 (EDPB — Guidelines 07/2020 on the controller and processor concepts in the GDPR), additional clarification is needed on the controllership specifically relating to blockchain . Over 50% of respondents failed to assign controllership roles, with the majority attributing this to a lack of guidance . Some companies had such a lack of clar-ification that they were even afraid to choose any options at all (Question 21) . This is a clear indication of why almost half of the respondents have failed to complete data processing agreements (Question 23) . There is a strong prob-ability that this lack of guidance would mean that even the concluded data processing agreements could include legal errors .

Type of the blockchain protocol used for the projectPossible answers:

7.14%

39.29%

0.00%

21.43%

1.79%

30.36%

0.00% 0.00% 0.00% 0.00%

Bes

pok

e,ta

ilor-

mad

ep

roto

col

Eth

ereu

m

Rip

ple

Hyp

erle

dg

er

R3’

s C

ord

a

Stel

lar

EO

S

Tezo

s

Cos

mos

Oth

er

What type of blockchain protocol is your Project based upon?

a) Bespoke, tailor-made protocol;

b) Ethereum;

c) Ripple;

d) Hyperledger;

e) R3’s Corda;

f) Stellar;

g) Cosmos;

h) EOS;

i) Tezos;

j) Other .

More than 60% of the respondents based their blockchain projects either on Ethereum or on Hyperledger . Interestingly, more than 30% of the respondents claimed to use blockchain types other than those depicted in the available an-swers . Only four respondents of the survey use bespoke, tailor-made protocols .

14


II. Other Questions (10–28)

Q10 — Awareness of privacy regulationsQuestion: “Are you aware of the privacy regulations applicable to your Project(s)?”

78.57%

21.43%

0.00%

Yes NoYes, but onlyto some extent

Overall, 68% of respondents stated that they are knowledgeable on privacy regulations, 18% stated that they had limited knowledge and 14% provided no answer to the question . The breakdown by organisation type and size shows results across the groups within the same statistical norms, leading to the con-clusion that enterprise size and dodoes not significantly impact knowledge of regulation among the respondents .

Breaking this down by organisation size and type:

Government (2 responses) showed at 50/50% split across knowledge and limited knowledge

Large Enterprise (11 responses) showed 64% being knowledgeable, 27% with limited knowledge and 9% with no response

Medium Enterprise (8 responses) showed 63% being knowledgeable, 13% with limited knowledge and 25% with no response

Small Enterprise (14 responses) showed 86% being knowledgeable, 7% with limited knowledge and 7% with no response

Micro/Startups (8 responses) showed 59% being knowledgeable, 23% with limited knowledge and 18% with no response

Non-profits (8 responses) showed 75% being knowledgeable, 13% with lim-ited knowledge and 13% with no response

Questions 10–28 concentrated on the respondents’ efforts to comply with applicable privacy regulations, their knowledge about the appli-cable data privacy regulations, and potential limitations imposed on their projects by the applicable privacy regulations.

15


Q11 — Primary responsibility for privacy complianceQuestion: “Who in your organisation is primarily responsible for meeting the requirements as set forth in the applicable privacy regulation(s)?”

C-level Management 41.07%

IT Management 8.93%Legal department 19,64%

Data Protection Officer 12.50%

Other 17.86%

The results show that the primary responsibility for privacy compliance in more than 40% of the organisations participating in the survey was on C-level man-agement . In more than 30% of the organisations, it was either a DPO or a Legal department which took care of the privacy compliance (12 .50% and 19 .64%, re-spectively) .

When comparing the answers to this question with the size of the organisa-tions of particular respondents, it is usually C-level Management which is re-sponsible for meeting the privacy requirements within micro-companies/startups and within small enterprises (72 .22% and 58 .85% respectively) . On the other hand, the situation changes in medium and large enterprises where such matters are usually dealt with by DPOs or legal departments .

Q12 — Efforts to meet privacy requirementsQuestion: “Have you made efforts to meet the requirements of the applica-ble privacy regulation(s)?”Have you made efforts to meet the requirements of the applicableprivacy regulation(s)?

Yes No

89.29% 10.71%

Fewer projects incorporating public permissionless blockchains have made such efforts, than those with other types . All private blockchain projects indi-cated they have made efforts .

Overall 77% of respondents stated that regulatory compliance is a strategic pri-ority for their organisation, 9% stated that it was not a strategic priority and 14% declined to provide any answer . The breakdown by organisation type and size shows results across the groups within the same statistical norms, leading to

16


the conclusion that enterprise size and type does not have a significant impact on the efforts made to comply .

Further breakdown by organisation size and type:

Government (2 responses) 100% indicated a strategic priority Large Enterprise (11 responses) showed 82% having a strategic priority, 9%

not having one and 9% declining to answer Medium Enterprise (8 responses) showed 50% having a strategic priority,

25% not having one and 25% declining to answer Small Enterprise (14 responses) showed 86% having a strategic priority, 7%

not having one and 7% declining to answer Micro/Startups (8 responses) showed 82% having a strategic priority and

18% with no response Non-profits (8 responses) showed 63% having a strategic priority, 25% not

having one and 13% declining to answer

Q13 — Strategic priority of privacy complianceQuestion: “Is meeting the requirements of applicable privacy regulation(s) a strategic priority (e.g. addressed and prioritized at C-level)?”Is meeting the requirements of applicable privacy regulation(s)a strategic priority (e.g. addressed and prioritized at C-level)?

