Introducing Privacy Receipts into DLT and eIDAS


  • Jan Lindquist Swedish Institute for Standards (SiS), StantICT, Stockholm, Sweden



Privacy, GDPR, consent, DLT, blockchain, identity management, eIDAS, digital identity, wallet


The introduction of digital identification (e.g., eIDAS) and wallet standards (e.g., the EUDI wallet) requires compliance with privacy principles and clear communication of those principles through a privacy notice and a record of consent in the form of a privacy receipt. Regulation needs standards to help set the bar for reducing the risk of privacy infringement. Without a standards-based implementation, solutions will be proprietary and siloed with no concern for interoperability, as with the privacy labels in the Google and Apple app stores. Do existing standards address the gap, or do new ones need to be introduced? This article examines the standards and regulations in three areas to answer this question: privacy protection standards, blockchain and DLT standards, and digital identification and wallet standards.



Author Biography

Jan Lindquist, Swedish Institute for Standards (SiS), StantICT, Stockholm, Sweden

Jan Lindquist received a bachelor’s degree in electrical engineering from the Illinois Institute of Technology in 1991. He is currently a member of the Swedish Institute for Standards (SiS) and co-editor of the ISO/IEC 27560 standard, with a long history of standardization work across multiple sectors. He performs data protection impact assessments to help organizations adhere to GDPR and information security requirements. He is engaged in various NGI-awarded (eSSIF-Lab and ONTOCHAIN) collaborations to develop interoperable privacy receipts. He also helped lead working groups in the Decentralized Identity Foundation (DIF) to create an open-source solution based on a DID method.






How to Cite

Lindquist, J. (2023). Introducing Privacy Receipts into DLT and eIDAS. Journal of ICT Standardization, 11(02), 117–134.


