Analysis of ISO/IEC TS 27560:2023 for GDPR Compliance Using Data Privacy Vocabulary
Authors:
(1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland ([email protected])
(2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden ([email protected]);
(3) Georg P. Krog, Signatu AS, Oslo, Norway ([email protected]).
Abstract. The ISO/IEC TS 27560:2023 Privacy technologies — Consent record information structure provides guidance for the creation and maintenance of records regarding consent as machine-readable information. It also provides guidance on the use of this information to exchange such records between entities in the form of ‘receipts’. In this article, we compare requirements regarding consent between ISO/IEC TS 27560:2023, ISO/IEC 29184:2020 Privacy Notices, and the EU’s General Data Protection Regulation (GDPR) to show how these standards can be used to support GDPR compliance. We then use the Data Privacy Vocabulary (DPV) to implement ISO/IEC TS 27560:2023 and create interoperable consent records and receipts. We also discuss how this work benefits the implementation of the EU Data Governance Act (DGA), specifically for machine-readable consent forms.
1 Introduction
Informed Consent is an important legal basis as it provides control and empowerment to data subjects or users based on the ability to choose and make decisions. Privacy and data protection laws such as the EU’s GDPR [15] regulate this process by defining conditions for when consent should be considered Valid Consent. The process of Informed Consent requires information to be provided in the form of a Consent Notice to inform the data subject about the processing that will occur based on the consent and to enable them to make an informed choice or decision.
Assessing whether an instance of given consent is valid therefore requires keeping records of information regarding how the consent was obtained, i.e. using the notice, and how the consent is being utilised, i.e. the processing enabled through that consent. This same information is also required for the organisation to determine whether its processing activities should continue, e.g. depending on whether a particular user has given consent and whether it is still valid (i.e. it has not expired and has not been withdrawn). Such information that is documented and maintained regarding consent is called a Consent Record.
ISO/IEC TS 27560:2023 Consent record information structure [6] is a Technical Specification that “specifies an interoperable, open and extensible information structure” for recording the data subject’s consent to processing of their personal data i.e. as consent records, and to provide this information i.e. as consent receipts. The specification lists information fields that represent specific information associated with consent, and requirements over the form this information can take e.g. format, number of values, and whether it is mandatory or optional. It complements the earlier ISO/IEC 29184:2020 Online privacy notices and consent [5] which describes the information to be provided within privacy notices.
An ISO-27560 conformant implementation fulfils the requirements by either storing information directly in the form prescribed by ISO-27560 or by storing information in a form from which the prescribed information can be obtained. ISO-27560 allows flexibility in how the fields are represented to suit and match domain-specific labels or descriptions, or to introduce additional fields or information types that are needed. Such changes, expressed as schemas or profiles, are still required to be compatible with the requirements of ISO-27560, such as by keeping the same fields mandatory. In this manner, ISO-27560 provides a common, interoperable, and extensible structure for the exchange of information associated with consent.
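The two preceding paragraphs describe the shape of a consent record (fields with required/optional status, profiles that may extend but not relax the base requirements, and receipts derived from records) and the validity question raised earlier (has consent been withdrawn or expired). The following Python example, added here and not part of the paper or of ISO/IEC TS 27560, illustrates those mechanics in code. The field names, the base schema, the sample record and the timestamps are constructed for illustration; they are not the field names defined by the standard or by DPV.

```python
"""Illustrative consent-record checks modelled on the structure described in
the text: required vs optional fields, profile compatibility, validity
(expiry/withdrawal) and receipt derivation.

All field names below are constructed for this example; they are NOT the
identifiers used by ISO/IEC TS 27560:2023 or by DPV.
"""
from datetime import datetime, timezone

# Base schema (constructed): field name -> (is_required, expected_type)
BASE_SCHEMA = {
    "record_id": (True, str),
    "pii_principal_id": (True, str),     # the data subject
    "controller": (True, str),
    "purposes": (True, list),            # purposes the consent covers
    "consent_timestamp": (True, str),    # ISO 8601 with UTC offset
    "notice_reference": (True, str),     # the notice shown (cf. ISO 29184)
    "consent_status": (True, str),       # "given" or "withdrawn"
    "expiry": (False, str),              # optional ISO 8601 timestamp
    "withdrawal_timestamp": (False, str),
    "event_log": (False, list),
}

# Constructed sample record
SAMPLE_RECORD = {
    "record_id": "rec-0001",
    "pii_principal_id": "subject-42",
    "controller": "Example Controller Ltd",
    "purposes": ["newsletter"],
    "consent_timestamp": "2024-01-15T10:00:00+00:00",
    "notice_reference": "https://example.invalid/notice/v3",
    "consent_status": "given",
    "expiry": "2024-12-31T23:59:59+00:00",
}


def validate_record(record, schema=BASE_SCHEMA):
    """Return a list of conformance problems; an empty list means the record
    carries every required field with the expected type and nothing unknown."""
    problems = []
    for name, (required, typ) in schema.items():
        if name not in record:
            if required:
                problems.append(f"missing required field: {name}")
            continue
        if not isinstance(record[name], typ):
            problems.append(
                f"field {name} has type {type(record[name]).__name__}, "
                f"expected {typ.__name__}")
    for name in record:
        if name not in schema:
            problems.append(f"unknown field: {name}")
    return problems


def profile_is_compatible(profile, base=BASE_SCHEMA):
    """A profile may add fields or make optional fields required, but every
    base required field must stay required with the same type."""
    for name, (required, typ) in base.items():
        if name not in profile:
            return False
        p_required, p_typ = profile[name]
        if required and not p_required:
            return False
        if p_typ is not typ:
            return False
    return True


def consent_is_valid(record, now):
    """Processing may rely on this consent only if it was given, has not been
    withdrawn, and has not passed its expiry at time `now` (aware datetime)."""
    if record.get("consent_status") != "given":
        return False
    if record.get("withdrawal_timestamp"):
        return False
    expiry = record.get("expiry")
    if expiry and datetime.fromisoformat(expiry) <= now:
        return False
    return True


def derive_receipt(record, schema=BASE_SCHEMA):
    """A receipt carries the record's required fields for the data subject."""
    return {name: record[name]
            for name, (required, _) in schema.items()
            if required and name in record}


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("problems:", validate_record(SAMPLE_RECORD))
    print("valid now:", consent_is_valid(SAMPLE_RECORD, now))
    print("receipt:", derive_receipt(SAMPLE_RECORD))
```

The compatibility check is the point a practitioner would want from the paragraph on profiles: a profile that renames or adds fields passes, while one that downgrades a required field to optional fails, which mirrors the requirement that schemas and profiles keep the same fields mandatory.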
In this article, we present an analysis of the requirements for recording consent within ISO-27560 and ISO-29184 and compare them with the requirements for valid consent under GDPR (section 3). We then present our work in implementing ISO-27560 using the Data Privacy Vocabulary (DPV) [14,12] to create a machine-readable, interoperable, and extensible specification for consent records and receipts based on open standards (section 4). Through this work we demonstrate the applicability and usefulness of ISO-27560 in assisting with the obligation for demonstrating consent under GDPR (Art.7-1), and explore how ISO-27560 and ISO-29184 can work within the legal framework of GDPR and DGA and the possibility for using this standard to inform the implementation of machine-readable common consent forms under the DGA (section 5). We also discuss practicalities for implementations regarding trust and security (section 6.1) and using records and receipts with eIDAS and EUDI wallets (section 6.2).