Yes No

89.29% 10.71%

For the prevailing number of organisations (89 .29%), meeting the requirements of applicable privacy regulations is a strategic priority . That is essential informa-tion, primarily because all types of organisations, irrespective of their size, pri-mary business, or the kind of protocol their blockchain projects are based upon, consider privacy compliance as a serious matter that has to be taken into ac-count in the process of developing or implementing blockchain-based solutions .

Q14 — Conducting formal data protection assessmentsQuestion: “Have you conducted any kind of formal data protection assess-ment on your Project (e.g. DPIA)?”Have you conducted any kind of formal data protection assessment on your Project (e.g. DPIA)?

No Yes, the most important focus pointsfor such an assessment were:

55.36% 44.64%

As it was mentioned before (Question 10), 68% of the respondents stated that they are aware of the applicable privacy regulations . Furthermore, for almost 90% of the organisations, meeting the applicable privacy regulations’ require-ments is a strategic priority (Question 13) . Taking all that into account, one may be surprised that only 44 .64% of all the respondents conducted any kind of formal data protection assessment on their projects (e .g . DPIA) . Having in mind

17


the potential consequences of using blockchain technology for storing or refer-ring to any form of personal data, such results may show that either:

There’s not enough awareness of the existing requirements for conducting formal data protection assessment, especially among organisations devel-oping or implementing blockchain projects;

Conducting a formal data protection assessment requires too much effort from the organisations developing or implementing blockchain projects; or

Advantages of formal data protection assessments are either considered not precise enough, or they are not overruling the costs involved .

Less public permissionless-focussed projects have done a DPIA compared to other blockchain types .

Q15 — Main privacy issuesQuestion: “What were the main privacy issues related to your Project? (Please include as many issues as you’d like)”

Possible answers:

a) Storage of personal data (on chain, off-chain)

b) Anonymization techniques

c) Consideration of public keys as personal data

d) Data Subject rights

e) Defining roles and responsibilities (processors/controllers)

f) Cross-border data transfers

g) Legal basis for processing of the personal data

Con

sid

erat

ion

of p

ub

lic k

eys

as p

erso

nal

dat

a

An

onym

izat

ion

tech

niq

ues

Dat

a Su

bje

ctrig

hts

Defi

nin

g ro

les

and

resp

onsi

bili

tes

(pro

cess

ors/

con

trol

lers

)

Cro

ss-b

ord

erd

ata

tran

sfer

s

Leg

al b

asis

for

pro

cess

ing

of t

he

per

son

al d

ata

Stor

age

of p

erso

nal

dat

a(o

n c

hai

n, o

ff-ch

ain

)

Info

rmin

g d

ata

sub

ject

sof

th

eir

righ

ts

Oth

er(p

leas

e sp

ecify

)What were the main privacy issues related to your Project?(Please include as many issues as you'd like)

48.78%53.66%

41.46%36.59% 34.15% 34.15%

68.29%

21.95%14.63%

18


h) Informing data subjects of their rights

i) Other (please specify)

For more than half of the respondents, or very close to 50%, issues like storage of personal data (on-chain/off-chain), anonymization techniques, and consid-eration of public keys as personal data pose the most critical issues in privacy compliance . Interestingly, the same pattern can be observed when analyzing replies collected only from micro-companies / startups and small enterprises .

For the respondents developing blockchain projects focusing on protocols/platforms, the most important issues were (in the following order): consider-ation of public keys as personal data (66%); data subject rights (60%); defin-ing roles and responsibilities (processors/controllers) (53%) and anonymization techniques (53%) .

Q16 — Off-chain personal dataQuestion: “Do you store personal data off-chain in your Project?”Do you store personal data off-chain in your Project?

Yes No

82.93% 17.07%

A substantial fraction of the projects needs to store personal data off-chain; therefore it is natural to need some forms of encoding to refer to them on-chain, and the answers to Q15 show that a major clarification is needed de-fining what a GDPR-compliant encoding of personal data is . Having just an answer “No” does not show the full picture because the respondents may not store the personal data off-chain but store it on-chain instead, or they may not store any personal data at all .

Q17 — Personal data on-chainQuestion: “How do you store or refer to personal data on-chain?”

Possible answers:

a) No personal data is stored on-chain neither does any reference is made to it

b) Encrypted

c) Hashed

d) With the use of Zero-knowledge proofs

e) Hashed with salted hashes

f) Hashed with peppered hashes

g) With ring-signatures

h) With noise addition

i) In plain text

j) Other (please specify)

19


52 .50% of all respondents claim that no personal data is stored on-chain in their projects, nor is any reference made to it . Nevertheless, all other blockchain pro-jects developed or implemented by the respondents refer to personal data in one way or another . Interestingly, 20% uses zero-knowledge proofs when storing or referring to personal data on-chain . Finally, there was no clearly distinguisha-ble pattern found when interpreting the answers to this question in the context of a blockchain type used or the project’s primary focus . It deserves recognition that none of the respondents stored personal data on-chain in plain text .

