Authors:
(1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland ([email protected])
(2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden ([email protected]);
(3) Georg P. Krog, Signatu AS, Oslo, Norway ([email protected]).
7 Conclusion
This article provided a thorough analysis of how ISO/IEC TS 27560:2023 and ISO/IEC 29184:2020 can be used to create consent records and receipts in a machine-readable format that supports GDPR requirements and enables the reuse of data under the DGA. Based on this analysis, we provide a concrete argument for why these two standards should be adopted and recommended by GDPR stakeholders. We also described the ongoing efforts of the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG) in creating a technical specification to support implementing ISO-27560 using its Data Privacy Vocabulary (DPV). Our work is a significant contribution to the ongoing efforts to implement the DGA, under which the Commission is required to develop a common consent form that is both human- and machine-readable. We also discussed how this work can be used in practice: we reported on our ongoing efforts to adopt the standard within the EU's legal framework, to further develop specific implementations that support the needs of the DGA, and on how this work complements the ongoing development of eID, eIDAS2, and EUDI implementations.
Acknowledgements Jan Lindquist, through the Swedish National Standards Body, was a contributor and the co-editor of ISO/IEC TS 27560:2023. Harshvardhan J. Pandit, through the Irish National Standards Body, was a contributor to the ISO/IEC TS 27560:2023, and is the chair of the W3C Data Privacy Vocabularies and Controls Community Group.
This research was conducted with the financial support of Science Foundation Ireland at ADAPT, the SFI Research Centre for AI-Driven Digital Content Technology at Dublin City University, Grant #13/RC/2106_P2. For the purpose of Open Access, the author has applied a CC BY public copyright licence to any Author Accepted Manuscript version arising from this submission.
This paper is available on arXiv under a CC BY 4.0 DEED license.