May 24, 2024 ANCR (PrivMasJedi Privacy Day) WG Report : For International Digital Security and Privacy Community
...
Digital Transparency refers to Record and Receipt specifications for Record of Processing Activities, (contributed as 27560 Consent Record Information Structure to JTC1/SC27/WG5 after 6 years of community group @ Identity development @Identity Commons, called Identity Trust WG )
The study and specification of Consent by Design has been evolving at Kantara since 2011 to the point where we can now present consent as decentralized digital identity governance model for master control of ones own data. This model prioritizes 2012 Call for standards collaboration at W3C - Do not Track and Beyond conference. The transparency record and receipt model mimicks secure currency exchanges by prioritizing the privacy principle of transparency and accountability over choice and consent, placing this as the first privacy principle (as opposed to the 4th in 29100) for PII Principal centric data trust and governance.
...
Digital Privacy Transparency, referring to the presentation of notice, notifications and disclosures are presented in a way that mimics the physical how people, notice, permission and consent. In particular, humans manage consent while systems manage permission (an instance of a consented surveillance context)
The PII Controller notice record is standardized and used to generate a receipt, which is a credential, enabling the Controller to be relying party verifiable credential. In this context the PII Controller automatically becomes the gatekeeper to PII (aka the relying party) to verify the digital relationship presented in the receipt.
Rather that identifying the individual up front and taking their meta data. The individual can define and present their own digital identity, identifiers, credentials according to context using receipts as verified credentials, for security, safety and trust when interacting online. (AuthC)
Very Canadian approach, in that permission is first required to introduce a new purpose for consent, and the individuals consent is implied by engagement and capture in a notice record.
Notification and disclosure can be capture with standard 29100 defined notice record and receipt.
Semantically standard with the W3C Data Privacy Legal Vocabulary, so as to be entirely machine readable legal semantics. Specified to GDPR which mirrors Chapter 1 of the Convention 108+ Transparency Modalities,
For and services ANCR’s Records and receipts can be used to demonstrate compliance with Article 30 Records of Processing activities, and in Convention 108+. Article 80 Logging.
For individuals a receipt can be used to directly consent (and withdraw consent) to the PII Controller service according to context.
Like in real life, in physical interactions, the individual is anonymous to begin with and the first interaction with a PII Controller/service, the sharing of data is through consensus and consent.
...
SDPT as specified in the ANCR WG, takes into account Data Control, Data Protection, and whether or not the data trust is co-regulated, in order to assess levels of measure how operational digital transparency is, assess technical risk assurance and capacity for liability mitigation , that can be provided to the individual in in a specific context.