Q18 — Methods of storing personal data on-chainQuestion: “If possible, please provide additional details about the methods of storing or referring to personal data on-chain”

Some examples of the given answers:

“Registered databases in legal institutions” “Data Control Platform like: https://ironcorelabs .com/products/data-con-

trol-platform/” “Hash is the simplest way at this stage, to be compliant with privacy require-

ments .” “Use Hyperledger Indy to create and manage DIDs for use in blockchain

systems .” “Use https://github .com/ReCheck-io/recheck-sdk”

No

per

son

al d

ata

is s

tore

d o

n c

hai

nn

eith

er d

oes

any

refe

ren

ce is

mad

e to

it

In p

lain

text

En

cryp

ted

Has

hed

Has

hed

wit

hsa

lted

has

hes

Has

hed

wit

h w

ith

pep

per

ed h

ash

es

Wit

h t

he

use

of

Zero

-kn

owle

dg

e p

roof

s

Wit

h n

oise

add

itio

n

Wit

h ri

ng

-sig

nat

ure

s

Oth

er(p

leas

e sp

ecify

)

52.50%

0.00%

25.00% 22.50%

15.00%

5.00%

20.00%

2.50%5.00%

12.50%

How do you store or refer to personal data on-chain?

20


“We usually use a perfectly hiding commitment scheme like Pedersen91 . This hides the personal data in full, even a quantum computer would not be able to get access to it . Whenever personal data on-chain must be used, we use zero-knowledge proofs referring to the committed data . Additionally, when data are encoded on-chain we also use designated-verifier non-inter-active zero-knowledge proofs in order to also guarantee that the encoded data is well formed, and moreover protecting data owners from coercion .”

Interestingly, personal data are not stored on-chain in some projects because of concerns about compliance with privacy requirements, following best prac-tices, and/or illogical operations . Q17 and Q18 together show that there are or-thogonal opinions about encoding personal data on-chain . It could depend on lack of knowledge of advanced, blockchain-specific cryptographic techniques in some cases (mostly because they are not standardized), a lack of respec-tive well-established and easily utilizable programming abstractions and tool-chains, or too conservative or too flexible interpretations of privacy regulations .

Q19 — Use cases for storing personal data on a blockchainQuestion: “Do you think any use cases inside or outside of your Project could benefit from having personal data directly (not just hashes) on a blockchain, either encrypted or in clear text?”

Do you think any use cases inside or outside of your Project could benefitfrom having personal data directly (not just hashes) on a blockchain,either encrypted or in clear text?

No Yes, please providedetailed examples

68.29% 31.71%

While a prevailing number of respondents consider storing personal data on-chain as not advisable, almost a third of them think exactly the opposite . Exam-ples provided by them are the following:

“Edge Device with Device ID blockchain — Digital and physical connect .” “In cases of publicly available data — legal proceedings, land registry, etc .” “Possibly, where personal identity is also a brand eg influencer, YouTuber,

etc . Where online footprints can be monetised as a sort of tokenized social capital . Also, in organic farming — the farmer, their land and their produce are all certified organic . The farmer and the farm are publicly identified on the organic certificate . If this is already in the public domain, for correct business purposes, it should therefore also be available on relevant supply transparency platforms .”

“Certainly . When smart contracts need to make computation on personal data and such computation are triggered by other events, there is no other choice than having personal data on chain, even encrypted, to then allow the smart contract to use them .”

“Universal Online-Judicial for humankind crimes so data or metadata should be resolvable from the owner as well as collateral data produced for the owner” .

“E-Invoice” . “DRM Storing of certificates” .

21


Further conclusions of the responses to Q15–Q19

There are two orthogonal opinions about personal data appearing on the blockchain . The former strongly discourages the use of public data on the blockchain, considering it dangerous or illogical unless data is encoded through a cryptographic hash . The latter instead takes advantage of per-sonal data appearing on a blockchain even when using more explicative encodings . For example, encryption, along with a zero-knowledge proof as-sessing some properties about the encrypted message, can appear on the blockchain in order to preserve the privacy of the message and, at the same time, guaranteeing possession of a credential .

According to the answers, we can identify two main reasons explaining the gap between those two diverging opinions .

In some cases, the former is that the available expertise on cryptographic tools is limited to the basic/standardized schemes, and they are often insuf-ficient to perform computations on personal data appearing on the block-chain in some encrypted form . Knowledge of advanced cryptographic tools (e .g ., zero knowledge proofs, homomorphic encryption, secure multi-par-ty computation) allows one to perform publicly verifiable computations through a blockchain, still preserving data confidentiality, thus offering ad-ditional power to system designers .

The latter is that there still are misunderstandings on how measures like encrypting data and proving properties of the encrypted data can be used to implement on-chain functionality on personal data while still meeting legal requirements / without revealing the data itself . However, uncertainty still exists concerning the conclusive legal assessment of some core issues of such approaches (such as, for instance, whether or in what cases the use of public keys as references implies applicability of the GDPR) .

Whenever there is a conservative interpretation, personal data on the block-chain is considered risky and discouraged . Instead, when there is a more flexible/liberal interpretation, personal data available on the blockchain gives system designers more options .

Finally, it is clear that a lack of communication on the existing clarifications (or perhaps the non-existence of such clarifications) of the definition of per-sonal data (in particular for GDPR compliance) is slowing down DLT pro-jects .

Many projects deal with personal data. Personal data are kept only off-chain, wholly disconnected from what appears on a blockchain in some cases. Instead, in many other cases, personal data appear on a blockchain, using some specific encoding.

