ISO Standards Framework for GDPR Article 7 Compliance and DGA Implementation

1 Jun 2025

Authors:

(1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland ([email protected])

(2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden ([email protected]);

(3) Georg P. Krog, Signatu AS, Oslo, Norway ([email protected]).

Abstract and 1 Introduction

2 Overview of ISO/IEC TS 27560:2023

3 Comparing ISO-27560, ISO-29184, and GDPR

4 Consent Records and Receipts using DPV

5 Supporting GDPR and DGA

6 Implementation Considerations and Future Work

6.1 Trust and Security

6.2 Using Records and Receipts with eIDAS and EUDI Wallet

6.3 Standard for PII Processing Record Information and 6.4 Technical Considerations in Managing Records and Receipts

6.5 IEEE P7012 Machine-Readable Privacy Terms

7 Conclusion and References

A Example of Consent Record with both required and optional fields

B Example of Consent Receipt with required fields from consent record

5 Supporting GDPR and DGA

Using ISO-27560 and ISO-29184 within the EU legal framework: ISO-27560 and ISO-29184 are developed and governed by the International Standards Organisation (ISO), and are not specific to the EU’s regulations and terminology. To support their use in the EU legal frameworks, they need to be approved as a ‘Euronorm’ (EN) through an EU standardisation body such as CEN, CENELEC, or ESO. At the moment, ISO-29184 has already been approved as an EN, and we are working on a proposal with the Irish and Swedish national bodies to recommend the adoption of ISO-27560 as an EN. We have also submitted a proposal to the relevant ISO committees to make the ISO-27560 standard freely accessible, as its guidance is valuable for responsible innovation.

Having these standards as EN provides a strong framework for their utilisation in regulations, such as for notice and consent under GDPR. However, merely adopting the standards on an ‘as-is’ basis will not be sufficient. For example, the terminology in ISO-29184 and GDPR has crucial differences which must be identified, and appropriate guidance developed, to enable using ISO-29184 with GDPR [13]. Similarly, to address current issues regarding consent [10,9], further studies are required to assess the extent to which these standards solve existing issues and what additional measures need to be adopted beyond conformance with the standards.

Demonstrating consent under GDPR: GDPR Article 7(1) creates an obligation for data controllers to maintain consent information and to keep it up to date, with the goal of demonstrating where consent was given, refused, or withdrawn. ISO-27560 provides a standard for a common technical structure to support implementing this obligation. In addition, GDPR Articles 13 and 14, amongst others, also require keeping records of what information was provided to individuals in order to implement informed consent. ISO-29184 provides a standard for describing privacy notices, and together with ISO-27560 enables maintaining records of what information was provided and the resulting consent decisions. Based on the analysis provided in this article, which demonstrates the applicability of ISO-27560 and ISO-29184 to GDPR, we recommend that authorities suggest using these standards to support GDPR compliance.

Receipts to support rights under GDPR: ISO-27560 contains fields for acknowledging which rights exist, and with DPV we can express how and where to exercise them and what information will be required (e.g. identity verification). Further, consent decisions (e.g. given, withdrawn) are themselves personal data about the data subject, and therefore subject to rights such as Article 20 data portability. This can be a way to enable the use of receipts under GDPR even though receipts are not explicitly defined as a concept there: treating consent information as personal data makes it subject to the right to data portability under Article 20, which requires providing information “in a structured, commonly used and machine-readable format”. Article 20 also grants “the right to transmit those data to another controller”, which can be utilised to transfer consent decisions from one controller to another, a crucial mechanism for the implementation of data reuse and altruism under DGA.

Common consent form under DGA: Article 25 of the DGA requires the Commission to produce a common consent form that will provide information in both human- and machine-readable forms. ISO-27560 together with ISO-29184, based on the analysis in this article demonstrating their usefulness in meeting GDPR requirements, should be used to define what information should be present in these forms. ISO-29184, as the standard for privacy notices, provides the human-oriented representation of information in the consent form, and ISO-27560 and the DPV implementation provide the machine-readable representation. The advantage of using these standards is that the resulting solution would be useful not only in the EU but globally, due to the global scope of ISO. The advantage of using DPV here is in providing common semantics based on W3C standards that support extensions for specific jurisdictions (like the EU with GDPR and DGA), and its extensive taxonomy supporting practical use cases which promote interoperability. Through direct meetings, we have presented this work to the EU Commission’s Unit G.1, which looks after GDPR and DGA implementations.

Data Intermediaries under DGA: We are also working on further implementations to support DGA by developing specific technical specifications that define how data intermediaries should maintain consent records and issue receipts. These specifications will also support intermediaries in their duties by providing a way to express data reuse requests in a machine-readable form that can be matched against the consent to ensure the purposes are compatible in accordance with the GDPR. This will be based on existing work [1] that utilises the W3C Open Digital Rights Language (ODRL) standard [3] for representing policies and agreements, using it in combination with DPV to create DGA-specific offers (for data subjects and data intermediaries to indicate which data is available for reuse and under what conditions), requests (for data users to indicate what data they are looking for), and agreements (to represent the conditions under which data reuse has been approved). We have already demonstrated the feasibility of using ODRL and DPV for such an approach in a manner that improves both technical and organisational processes for the use case of sharing genomic health datasets [11].
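The following is an added illustration, not code from the paper or from the ISO-27560/DPV projects, of the three mechanisms discussed above: an append-only history of consent decisions that a controller can use to demonstrate consent under Article 7(1), a structured receipt exported from the current decision (the machine-readable form Article 20 portability requires), and a deny-by-default check of a data reuse request against the currently valid consent, as a data intermediary would need to perform. The record layout, field names and status labels (`given`, `refused`, `withdrawn`) are simplified assumptions for the example and are not the ISO-27560 schema or the DPV vocabulary; the scenario data is constructed.

```python
"""Added example (not from the paper): a minimal consent-record store.
 - Art. 7(1): decisions are appended with timestamps, never overwritten,
   so the controller can demonstrate the full consent history;
 - Art. 20: the current decision is exported as a structured receipt;
 - DGA reuse: a reuse request is checked against the currently valid consent.
Field names are simplified assumptions, NOT the ISO-27560 schema or DPV vocabulary.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

VALID_STATUSES = ("given", "refused", "withdrawn")  # assumed labels


@dataclass(frozen=True)
class ConsentEvent:
    status: str       # one of VALID_STATUSES
    timestamp: str    # ISO 8601, UTC
    purposes: tuple   # purposes covered by this decision (empty on refusal/withdrawal)


@dataclass
class ConsentRecord:
    record_id: str
    data_subject: str
    controller: str
    personal_data: tuple                 # categories of data the decision concerns
    events: list = field(default_factory=list)

    def add_event(self, status, purposes=(), when=None):
        """Append a decision; earlier decisions are kept so consent can be demonstrated."""
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown status: {status}")
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.events.append(ConsentEvent(status, when, tuple(purposes)))

    def current(self):
        """The latest decision determines whether consent is currently valid."""
        return self.events[-1] if self.events else None

    def active_purposes(self):
        cur = self.current()
        if cur is None or cur.status != "given":
            return frozenset()
        return frozenset(cur.purposes)

    def receipt(self):
        """Structured receipt of the current decision (portable under Art. 20)."""
        cur = self.current()
        return {
            "record_id": self.record_id,
            "data_subject": self.data_subject,
            "controller": self.controller,
            "personal_data": list(self.personal_data),
            "status": cur.status if cur else None,
            "purposes": list(cur.purposes) if cur else [],
            "decided_at": cur.timestamp if cur else None,
            "history_length": len(self.events),
        }

    def receipt_json(self):
        return json.dumps(self.receipt(), sort_keys=True)


def check_reuse_request(record, requested_purposes, requested_data):
    """Decide whether a reuse request is covered by the current consent.

    Returns (allowed, reason). Deny-by-default: anything not explicitly
    covered by a currently valid 'given' decision is refused.
    """
    active = record.active_purposes()
    if not active:
        cur = record.current()
        return False, f"no active consent (current status: {cur.status if cur else 'none'})"
    uncovered_purposes = set(requested_purposes) - active
    if uncovered_purposes:
        return False, f"purposes not covered by consent: {sorted(uncovered_purposes)}"
    uncovered_data = set(requested_data) - set(record.personal_data)
    if uncovered_data:
        return False, f"data not covered by consent: {sorted(uncovered_data)}"
    return True, "covered by active consent"


def demo():
    """Constructed scenario: consent given, one compatible and one incompatible request, then withdrawal."""
    rec = ConsentRecord("rec-0001", "subject-42", "controller-example", ("email", "health-data"))
    rec.add_event("given", ["research", "service-provision"], "2025-01-10T09:00:00+00:00")
    r1 = check_reuse_request(rec, ["research"], ["health-data"])   # allowed
    r2 = check_reuse_request(rec, ["marketing"], ["email"])        # purpose never consented to
    rec.add_event("withdrawn", when="2025-03-01T12:00:00+00:00")
    r3 = check_reuse_request(rec, ["research"], ["health-data"])   # withdrawn, so denied
    return r1, r2, r3, rec


if __name__ == "__main__":
    r1, r2, r3, rec = demo()
    for result in (r1, r2, r3):
        print(result)
    print(rec.receipt_json())
```

The design point is that the history is append-only and the check reads only the latest decision: the earlier "given" event remains available to demonstrate that consent existed at the time of an earlier release, while the later withdrawal immediately stops new releases. A real implementation would express purposes and data categories with DPV terms rather than free-form strings so that purpose compatibility can be evaluated against a shared taxonomy.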

Data Reuse and Altruism under DGA: To support the DGA’s goals of reusing data for altruism, we are working on creating a taxonomy of altruistic purposes within DPV and developing a framework to express them in a manner that is compatible with GDPR’s requirements for consent and information keeping based on ISO-27560. We are also working on novel approaches such as assessing the compatibility of ISO-27560 defined consent records with information required in a Data Protection Impact Assessment (DPIA), through which we aim to enable data subjects or data intermediaries to conduct their own DPIAs based on a common registry of risks and mitigations provided through the DPV. Through this we aim to establish responsible practices while promoting data reuse and altruism.

This paper is available on arxiv under CC BY 4.0 DEED license.