Consent Control Goes Mobile: ISO Standards Meet EU's Digital Identity Vision

1 Jun 2025

Authors:

(1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland ([email protected])

(2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden ([email protected]);

(3) Georg P. Krog, Signatu AS, Oslo, Norway ([email protected]).

Abstract and 1 Introduction

2 Overview of ISO/IEC TS 27560:2023

3 Comparing ISO-27560, ISO-29184, and GDPR

4 Consent Records and Receipts using DPV

5 Supporting GDPR and DGA

6 Implementation Considerations and Future Work

6.1 Trust and Security

6.2 Using Records and Receipts with eIDAS and EUDI Wallet

6.3 Standard for PII Processing Record Information and 6.4 Technical Considerations in Managing Records and Receipts

6.5 IEEE P7012 Machine-Readable Privacy Terms

7 Conclusion and References

A Example of Consent Record with both required and optional fields

B Example of Consent Receipt with required fields from consent record

6.1 Trust and Security

Security considerations are central to the implementation of consent records and receipts, and ISO-27560 Annex E provides guidance for implementations. Consent records are intended to be maintained internally by an entity and require measures to ensure they remain consistent and correct and are not tampered with. This includes information management best practices such as using cryptographic hashes to detect changes to the information, or using access control to ensure only authorised modifications are permitted. Current international standards such as W3C Decentralized Identifiers[8] (DID) and W3C Verifiable Credentials[9] (VC) allow for implementations compatible with an implementation of ISO-27560 using DPV, as all are based on interoperable semantic web standards.
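As an added example (not code from the paper, and not a reference implementation of ISO-27560), the following Python shows the two Annex E measures just named applied to a consent record: a cryptographic hash over a canonical serialisation so that any change is detectable, and an access-control gate on modifications. Record versions are hash-linked so that a withdrawal is stored as a new version rather than an in-place edit, and an edit made behind the store's back breaks the chain. The field names, identifiers and the allow-list of authorised writers are constructed assumptions for the example, loosely modelled on the record structure the article discusses.

```python
import copy
import hashlib
import json

# Constructed sample consent record. Field names are an assumption loosely
# modelled on the ISO/IEC TS 27560 record structure, not a copy of the standard.
SAMPLE_RECORD = {
    "schema_version": "example-27560",
    "record_id": "urn:example:consent-record:0001",
    "pii_principal_id": "urn:example:pii-principal:alice",
    "consent_type": "explicit",
    "status": "given",
    "language": "en",
    "purposes": [
        {
            "purpose": "newsletter delivery",
            "lawful_basis": "https://w3id.org/dpv#Consent",
            "pii_information": ["email address"],
            "pii_controllers": ["urn:example:controller:acme"],
            "event_time": "2025-06-01T10:00:00Z",
        }
    ],
}


def canonical_bytes(obj) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace, UTF-8).
    Equal content must hash identically regardless of key order or
    formatting, otherwise integrity checks raise false alarms."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def record_digest(record: dict) -> str:
    """SHA-256 over the canonical form of a single record."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


class ConsentRecordStore:
    """Append-only, hash-linked store of record versions.

    Every version carries the digest of the previous one, so an edit that
    bypasses append() (e.g. directly in the database) or a removed version
    is detected by verify_chain(). Writes are gated by an allow-list of
    authorised actors as the access-control measure.
    """

    def __init__(self, authorised_writers):
        self._authorised = frozenset(authorised_writers)
        self._versions = []  # entries: {"record", "previous", "actor", "digest"}

    @staticmethod
    def _entry_digest(record, previous, actor) -> str:
        return hashlib.sha256(
            canonical_bytes({"record": record, "previous": previous, "actor": actor})
        ).hexdigest()

    def append(self, record: dict, actor: str) -> str:
        """Store a new version; only authorised actors may write."""
        if actor not in self._authorised:
            raise PermissionError(f"{actor!r} is not authorised to modify consent records")
        previous = self._versions[-1]["digest"] if self._versions else None
        snapshot = copy.deepcopy(record)  # caller cannot mutate what was stored
        digest = self._entry_digest(snapshot, previous, actor)
        self._versions.append(
            {"record": snapshot, "previous": previous, "actor": actor, "digest": digest}
        )
        return digest

    def latest(self) -> dict:
        return copy.deepcopy(self._versions[-1]["record"])

    def verify_chain(self) -> bool:
        """Recompute every digest and link; False means something was altered."""
        expected_previous = None
        for entry in self._versions:
            recomputed = self._entry_digest(entry["record"], entry["previous"], entry["actor"])
            if entry["previous"] != expected_previous or entry["digest"] != recomputed:
                return False
            expected_previous = entry["digest"]
        return True

    def raw_versions(self):
        """Direct access to stored entries, used only to simulate an
        out-of-band modification that bypasses append()."""
        return self._versions


def withdraw_consent(store: ConsentRecordStore, actor: str) -> str:
    """Withdrawal is recorded as a new version, never as an in-place edit,
    so the history of the decision remains demonstrable."""
    record = store.latest()
    record["status"] = "withdrawn"
    record["withdrawal_time"] = "2025-06-02T09:30:00Z"  # constructed timestamp
    return store.append(record, actor)


if __name__ == "__main__":
    store = ConsentRecordStore(authorised_writers={"consent-service"})
    store.append(SAMPLE_RECORD, actor="consent-service")
    withdraw_consent(store, actor="consent-service")
    print("chain intact:", store.verify_chain())
    # Simulate a direct database edit that bypasses the access check:
    store.raw_versions()[0]["record"]["status"] = "withdrawn"
    print("chain intact after tampering:", store.verify_chain())
```

Canonicalisation is the part that matters most in practice: if two systems serialise the same DPV/JSON-LD content differently, hashes will disagree even though nothing changed, so the serialisation rule has to be agreed between all parties that compute or check digests.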

For consent receipts to be used in a verifiable and trustworthy manner, the information provided within the receipt may require cryptographic measures that provide assurance of its immutability and non-repudiation. Further, receipts are intended to be information provided or exchanged between different entities, which may necessitate a mechanism to demonstrably verify provenance (e.g. a receipt was provided by A to B) and immutability (e.g. the receipt contained exactly X). Cryptographic techniques such as digital signatures and certificates can support such applications, as they already do in internet-enabled applications and documents. Prior work [7] and projects [10] have explored such considerations, but effective implementation requires consensus amongst stakeholders to create an interoperable ecosystem.

Given the role of consent records and receipts in demonstrating consent decisions, they may end up containing potentially sensitive information. ISO-27560 recommends not putting such information directly in records and receipts; where it is necessary, implementations should use techniques such as information masking or pseudonymisation to avoid directly exposing sensitive information, though this has to be balanced against the purpose of receipts in providing data subjects with information about their consent.

6.2 Using Records and Receipts with eIDAS and EUDI Wallet

Following the launch of projects using the European Digital Identity (EUDI) wallet[11] for travel, health, banking, education and other sectors, CEN TC224 WG20[12], the EU standardisation body's technical committee for personal identification, has initiated a new standards project to provide guidance on when personal data (attributes) are shared from the wallet in compliance with eIDAS and its proposed revision.

Here, ISO-27560 and ISO-29184 can be used to create an interoperable, standards-based mechanism to structure information and ensure the mandatory fields needed to comply with GDPR are present. Further, the use of these standards also enables a consistent approach to creating common privacy dashboards that work across the EU. Such privacy dashboards would give a wallet holder an overview of all their consent transactions, including any pending requests, and provide a centralised mechanism for exercising their rights and withdrawing consent, using the eIDAS and eID mechanisms to establish identity and proof of past engagement.

ISO-27560 and ISO-29184 are also crucial as the only standards regarding consent records and receipts, and privacy notices, respectively. Using the analysis and implementations described in this article, an ISO-27560 solution that is also conformant with the GDPR can be used to store consent records and receipts in wallets, which gives data subjects a copy of their decision and agreement to the processing of their personal data.

Having this information available to the data subject in a machine-readable format further enables its use in innovative applications that promote reuse of data while ensuring adequate adherence to the EU's values and regulations. For example, by looking at past consent records or receipts, preferences can be identified for how the individual makes decisions, and these can be used to create a template or pattern that makes future consent decisions more efficient and simpler for the individual. ISO-27560 Annex F provides guidance on how such preferences, used as 'privacy signals', can be represented within consent records and receipts.

Another powerful paradigm becomes possible when combining ISO-27560 with eID, eIDAS, and EUDI: the data subject initiates the consent process by providing a specific consent to use or reuse their personal data, for example to access a particular service. In this scenario, the data subject decides the extent and limits of what their consent will cover, provides their consent to the service provider, and maintains a consent record within their wallet, with a signed receipt provided to the service provider as proof of consent.
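The wallet-initiated scenario above, together with the provenance and immutability requirements from Section 6.1 (a receipt was provided by A to B, and contained exactly X), can be illustrated with a signed receipt. The following Python is an added example, not code from the paper or from any EUDI wallet implementation: the data subject's wallet derives a receipt from its local consent record (only an assumed subset of fields, so wallet-internal data stays on the device), signs it with an Ed25519 key, and the service provider verifies the signature, the signing key, and that the receipt was addressed to it. It uses the `cryptography` package; the record fields, identifiers and the choice of Ed25519 are assumptions for the example.

```python
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# Constructed wallet-side consent record. Field names are an assumption
# loosely following the ISO/IEC TS 27560 structure, not a copy of the standard.
WALLET_RECORD = {
    "record_id": "urn:example:consent-record:0042",
    "pii_principal_id": "urn:example:pii-principal:alice",
    "consent_type": "explicit",
    "status": "given",
    "purposes": [
        {
            "purpose": "account creation for the booking service",
            "lawful_basis": "https://w3id.org/dpv#Consent",
            "pii_information": ["name", "email address"],
            "pii_controllers": ["urn:example:controller:booking-service"],
            "event_time": "2025-06-01T10:00:00Z",
        }
    ],
    "internal_notes": "wallet-local, never leaves the device",  # not for the receipt
}

# Fields copied from the record into the receipt (assumed "required subset").
RECEIPT_FIELDS = ("record_id", "pii_principal_id", "consent_type", "status", "purposes")


def canonical_bytes(obj) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def build_receipt(record: dict, receipt_id: str, issued_to: str) -> dict:
    """Receipt = required fields of the record plus the intended recipient.
    'issued_to' is what later lets the provider show the receipt was issued
    by the signer (A) to itself (B), i.e. provenance."""
    receipt = {key: record[key] for key in RECEIPT_FIELDS}
    receipt["receipt_id"] = receipt_id
    receipt["issued_to"] = issued_to
    return receipt


def public_key_hex(private_key: Ed25519PrivateKey) -> str:
    raw = private_key.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw
    )
    return raw.hex()


def sign_receipt(receipt: dict, private_key: Ed25519PrivateKey) -> dict:
    """Wallet signs the canonical receipt; signature and public key travel with it."""
    signature = private_key.sign(canonical_bytes(receipt))
    return {
        "receipt": receipt,
        "signer": public_key_hex(private_key),
        "signature": signature.hex(),
    }


def verify_receipt(signed: dict, expected_signer_hex: str, my_id: str) -> bool:
    """Service-provider check: signed by the wallet key it expects (provenance),
    addressed to itself, and unmodified since signing (immutability).
    Returns False rather than raising so callers can log and refuse."""
    if signed.get("signer") != expected_signer_hex:
        return False
    if signed.get("receipt", {}).get("issued_to") != my_id:
        return False
    key = Ed25519PublicKey.from_public_bytes(bytes.fromhex(signed["signer"]))
    try:
        key.verify(bytes.fromhex(signed["signature"]), canonical_bytes(signed["receipt"]))
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    wallet_key = Ed25519PrivateKey.generate()  # held by the data subject's wallet
    provider = "urn:example:controller:booking-service"
    signed = sign_receipt(build_receipt(WALLET_RECORD, "urn:example:receipt:0042", provider),
                          wallet_key)
    print("provider accepts receipt:", verify_receipt(signed, public_key_hex(wallet_key), provider))
    signed["receipt"]["status"] = "withdrawn"  # any change after signing
    print("provider accepts altered receipt:", verify_receipt(signed, public_key_hex(wallet_key), provider))
```

The provider must obtain the wallet's public key through a channel it trusts (this is where the eID/eIDAS identity binding or a DID/VC mechanism would come in); the signature alone proves that whoever held the key signed these exact bytes, not who that key belongs to. A later withdrawal would be communicated as a new signed receipt with an updated status, not by altering this one.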

This paper is available on arxiv under CC BY 4.0 DEED license.


[8] W3C Decentralized Identifiers (DIDs). https://www.w3.org/TR/did-core/

[9] W3C Verifiable Credentials Data Model. https://www.w3.org/TR/vc-data-model/

[10] NGI-funded Privacy as Expected: Consent Gateway project, D2 Final Technical Deliverable. https://doi.org/10.5281/zenodo.5086238