22


Q20 — Defining controllershipQuestion: “If you deal with personal data (also pseudonymised personal data) on a public permissionless blockchain, how have you defined con-trollership of that data? (the ‘controller’ alone or jointly with others, deter-mines the purposes and means of the processing of personal data)”

Every nodeas a data controller

14.71%

I haven't definedcontrollership

52.94%

Full nodes asdata controllers

5.88%

Apps andsmart contracts

as data controllers

14.71%

Network user(Participant)

as a data controller

5.88%

Protocol andsoftware developers

as data controllers

5.88%

What is certainly interesting is that more than half of all respondents (approxi-mately 53%) have not defined controllership in their blockchain projects, even though this issue is crucial for privacy compliance under e .g . the GDPR . Re-spondents with projects based on Ethereum or “Other” protocol/platform have not defined controllership even more often (65% and 67% respectively) .

“Every node as a data controller” and “DApps and smart contracts as data con-trollers,” thus approaches considered as possible by various commentators, were also widely chosen by the respondents with approximately 15% attributed to each option .

Q21 — Reasons for not defining controllershipQuestion: “If you have not defined data controllership, what are the rea-sons for that decision?”

If you have not defined data controllership, what are the reasons for that decision?

No clearguidance

Afraid fromchoosingone option

Other(please specify)

56.00% 12.00% 32.00%

While most of the respondents (56%) who did not define data controllership did so due to a lack of clear guidance, some other respondents were basically

23


afraid of choosing one particular option (which may also confirm lack of clear guidance) .

32% of the respondents did not define controllership in their projects due to some other reasons . Some of them mentioned following reasons:

“We don’t specify, we leave that to developers” “We don’t use public blockchain - one of the reasons we decided not to use

public blockchain (not the only one) is that isn’t clear for us how to define controllership in our use case”

“No personal data” “We avoid to store privacy info on-chain in the first place” “Controllership cannot be “defined” by an agency but is defined by law . We

have analyzed the system to see who is the controller . But GDPR does allow to “define” a controller only for the EU and member states by law . (Art . 4 .7 GDPR)”

Q22 — Joint-controllershipQuestion: “Do you argue for joint controllership? If yes, provide information on how (who are considered joint controllers)(Where two or more control-lers jointly determine the purposes and means of processing, they shall be joint controllers.)”

Do you argue for joint controllership?If yes, provide information on how (who are considered joint controllers)(Where two or more controllers jointly determine the purposes and meansof processing, they shall be joint controllers.)

No 42.86%

Yes, with all nodesas joint-controllers

20.00%

Yes, with all full nodesas joint-controllers

5.71%

Yes, with other,specific type of nodes

as joint controllers

5.71%

Yes, with protocol andsoftware developers


8.57%

Yes, with other actorsas joint controllers

(please specify)

17.14%

Question 22 reveals an almost 50/50 divide between blockchain networks that base their projects upon joint controllership and those that do not .

Mapping the results from Question 8 to Question 22 revealed no consensus amongst the public permissionless blockchain networks on how to explain joint controllership .

Across all blockchain types, 24% of the blockchain networks said that all nodes were joint controllers .

24


Interestingly, only public permissionless and public permissioned blockchains categorised the protocol and software developers as joint controllers .

Approximately 17% chose the option “other actors as joint controllers” and pro-vided the following explanations:

“We can offer split control if desired”; “Issuers, attestors”; “Think there are situations of joint controllers . For example, when the service

belongs to the network as a whole (and not to a particular node) . For exam-ple, a public service of notarization .”;

“The data owner should be controller“; “Threshold secret sharing allows multiple parties to jointly store personal

data so that only when enough parties gather their secret data then per-sonal data can be reconstructed .”

Q23 — Data protection agreements in placeQuestion: “Do you have data processing agreements in place for the partic-ipants of your blockchain network?”

Surprisingly, almost half of the respondents (approximately 47%) do not have any data processing agreements in place in their blockchain-based projects — even though, in some cases, it may be required by the applica-ble data protection regulations . From those respondents who do have any data processing agreements in place, the majority (approximately 34% of all answers) integrated them in the current terms & conditions or the privacy policies .

25


Noteworthy, 76% of the respondents whose projects focus on fintech did have data processing agreements in place, either integrated or in a form of separate electronic agreements or integrated in the existing terms and conditions or privacy policies .

Q24 — Is regulation helpful?Question: “Do you perceive the applicable regulation(s) to be helpful or lim-iting for your business?”Do you perceive the applicable regulation(s) to be helpful or limitingfor your business?

Helpful Limiting

48.65% 51.35%

The majority of micro-companies/startups (64%) and not for profit organisa-tions (75%) find the applicable privacy regulations limiting for their businesses . Most of the small enterprises (78%) and large enterprises (83%), on the other hand, perceive such regulations as helpful .

Interestingly enough, 71% of the respondents developing projects based on public permissionless blockchains and 67% of those whose projects are based on public permissioned blockchains consider the existing privacy regulations as limiting for their businesses .

Answers provided by the respondents developing blockchain projects focusing on protocol/platform or fintech were almost evenly distributed (close to 50%/50%)

Q25 — Are existing publications helpful?Question: “Have you found existing, official publications, guidance etc. as sufficient for making your Project compliant with applicable data privacy regulations?”

No Yes, in a form ofseparate written

agreements

Yes, in a formof separateelectronic

agreements

Yes, integratedin the existing terms

& conditions orin the privacy policy

Yes, in a formof smartcontracts

47.37%

10.53%7.89%

34.21%

0.00%

Do you have data processing agreements in place for the participantsof your blockchain network?

