
Update 

This document presents a summary update to the ANCR WG and Consent Receipt community on some of the key issues, and the solutions that address them, since MVCR v0.8 (when the spec was frozen), for review by the ANCR WG.

The Original Use Case – To replace / advance the online opt-in's contract of adhesion with a privacy agreement model that includes standardized privacy rights access, independent of the technology and service provider. In this way the 'concerns' are separated, and service providers can dramatically reduce data processing risk, transfer liability, and reduce the burden of policy on people with an international standard.

The v1.2 completes the Minimum Viable Consent Receipt use case which started the consent receipt work, including an analysis of what was broken in v1.1, preparing the way forward for a V2 receipt specification. The scope of this receipt specification is the legally required technical fields for extending personal data governance online.

Key challenges were a lack of maturity and granularity in the operational semantics of the legal frameworks, specifically a) the technical semantics of delegation, authority, and control, b) enforceable privacy law (GDPR), and c) standards for notice and consent (ISO 29100 and 29184). The update therefore addresses an international set of terms and definitions, Notice content controls, and a consent structure format, so that people can consent to control and transfer their own data to another entity (locally or across jurisdictions).

The focus is on the delegation of authority and the jurisdictional fields for a proof of notice and consent record, called an ANCR Record in this v1.2. With it, people can technically own their own records of consent and data control; generate, with a trusted 3rd Party Notary, proof of notice and evidence of consent; track their own consents and purposes; and, because of this, technically generate notifications for access and rights, requesting standardized transparency with a Consent Receipt.

The standardization of terminology, controls, notice and notification for maintaining a state of consent can all be automated with Consent Receipts, utilizing standards for legal semantics to implement the power of linked data and render records/receipts that provide people with transparency over the risk and performance of human-centric data controls.

Key Updates

  1. In April 2020 the ISO/IEC SC 27 Committee started an ISO Working Draft based on the Consent Notice Receipt
  2. The Consent Notice Receipt was published in Appendix D of ISO/IEC 29184 (June 6, 2020), titled 'Online privacy notice and consent'
    1. this establishes the Consent Notice Receipt as an authoritative data governance tool to provide transparency over the control and interoperability of data processing by services between jurisdictions
  3. V1.1 to V1.2 Notice, regarding 'well known issues and developments' (WKID) updates:
    1. delegation (on-behalf)
    2. proof of notice receipt
    3. Consent Notice Receipt (Human Definition)
      1. a receipt to prove awareness of any policy or notice regarding surveillance: a physical sign, a blinking light, T&Cs, privacy policies, cookie notices, online consent forms etc., any notice or notification that informs people about the active state of processing and accountability.
      2. Consent is a human-centric term which is technically a multi-permissioned active state at any one point in time, reflecting hidden and personal capabilities per context (biological, social, legal, but more importantly the physical environment, which dictates the security and control considerations for the individual).
      3. generated from the notice and/or sign presented to the Individual in the Individual's physical context, indicating the system permissions, data protection and control scopes relevant to the person and context.
      4. the consent notice receipt MUST function to link privacy rights information and access into the processing context, using a receipt for proof and for post-interaction access to those rights.
    4. a key challenge was the legal ontology for Purpose Specification
      1. to address this, Kantara CISWG members supported
        1. the launch of the W3C Data Privacy Vocabulary Group on the eve of the GDPR at the ODI in London, in conjunction with MIT Media Lab
      2. updating / replacing the MVCR Appendix with the contributions of the Personal Data Categories from Jason Cronk (revised by the Open Consent Group), now an agreed and adopted category basis for semantic control interoperability
      3. Purpose category is better defined as a trust framework, for a code of conduct and practices, better nuanced as an identity governance scheme, as an audit or (micro)credential and certification. Codes of conduct are often championed at a national and international level to be approved by Data Protection and Privacy Regulators for an industry and sector.
    5. Legal Justifications for Processing
      1. For people, the purpose is used to make choices and decisions; it is used to inform people so they can grant consent or assent in some way for a specified purpose.
      2. Behind this purpose specification is the legitimacy of the processing, which is technically broken down into recognized legal reasons for surveillance
        1. Now greatly simplified with the GDPR setting an international standard, and ISO 29184, as a set of standard legal justifications:
        2. Consent
        3. Contract
        4. Legitimate Interest
        5. In the Public's Interest
        6. for the Vital Interest of the Individual
        7. for a required legal obligation
      3. With a conformity assessment built in, any notice can be extended to provide a consent notice receipt to a person, whereby standards are used to specify the legal justification, purpose and data categories, so that the rights available to the person are accessible and viewable in context (the objective of the CR receipt format), regardless of service and terms.

 

Governance Interoperability: Standardized Privacy Notice Semantics for Transborder identity and data governance 

Governance Interoperability across

Human 

People must first have some sort of notice that they are providing consent before consent is possible. People must first be aware of surveillance before it can be trusted, consistently depended upon, or trustworthy in context. This is required for human usability and is described in terms of transparency (or conformance assessment) of the notice and its effectiveness for privacy risk management and data governance.

Legally

A privacy notice is the only required element for all personal data privacy processing across all privacy-legislated jurisdictions; the harmonization of the legal semantics comes via international standards and the adoption of best practices. Notice is the most similar across all jurisdictions, and it is also the only privacy element that is constant in all frameworks.

Notice for security, privacy, health and safety is universally required in governance, and where there is none, as with big data, there is little to no provenance.

Technically : Decentralized Governance 

Active-state event receipts enable in-context transparency to support rights that are proportionate and reciprocal, meaning that the Individual can see the active state of the legal entity and the status of the service, independent of the service (reciprocal transparency), and then has the choice to use rights as defined by legal justification and context.

Legal Justification Standards for Dynamic Data Flow Controls

For high privacy assurance and transparency, an online privacy notice can be structured and labelled to automate the permissioning over the flow and control of processing.

For online services, there is more than one legal justification operating at once. For example, explicit consent to a PII Controller most often requires secondary processing by a third party under a contract-based framework, legitimate interest for tracking service renewals, legal obligations to flag fraud, and implementation safeguards for public and vital interest access, e.g. the emergency health responder.

An Individual manages/governs by consent to purpose, and a system's authority is provided by specifying the legal justification; this is a key point and nuance to highlight in order to understand how notice can aid in the interoperability of governance between systems.

For transparency, a consent notice receipt can come in these 6 legal flavours of purpose specification, framed by privacy regulation as the overarching scheme/trust framework for all parties.

  1. Explicit Consent Notice Receipt
  2. Contract Notice Receipt
  3. Vital Interest of Individual (Vital Interest Notice Receipt)
  4. Legal Obligation (Legal Notice of Monitoring Receipt)
  5. Legitimate Interest (Essential-Use Notice Receipt)
  6. Public Interest (Public Health, Safety, Security Notice Receipt)

In all contexts, notifications inform the lifecycle of the legal justification for processing and its relationship, and receipts render this lifecycle, making transparent the active state to which rights apply in context, and what performance of those rights people are legally entitled to expect.

 

The CR V1.2 updates the CR V1.1 Structure & Generation of a Receipt

The receipt is further defined and its fields broken down into:

  1. Part 1: Required Notice of Controller Identity Fields - the capture of the identity of the controller, and the physical context of the notice for processing provided by the controller
  2. Part 2: Legal Justification and (service) purpose specification, to generate a consent notice receipt from the notice presented to the Individual
  3. Part 3: the human interaction point, in which proof of the notice being provided/read is captured and a Consent Notice Receipt is generated.

Additional information for data control & accountability provenance can be nested in the receipt to provide a higher level of automated privacy assurance, to better mitigate risk and liability.

Consent Types

The Consent Receipt Framework exposes the legal requirements that are required to administer consent, further defines the governance of permissions and the application of preference. Online, or with sensory infrastructure, consent (and consensus) is implied in public spaces when processing personally identifiable information.

The CR V1.2 WD 2 generates a consent record from an interaction with a Notice or Sign, for which, for security, the PII Controller needs to be identifiable and verifiable. The ANCR Record is an iteration of the prefix of the CR V1.1.


The consent receipt framework is consent by default; the anchor record is the Consent Receipt prefix, used to capture legal entity information and to generate a consent notice receipt.

The receipt is further defined and its fields broken down for use by a privacy framework for conformance assessment, which is based on the lifecycle of a specific notice for processing personal data for a specified purpose; the purpose is used to define the consent grant, which provides the scope of permissions for a digital identifier management system.

  • Flow of Architecture: the PII Principal creates and controls Anchored privacy notice records for Privacy Assurance
  • For Example
    • a self-asserted PII Controller ANCR record provides a tier 0 privacy assurance
      • if held by the PII Controller on behalf of the PII Subject, then this is not compliant
        • it must be witnessed by a 3rd Party Privacy Assurance Provider
      • a self-asserted PII Principal ANCR Record
        • is held by the PII Principal, and used to generate consent notice receipts
  • Conformance assessment use cases for 27560 for the PII Principal:
    • use of the receipt as evidence for proof of notice and consent
    • use of receipts as proof of awareness for an identity management system
    • use of the receipt to see the state of the privacy / consent lifecycle, so that people can automatically see what to expect without reading a privacy policy or terms, with direct access to digital use of privacy rights
  • Consent Grant Roadmap - Scope protocol for Identity management system permissioning
    • Consent Grant (human scope) - Identity Management = technical permission and access controls
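The assurance notes above (self-asserted controller record at tier 0, non-compliant when held by the controller on the subject's behalf unless witnessed by a 3rd Party Privacy Assurance Provider, and the anchor record serving as the receipt prefix) can be checked mechanically. The following is an added example, not the WG's code and not an ISO 27560 artefact: the record layout, the `asserted_by`/`held_by` fields, the tier labels other than tier 0, and the use of HMAC-SHA256 as a stand-in for a notary signature are all assumptions of this example.

```python
"""Added illustration of the ANCR (anchor) record assurance notes above.
Record layout, the tier labels beyond tier 0, and the HMAC stand-in for a
notary signature are this example's own assumptions (not the WG's or 27560's)."""
import hashlib
import hmac
import json

# Constructed self-asserted PII Controller record (Part 1 style controller
# identity and notice context fields; key names assumed for this example).
CONTROLLER_RECORD = {
    "asserted_by": "pii_controller",
    "held_by": "pii_principal",
    "controller_name": "Example Clinic Ltd",
    "controller_jurisdiction": "GB",
    "notice_location": "https://example.invalid/privacy-notice",
    "notice_time": "2020-06-06T09:00:00+00:00",
}

# Constructed key of a third-party Privacy Assurance Provider (the notary).
PROVIDER_KEYS = {"pap-example": b"constructed-provider-key"}


def record_digest(record):
    """Canonical SHA-256 over the record content, excluding any witness block,
    so the attestation covers exactly the controller-asserted fields."""
    body = {k: v for k, v in record.items() if k != "witness"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def witness_record(record, provider_id, provider_key):
    """Third-party Privacy Assurance Provider attests the record.
    HMAC-SHA256 stands in for a real notary signature here (assumption)."""
    tag = hmac.new(provider_key, record_digest(record).encode(), "sha256").hexdigest()
    return {**record, "witness": {"provider": provider_id, "tag": tag}}


def witness_is_valid(record, provider_keys):
    """True only if the witness block was produced by a known provider over
    the record as it stands now (any later edit to the fields breaks the tag)."""
    w = record.get("witness")
    if not w or w.get("provider") not in provider_keys:
        return False
    expected = hmac.new(provider_keys[w["provider"]],
                        record_digest(record).encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, w.get("tag", ""))


def assess(record, provider_keys):
    """Return (assurance label, compliant) following the notes above: a PII
    Principal's own record is held by the Principal; a self-asserted controller
    record is tier 0 and, if held by the controller on behalf of the subject,
    is not compliant unless witnessed by a third party."""
    if record["asserted_by"] == "pii_principal":
        return ("principal-held", record["held_by"] == "pii_principal")
    if witness_is_valid(record, provider_keys):
        return ("witnessed", True)        # label assumed for this example
    if record["held_by"] == "pii_controller":
        return ("tier0-self-asserted", False)
    return ("tier0-self-asserted", True)  # held by the Principal, not the controller


def receipt_prefix(record):
    """The anchor record is the Consent Receipt prefix: carry the controller
    identity fields plus the record digest as a stable reference."""
    prefix = {k: record[k] for k in ("controller_name", "controller_jurisdiction",
                                     "notice_location", "notice_time")}
    prefix["ancr_record_id"] = record_digest(record)
    return prefix


if __name__ == "__main__":
    witnessed = witness_record(CONTROLLER_RECORD, "pap-example",
                               PROVIDER_KEYS["pap-example"])
    print(assess(CONTROLLER_RECORD, PROVIDER_KEYS))   # ('tier0-self-asserted', True)
    print(assess(witnessed, PROVIDER_KEYS))           # ('witnessed', True)
    print(receipt_prefix(witnessed)["ancr_record_id"])
```

Because the digest excludes the witness block, the receipt prefix derived from a witnessed record and from the same record before witnessing carry the same `ancr_record_id`, while any change to a controller field after attestation invalidates the witness tag and drops the record back to tier 0.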

Updating from v1.1 - represented by submission to ISO 27560

  • delegation 
  • jurisdictions 
  • personal data categories
  • consent record structures
    • purpose fingerprint
    • purpose 

V1.2 : Consent Receipt Framework

Intro - Implements PasE Protocol with 2FC


V1.2.1 :  ANCR Record Conformance

  • First Factor Notice for PII Principal 
  • Fields for DS location require a verifier
    •  verifying (or synthetic) attribute 
    • a specified legal jurisdiction 
    • quality of notice of control receipt 
    • quality of service purpose specification receipt
  • PII Controller
    • notice location
    • legal jurisdiction
    • governing framework - e.g. t&c's? 

V1.2.2 : Consent (Notice) Receipt:27560

  • Extend with Legal justification to specify purpose for a service 
    1. Specifying the Legal Justification for data processing in a notification 
    2. Specifying Data Categories
    3. Specifying Data Treatment   
    4. Specifying Security 

V 1.2.3 : Rights Access & Automation 

  • rights with ANCR Record
    • universal context right
      • right to information about privacy and security 
        • right to see controller and purpose(s)
        • legal requirement for presenting risk 

V 1.2.4 : Consent Validation - The Life cycle of a consent 

  • Active State of Consent Validation 
    • identity governance controls and scope
  • Consent Grant for Identity Protocol Governance 
    • Scope of a Consent Grant Represented in the User Managed Access Protocol 
      • use of consent gateway for consent grant validation
  • Protocol Scope Use Cases
    • UMA
    • SAML / eIDAS
    • FAPI
    • GNAP

V 1.2.5 :

  1. Privacy as Expected - Part 3: Consent by Design - operational conformance - standardizing signalling - UI interaction point conformance - proof of notice and transparency/accountability assurance
    1. 29184 notice controls and consent structure 

V 1.2.6 Data Governance Interoperability 

  • Privacy Framework for Gov interop for Security/Surveillance, Evidence and Policing
  • Re-Issuing Identity Credentials with a native and local identity service - rather than exporting a federation into foreign governance models (e.g. Contracts / T&C's) 
  1. Transparency Assurance

V 1.2.6 Topics Raised to be Reviewed / Refined and Addressed in Roadmap to V2

  • Delegation
  • Jurisdiction (physical location proof) 
  • Consent Types Defined in v1.2
    • explicit
    • implied
    • directed
    • altruistic

Consent Notice Receipt (MVCR Finished = v1.2)  

...


WKD ISSUES

The CR v1.1 as published had known challenges; these have been addressed and are specified here in the v1.2 update.  CR v1,


CR v1.2 Format Structure and Fields

  

  1. Notice field object
    1. Location & Time 
    2. Location – twin - 
    3. Physical Device - 
  2. PII Controller object
    1. Jurisdictions, 
  3. Link to physical notice 
  4. Extend it (Legal Justification)  
  5. Privacy Stakeholders 
  6. Categories of controllers  
  7. Consent Purpose Specification (v.1.1) 
  8. Purpose Category 
  9. Purpose Descriptions  
  10. Purpose Sensitive Categories of Data  
  11. Sensitive data category  
  12. Personal Data Category  
  13. Personal Data Types/attributes etc  
  14. Personal Data Processing Treatment 
  15. Storage 
  16. Security (cert/signed key)
  17. Extensions –Requirements (according to Context)  

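The three-part receipt structure (Part 1 notice of controller identity, Part 2 legal justification and purpose specification, Part 3 the human interaction point), the six legal flavours of receipt listed earlier, and the field list above describe a data structure that can be checked for conformance. The following is an added example, not the WG's code and not the ISO/IEC 27560 field set: the JSON layout, the key names (`notice_of_controller`, `purpose_specification`, `proof_of_notice` and the fields inside them), the sample receipt and the exact check rules are assumptions of this example, chosen to mirror the update's wording.

```python
"""Added illustration: a conformance check over a Consent Notice Receipt shaped
after the three-part structure and the six legal justifications in this update.
Key names, JSON layout and check rules are this example's own assumptions, not
the fields of ISO/IEC 27560 or of the WG's specification."""
from datetime import datetime

# The six legal justifications listed in the update, mapped to the receipt
# profile named for each (order follows the "6 legal flavours" list).
LEGAL_JUSTIFICATIONS = {
    "consent": "Explicit Consent Notice Receipt",
    "contract": "Contract Notice Receipt",
    "vital_interest": "Vital Interest Notice Receipt",
    "legal_obligation": "Legal Notice of Monitoring Receipt",
    "legitimate_interest": "Essential-Use Notice Receipt",
    "public_interest": "Public Health, Safety, Security Notice Receipt",
}
# Consent types the update lists for v1.2.
CONSENT_TYPES = {"explicit", "implied", "directed", "altruistic"}

# Part 1 (notice of controller identity) and Part 3 (human interaction point)
# fields this example treats as required; names assumed.
PART1_REQUIRED = ("controller_name", "controller_jurisdiction", "notice_location", "notice_time")
PART3_REQUIRED = ("interaction_time", "proof_of_notice")

# Constructed sample receipt: explicit consent plus contract-based third-party processing.
SAMPLE_RECEIPT = {
    "notice_of_controller": {
        "controller_name": "Example Clinic Ltd",
        "controller_jurisdiction": "GB",
        "notice_location": "https://example.invalid/privacy-notice",
        "notice_time": "2020-06-06T09:00:00+00:00",
    },
    "purpose_specification": [
        {"purpose": "appointment booking", "legal_justification": "consent",
         "consent_type": "explicit", "data_categories": ["contact", "health"]},
        {"purpose": "payment processing by third party", "legal_justification": "contract",
         "data_categories": ["financial"]},
    ],
    "proof_of_notice": {
        "interaction_time": "2020-06-06T09:05:00+00:00",
        "proof_of_notice": "notice-acknowledged-by-click",   # constructed token
    },
}


def validate_receipt(receipt):
    """Return the list of conformance problems; an empty list means it passes."""
    problems = []
    part1 = receipt.get("notice_of_controller", {})
    for key in PART1_REQUIRED:
        if not part1.get(key):
            problems.append(f"part1: missing {key}")

    purposes = receipt.get("purpose_specification", [])
    if not purposes:
        problems.append("part2: at least one purpose specification is required")
    for i, p in enumerate(purposes):
        lj = p.get("legal_justification")
        if lj not in LEGAL_JUSTIFICATIONS:
            problems.append(f"part2[{i}]: unknown legal justification {lj!r}")
        if lj == "consent" and p.get("consent_type") not in CONSENT_TYPES:
            problems.append(f"part2[{i}]: consent purpose needs a consent type")
        if not p.get("data_categories"):
            problems.append(f"part2[{i}]: no personal data categories specified")

    part3 = receipt.get("proof_of_notice", {})
    for key in PART3_REQUIRED:
        if not part3.get(key):
            problems.append(f"part3: missing {key}")
    # Proof of notice cannot be recorded before the notice itself was presented.
    try:
        notice_at = datetime.fromisoformat(part1["notice_time"])
        seen_at = datetime.fromisoformat(part3["interaction_time"])
    except KeyError:
        pass  # already reported as missing above
    except (ValueError, TypeError):
        problems.append("timestamps must be ISO 8601 date-times")
    else:
        if seen_at < notice_at:
            problems.append("part3: interaction precedes the notice")
    return problems


def receipt_profiles(receipt):
    """Name the receipt profile for each purpose, per the six legal flavours."""
    return [LEGAL_JUSTIFICATIONS.get(p.get("legal_justification"), "unknown")
            for p in receipt.get("purpose_specification", [])]


if __name__ == "__main__":
    print(validate_receipt(SAMPLE_RECEIPT))   # []
    print(receipt_profiles(SAMPLE_RECEIPT))
```

Each purpose carries its own legal justification, which is what lets one receipt combine an explicit-consent purpose with a contract-based one, as the earlier paragraph on multiple justifications operating at once describes; the validator reports every defect rather than stopping at the first, so a conformance assessment can show the person all of what is missing.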
Notice & Notifications

Notice can itself be extended with a Notification for the maintenance of a consent record and a consent-based relationship. Notice Receipts facilitate a Semantic Governance Framework.

A notice of controller is the first section of the receipt (section 1), and can be extended with these receipt profiles:

  • Contract Notice Receipt 
  • Vital Notice Receipt  
  • Notice of (legal) Obligation Receipt  
  • Legitimate Interest Notice Receipt  
  • Public Interest Notice Receipt  

Notification  

notifications 

Rights Consent Notice Receipt 

Privacy- and surveillance-based rights are applied to context according to the legal justification, which is confusing even for the experts.

  • Withdraw Consent 

Consent Notice Receipts (Lifecycle)


The spectrum of consent has multiple vectors  

...