26


52.63%47.37%

0.00%

Have you found existing, official publications, guidances etc. as sufficient for making your Project compliant with applicable data privacyregulations?

Yes No No, because

A small majority (20 out of 38 respondents) found the existing official publica-tions and guidelines sufficient for making their projects compliant with appli-cable data privacy regulations . Respondents not finding the current publica-tions and guidance helpful (18):

a) Have indicated a lack of guidance (which also may point to non-awareness):

“Not found”; “Haven’t seen any guidance”;

b) Have stated that guidance came too late:

“Our GDPR position was developed before such publications”, or

c) Have mentioned guidance to date is confusing or conflicting

“Regulations are ambiguous” “We were unable to get final clarity on GDPR related questions . . .”)

Q26 — What would be most helpful when working on the compliance of a blockchain project?Question: “Which of the following would be most helpful when working on data privacy compliance of your Project?”Which of the following would be most helpful when working on data privacycompliance of your Project?

Clear interpretationof the applicable

regulation in termsof its applicability to

blockchain technology

39.47%

Official guidelines released by the

authorities orgovernmental bodies

39.47%

Guidelines and recommendations

published bynon-governmental

organisations,advisory bodies

5.26%

Changes to the existing applicable regulation

7.89%


27


When asked what would be most helpful when working on data privacy com-pliance, the respondents chose both official guidelines released by the au-thorities or clear interpretation of applicable regulations as the favorite options . Fewer than 20% was attributed to other options .

Q27 — Impact on non-yet-developed projectsQuestion: “What other projects or technologies would you have developed or implemented if you weren’t bound by applicable privacy regulations?”

Answers provided by the respondents do not show any general pattern - they refer to various potential projects that, in the opinion of respondents, cannot be developed in compliance with the existing privacy regulations .

Examples of the answers provided by the respondents:

“Cloud computing” “Identity solution” “It would be easier to include people in our use cases . Today we only deal

with legal entities” “SSI / TOIP” “AI, VR, AR and Multimedia in general” “Common certified physical address database” “DLT Farming land registry” “For managing ownership on blockchain” “KYC” “Projects dealing with personal data on permissionless blockchains”

Q28 — Privacy vs. innovationQuestion: “With which of the following statements do you agree most: 1) Guar-anteeing privacy is more important to me that the innovation that my Project brings; 2) Privacy can still be guaranteed when innovating; 3) Innovation that my Project brings is more important to me than guaranteeing privacy.”With which of the following statements do you agree most:

Guaranteeing privacyis more important

to me that theinnovation that

my Project brings

10.53%

Innovation that my Project brings is more important to me than guaranteeing privacy

2.63%

Privacy can still be guaranteed when

innovating

86.84%

28


Many respondents believed that privacy can still be guaranteed while inno-vating, while a small number of respondents (4) find privacy more important than innovation . Only one respondent finds innovation more important than privacy .

Respondents from all medium and large enterprises and not-for-profits an-swered that privacy can still be guaranteed when innovating . On the other hand, the percentage of respondents from micro-companies / startups and small enterprises claimed that guaranteeing privacy is more important than innovation was slightly higher than in the overall results (11% and 14%, respec-tively) .

29


List of respondentsRespondents that have agreed to be disclosed as participants of this survey:

Ironcore Labs KDPW Sp . z o .o . ReCheck BV KYC3 sarl DigitelTS Arianee De Volksbank SettleMint CargoX Ltd . Mangrovia Blockchain Solutions La Poste Enduringnet .org Origin Chain Networks Power of Chain Consultancy LLC Lisk Foundation Blockchain ITALIA, Srl Scorechain University of Geneva KUNFUD CERO SEIS S .L Europechain Brickblock Digital Services Gmbh SIA Infrachain The Blockchain Academy® Jolocom Difacturo GmbH University of Salerno Sedicii DLC Distributed Ledger Consulting GmbH

30


LimitationsThere were several limitations in the survey, some of which were known up-front, and others have been identified while collecting or analysing the results, including:

It is not possible to say that the group of respondents to the survey consti-tuted a representative sample of the blockchain industry and other organisa-tions involved in implementing blockchain-based solutions . Participation was self-selective, and the information about the survey might not have reached all potentially interested parties (i .e ., most likely organisations with a general interest in policy-related issues may have gotten aware of the survey through INATBA’s channels or those with interest in privacy-related questions may have participated in the survey) .

Within larger organisations, the responsibilities and insights needed to answer all questions in the survey are often spread between different roles or depart-ments, making coherent response difficult . This presumably resulted in an-swers of lower quality (with less precision), skipped questions or abandoned responses .

There were a relatively high amount of skipped questions, presumably because either the answers were not known or because the respondents were not con-fident revealing the information as it may indicate non-compliance or a very liberal implementation of the applicable regulations .

The survey indicated that results would be handled anonymously, yet asked for the company name (required at the beginning of the survey) to ensure there won’t be duplicate entries, and asked for the possibility to be mentioned and to be contacted for follow up questions, thus asking for an email address (at the end) .

There was relatively low participation (responses from only 68 respondents out of 78 were taken into consideration when analyzing the survey) .

These limitations notwithstanding, we deem the results presented herein to provide valuable indicators about privacy-related issues perceived particularly relevant and crucial in the relevant industry community . They may therefore serve as a helpful basis for shaping privacy-related policy discussions in the blockchain context .

31


Annex. List of Questions

Q1 Please specify the name of your organisation

Answered: 68 Skipped: 0

Q2 Please tell us the size of your organisation


Microcompanies

32.35%

20.59%

11.76%

17.65%

11.76%

2.94% 2.94%

Smallenterprises

Largeenterprises

Mediumenterprises

Not forprofit

Government Freelancers

Please tell us the size of your organisation

Answer choices Responses

Micro company/Startup (

32


Q3 Please tell us the jurisdiction of residence/business registration of your organisation


USA 5.58%UK 2.94%

Switzerland 4.41%

Spain 8.82%

Slovenia 1.47%

Singapore 2.94%

Poland 4.41%

Netherlands 8.82%

Luxembourg 7.35%

Austria 1.47%

Belgium 4.41%

Brazil 4.41%Denmark 1.47%

Estonia 1.47%France 4.41%

Germany 17.65%

Greece 1.47%India 1.47%

Ireland 4.41%

Israel 1.47%Italy 8.82%

Please tell us the jurisdiction of residence/business registration of your organisation


Austria 1 .47% 1

Belgium 4 .41% 3

Brazil 4 .41% 3

Denmark 1 .47% 1

Estonia 1 .47% 1

France 4 .41% 3

Germany 17 .65% 12

Greece 1 .47% 1

India 1 .47% 1

Ireland 4 .41% 3

Israel 1 .47% 1

Italy 8 .82% 6

Luxembourg 7 .35% 5

Netherlands 8 .82% 6

Poland 4 .41% 3

Singapore 2 .94% 2

Slovenia 1 .47% 1

Spain 8 .82% 6

33



Switzerland 4 .41% 3

United Kingdom 2 .94% 2

United States of America 5 .88% 4

TOTAL 68

Q4 Please tell us the jurisdictions of operational activity of your organisation


EuropeanUnion

Europe(non-EU)

MiddleEast

NorthAmerica

CentralAmerica

SouthAmerica

Asia Africa Australiaand Oceania

88.24%

22.06% 20.59%

27.94%

11.76%

20.59%

27.94%

13.24%10.29%

Please tell us the jurisdictionsof operational activity of your organisation


European Union 88 .24% 60

North America 27 .94% 19

Asia 27 .94% 19

Europe (non-EU) 22 .06% 15

Middle East 20 .59% 14

South America 20 .59% 14

Africa 13 .24% 9

Central America 11 .76% 8

Australia and Oceania 10 .29% 7

TOTAL 68

34


Q5 Primary field of operations of your organisation

Answered: 68 Skipped: 0Primary field of operations of your organisation

TMT (Technology, Media,Telecomunications)

19.12%Crypto exchanges andother crypto services

2.94%

Financial Services 8.82%

Energy and resources 1.47%

Consumer products 1.47%

Travel, hospitalityand services

1.47%

Higher education(private)

1.47%

Agricultural productsand food processing

1.47%

Retail, wholesaleand distribution

1.47%


Professional services 11,76%

Government andpublic services

7.35%

Blockchain development(platforms, protocols,

blockchain-based applications)

39.71%


Blockchain development (platforms, protocols, blockchain-based applications)

39 .71% 27

TMT (Technology, Media, Telecomunications) 19 .12% 13

Professional services 11 .76% 8

Financial Services 8 .82% 6

Government and public services 7 .35% 5

Crypto exchanges and other crypto services 2 .94% 2

Energy and resources 1 .47% 1

Consumer products 1 .47% 1

Travel, hospitality and services 1 .47% 1

Higher education (private) 1 .47% 1

Agricultural products and food processing 1 .47% 1

Retail, wholesale and distribution 1 .47% 1

Other (please specify) 1 .47% 1

Manufacturing (other than food) 0 .00% 0

Industrial products and construction 0 .00% 0

Life sciences and health care 0 .00% 0

35



Automotive 0 .00% 0

Aerospace and defence 0 .00% 0

TOTAL 68

Q6 What is your position in the organisation?


Boa

rd m

emb

er/

Ow

ner

/Fou

nd

er

C-le

vel

exec

uti

ve

Mem

ber

of a

leg

ald

epar

tmen

t

Dat

a P

rote

ctio

nO

ffice

r

IT S

pec

ialis

t/d

evel

oper

Pro

ject

Man

ager

Mem

ber

of a

com

mu

nic

atio

ns/

mar

keti

ng

/bu

sin

ess

dev

elop

men

t d

epar

tmen

t

Res

earc

h fe

llow

/in

nov

atio

n d

epar

tmen

t

Oth

er(p

leas

e sp

ecify

)

35.29%

10.29%

0.00%4.41%

10.29%

17.65%

8.82% 7.35% 5.88%

What is your position in the organisation?


Board member/Owner/Founder 35 .29% 24

C-level executive 10 .29% 7

Data Protection Officer 0 .00% 0

Member of a legal department 4 .41% 3

IT specialist/developer 10 .29% 7

Project Manager 17 .65% 12

Member of a communications/marketing/business develop-ment department

8 .82% 6

Research fellow/innovation department 7 .35% 5


TOTAL 68

36


Q7 What is the main focus of your Project?

Answered: 56 Skipped: 12P

roto

col/p

latf

orm

Fin

tech

Cry

pto

curr

enci

es

Sup

ply

ch

ain

s

Loya

lty p

rog

ram

s

Cro

wd

fun

din

g

Dat

a sh

arin

g

Inte

rnet

of T

hin

gs

Com

mod

itie

s

Rea

l Est

ate

Hea

lth

care

En

erg

y

Gam

ing

Au

tom

otiv

e

Man

ufa

ctu

ring

Pu

blic

ser

vice

s

Inte

llect

ual

Pro

per

ty ri

gh

ts

Dig

ital

vot

ing

Oth

er

32.14

%

17.8

6%

3.57

%

10.7

1%

0.0

0%

1.79%

1.79%

1.79%

1.79%3.57

%

3.57

% 8.9

3%

5.36

%

7.14

%

0.0

0%

0.0

0%

0.0

0%

0.0

0%

0.0

0%

What is the main focus of your Project?


Protocol/platform 32 .14% 18

Fintech 17 .86% 10

Cryptocurrencies 3 .57% 2

Supply chains 10 .71% 6

Loyalty programs 0 .00% 0

Crowdfunding 1 .79% 1

Data sharing 7 .14% 4

Internet of Things 0 .00% 0

Commodities 1 .79% 1

Real Estate 5 .36% 3

Healthcare 0 .00% 0

Energy 1 .79% 1

Gaming 0 .00% 0

Automotive 0 .00% 0

Manufacturing 0 .00% 0

Public services 3 .57% 2

Intellectual Property rights 1 .79% 1

Digital voting 3 .57% 2

Other 8 .93% 5

TOTAL 56

37


Q8 What is the blockchain type your project is based upon?


Hybrid/other 30.36%

Public permissionlessblockchain

28.57%

Public permissioned 21.43%

Private permissioned 17.86%

Private permissionless 1.79%

What is the blockchain type your project is based upon?


Public permissionless blockchain 28 .57% 16

Public permissioned 21 .43% 12

Private permissionless 1 .79% 1

Private permissioned 17 .86% 10

Hybrid/other 30 .36% 17

TOTAL 56

Q9 What type of blockchain protocol is your Project based upon?


7.14%

39.29%

0.00%

21.43%

1.79%

30.36%

0.00% 0.00% 0.00% 0.00%

Bes

pok

e,ta

ilor-

mad

ep

roto

col

Eth

ereu

m

Rip

ple

Hyp

erle

dg

er

R3’

s C

ord

a

Stel

lar

EO

S

Tezo

s

Cos

mos

Oth

er

What type of blockchain protocol is your Project based upon?

38



Bespoke, tailor-made protocol 7 .14% 4

Ethereum 39 .29% 22

Ripple 0 .00% 0

Hyperledger 21 .43% 12

R3’s Corda 0 .00% 0

Stellar 0 .00% 0

EOS 1 .79% 1

Tezos 0 .00% 0

Cosmos 0 .00% 0

Other 30 .36% 17

TOTAL 56

Q10 Are you aware of the privacy regulations applicable to your Project(s)?


78.57%

21.43%

0.00%

Yes NoYes, but onlyto some extent


Yes 78 .57% 44

Yes, but only to some extent 21 .43% 12

No 0 .00% 0

TOTAL 56

39


Q11 Who in your organisation is primarly responsible for meeting the requirements as set forth in the applicable privacy regulation(s)?


C-level Management 41.07%

IT Management 8.93%Legal department 19,64%

Data Protection Officer 12.50%

Other 17.86%


C-level Management 41 .07% 23

IT Management 8 .93% 5

Legal department 19 .64% 11

Data Protection Officer 12 .50% 7

Other 17 .86% 10

TOTAL 56

Q12 Have you made efforts to meet the requirements of the applicable privacy regulation(s)?

Answered: 56 Skipped: 12Have you made efforts to meet the requirements of the applicableprivacy regulation(s)?

Yes No

89.29% 10.71%


Yes 89 .29% 50

No 10 .71%

TOTAL 56

40


Q13 Is meeting the requirements of applicable privacy regulation(s) a strategic priority (e.g. addressed and prioritized at C-level)?

Answered: 56 Skipped: 12Is meeting the requirements of applicable privacy regulation(s)a strategic priority (e.g. addressed and prioritized at C-level)?

Yes No

89.29% 10.71%


Yes 89 .29% 50

No 10 .71% 6

TOTAL 56

Q14 Have you conducted any kind of formal data protection assessment on your Project (e.g. DPIA)?

Answered: 56 Skipped: 12Have you conducted any kind of formal data protection assessment on your Project (e.g. DPIA)?

No Yes, the most important focus pointsfor such an assessment were:

55.36% 44.64%


No 55 .36% 31

Yes, the most important focus points for such an assessment were:

44 .64% 25

TOTAL 56

Q15 What were the main privacy issues related to your Project? (Please include as many issues as you’d like)


41


Other (please specify)

14.63%

Informing data subjects of their

rights

21.95%

Storage of personal data (on chain,

off-chain)

68.29%

Legal basis for processing of the

personal data

34.15%

Cross-border data transfers

34.15%

What were the main privacy issues related to your Project?(Please include as many issues as you'd like)

Consideration of public keys as personal data

48.78%

Anonymization techniques

53.66%

Data Subject rights

41.46%

Defining roles and responsibilites

(processors/controllers)

36.59%


Storage of personal data (on chain, off-chain) 68 .29% 28

Anonymization techniques 53 .66% 22

Consideration of public keys as personal data 48 .78% 20

Data Subject rights 41 .46% 17

Defining roles and responsibilites (processors/controllers) 36 .59% 15

Cross-border data transfers 34 .15% 14

Legal basis for processing of the personal data 34 .15% 14

Informing data subjects of their rights 21 .95% 9


TOTAL 41

Q16 Do you store personal data off-chain in your Project?

Answered: 41 Skipped: 27Do you store personal data off-chain in your Project?

Yes No

82.93% 17.07%

42



Yes 82 .93% 34

No 17 .07% 7

TOTAL 41

Q17 How do you store or refer to personal data on-chain?


No

per

son

al d

ata

is s

tore

d o

n c

hai

nn

eith

er d

oes

any

refe

ren

ce is

mad

e to

it

In p

lain

text

En

cryp

ted

Has

hed

Has

hed

wit

hsa

lted

has

hes

Has

hed

wit

h w

ith

pep

per

ed h

ash

es

Wit

h t

he

use

of

Zero

-kn

owle

dg

e p

roof

s

Wit

h n

oise

add

itio

n

Wit

h ri

ng

-sig

nat

ure

s

Oth

er(p

leas

e sp

ecify

)

52.50%

0.00%

25.00% 22.50%

15.00%

5.00%

20.00%

2.50%5.00%

12.50%

How do you store or refer to personal data on-chain?


No personal data is stored on chain neither does any reference is made to it .

52 .50% 21

Encrypted 25 .00% 10

Hashed 22 .50% 9

With the use of Zero-knowledge proofs 20 .00% 8

43



Hashed with salted hashes 15 .00% 6


Hashed with with peppered hashes 5 .00% 2

With ring-signatures 5 .00% 2

With noise addition 2 .50% 1

In plain text 0 .00% 0

TOTAL 40

Q18 If possible, please provide additional details about the methods of storing or referring to personal data on chain


Q19 Do you think any use cases inside or outside of your Project could benefit from having personal data directly (not just hashes) on a blockchain, either encrypted or in clear text?

Answered: 41 Skipped: 27Do you think any use cases inside or outside of your Project could benefitfrom having personal data directly (not just hashes) on a blockchain,either encrypted or in clear text?

No Yes, please providedetailed examples

68.29% 31.71%


No 68 .29% 28

Yes, please provide detailed examples 31 .71% 13

TOTAL 41

44


Q20 If you deal with personal data (also pseudonimised personal data) on public permisonless blockchain, how have you defined controllership of that data?(the ‘controller’ alone or jointly with others, determines the purposes and means of the processing of personal data)


Every nodeas a data controller

14.71%

I haven't definedcontrollership

52.94%

Full nodes asdata controllers

5.88%

Apps andsmart contracts

as data controllers

14.71%

Network user(Participant)

as a data controller

5.88%

Protocol andsoftware developers

as data controllers

5.88%


I haven’t defined controllership 52 .94% 18

Every node as a data controller 14 .71% 5

Full nodes as data controllers 5 .88% 2

DApps and smart contracts as data controllers 14 .71% 5

Network user (Participant) as a data controller 5 .88% 2

Protocol and software developers as data controllers 5 .88% 2

TOTAL 34

Q21 If you have not defined data controllership, what are the reasons for that decision?


45

The impact of data protection regulations on the blockchain ecosystem Report on survey results | November 2020If you have not defined data controllership, what are the reasons for that decision?

No clearguidance

Afraid fromchoosingone option

Other(please specify)

56.00% 12.00% 32.00%


No clear guidance 56 .00% 14


Afraid from choosing one option 12 .00% 3

TOTAL 25

Q22 Do you argue for joint controllership? If yes, provide information on how (who are considered joint controllers)(Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers).


Do you argue for joint controllership?If yes, provide information on how (who are considered joint controllers)(Where two or more controllers jointly determine the purposes and meansof processing, they shall be joint controllers.)

No 42.86%

Yes, with all nodesas joint-controllers

20.00%

Yes, with all full nodesas joint-controllers

5.71%

Yes, with other,specific type of nodes


5.71%

Yes, with protocol andsoftware developers


8.57%

Yes, with other actorsas joint controllers

(please specify)

17.14%


Yes, with protocol and software developers as joint controllers

8 .57% 3

Yes, with other, specific type of nodes as joint controllers 5 .71% 2

46



Yes, with all nodes as joint-controllers 20 .00% 7

Yes, with all full nodes as joint-controllers 5 .71% 2

No 42 .86% 15

Yes, with other actors as joint controllers (please specify) 17 .14% 6

TOTAL 35

Q23 Do you have data processing agreements in place for the participants of your blockchain network?


No Yes, in a form ofseparate written

agreements

Yes, in a formof separateelectronic

agreements

Yes, integratedin the existing terms

& conditions orin the privacy policy

Yes, in a formof smartcontracts

47.37%

10.53%7.89%

34.21%

0.00%

Do you have data processing agreements in place for the participantsof your blockchain network?


No 47 .37% 18

Yes, integrated in the existing terms & conditions or in the privacy policy

34 .21% 13

Yes, in a form of separate written agreements 10 .53% 4

Yes, in a form of separate electronic agreements 7 .8

The Impact of Data Protection Regulations on the Blockchain … · 2020. 11. 10. · 3 The impact...

Documents

Transcript of The Impact of Data Protection Regulations on the Blockchain … · 2020. 11. 10. · 3 The impact...