Privacy as Expected is a legal standard, explained technically here as a notice signalling protocol for managing human expectations of personal data processing.
https://privacy-as-expected.org/
In the PaE.G project we specify the Active State Transparency Privacy Risk signal for use with web browsers and demonstrate transparency over the active state of the PII Controller, in order to present a privacy-as-expected signal, including disclosures, that manages what people can expect. The PasE protocol is designed to implement operational transparency over access to privacy rights by default, and to be usable so that an individual can directly manage their own privacy expectations.
The internet (full of RESTful APIs) is missing the active state of a verified organization and its accountable person, also known as the privacy controller credential (see ToiP). This is an online privacy security measure, especially in the context of people, yet most identity management efforts are about activating the identifier for the individual. This represents the signalling gap that must be closed to indicate a level of trustworthiness and transparency independent of the service provider's identity management system.
T&Cs and their associated online privacy policies do not implement privacy rights and are not written to standards. What is currently called an online privacy policy is a static document that facilitates contracts of adhesion and ignores data sovereignty and provenance. It cannot enable dynamic use of privacy rights, as it is missing the active privacy state information required to use those rights, all of which is required in privacy legislation globally and is a core consideration for security standards.
In the NGI Trust project we focused on developing a privacy rights signalling protocol that is human centric (which means notice based), leveraging multiple semantically interoperable standards and specifications from ISO, W3C, Kantara and ToiP, as a contribution to the Consent Receipt v1.2 Framework at the Kantara Initiative ANCR WG.
The rights protocol is called Privacy as Expected (PasE): a privacy notice signalling protocol that people can see and trust, in order to automate the use of privacy rights in online environments.
The PasE protocol implements international (ISO/IEC) standard semantics from the open ISO/IEC 29100 and W3C Data Privacy Vocabulary legal ontology to generate a semantically standardized and linked record. The record is owned and controlled by the person and is used to produce Consent Notice Receipts (published in the appendix of ISO 29184, the online privacy notice and consent standard). The protocol is implemented as a demo for this project: the first time the browser add-on interacts with a website's data controller, it creates an ANCR record of that controller for automating access to privacy rights.
The PasE protocol is displayed as a signal the next time a Data Subject uses the same service online (or encounters the same data controller online). Using traffic light colours: green means there is no change in the active state of control; yellow means there was a non-material change (and a notification is waiting); red means there is a material change, and a notice must be reviewed and accepted to continue using the service.
It is simple for people: each new session interaction creates a linked consent notice receipt, which is compared against the previous receipt to show a signal indicating whether or not privacy is as expected. This provides a point at which to interact and access the use of privacy rights.
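As an added illustration (not code from the project), a minimal Python model of the receipt comparison just described: the previous and current receipts for one controller are diffed and mapped to the green/yellow/red signal. The receipt field names, and which of them count as a material change, are assumptions made for illustration rather than the project's ANCR record structure.

```python
"""Added example (not the project's code): a minimal model of the PasE
traffic-light comparison between the previous and current consent notice
receipt for one data controller. Field names and the material/non-material
split are assumptions for illustration, not the project's ANCR record."""
from typing import Dict, List, Optional, Tuple

# Assumed classification: who controls the data, for what purpose and on what
# legal basis are material; a changed contact address or policy link is not.
# Fields in neither set are treated as material so the check fails closed.
MATERIAL_FIELDS = {"controller_id", "accountable_person", "purposes", "legal_basis"}
NON_MATERIAL_FIELDS = {"contact_email", "policy_url"}

Receipt = Dict[str, object]


def diff_receipts(previous: Receipt, current: Receipt) -> List[str]:
    """Return the names of all fields whose value differs between two receipts."""
    keys = set(previous) | set(current)
    return sorted(k for k in keys if previous.get(k) != current.get(k))


def pase_signal(previous: Optional[Receipt], current: Receipt) -> Tuple[str, List[str]]:
    """Map the receipt comparison to the signal the add-on shows.

    green  - no change in the active state of control: streamline the session
    yellow - non-material change only: a notification is waiting
    red    - material change: the notice must be reviewed and accepted
    none   - first encounter: the record is created, nothing to compare yet
    """
    if previous is None:
        return "none", []
    changed = diff_receipts(previous, current)
    material = [f for f in changed if f in MATERIAL_FIELDS or f not in NON_MATERIAL_FIELDS]
    if material:
        return "red", changed
    if changed:
        return "yellow", changed
    return "green", []


# Constructed sample receipts for one fictitious controller over three sessions.
SESSION_1: Receipt = {
    "controller_id": "example-controller", "accountable_person": "DPO A",
    "purposes": ("newsletter",), "legal_basis": "consent",
    "contact_email": "privacy@example.test", "policy_url": "https://example.test/p/v1",
}
SESSION_2 = dict(SESSION_1, policy_url="https://example.test/p/v2")  # link moved: yellow
SESSION_3 = dict(SESSION_2, purposes=("newsletter", "profiling"))    # new purpose: red
```

A real add-on would compare notarized receipts returned by the Consent Gateway rather than local dicts, but the decision logic is the same.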
The PasE protocol is implemented with a notice and notification best practice called 2 Factor Notice for Online Meaningful Consent (2FC), demonstrated with a browser add-on in the NGI-PasE Consent Gateway project. The first layer is a notification signal that is visual and accessible in context.
If privacy is as expected, the receipt is used to signal a green light in order to streamline the service experience. The receipt works like a reverse cookie (it is an ANCR record owned by the individual), eliminating the need for services to provide repetitive notices and notifications, or to make people read privacy policies to see what their rights are, since rights preferences are kept by the person and asserted in context for more dynamic control of data sharing.
The first factor notice is provided by the PasE add-on, implementing standardized notice semantics via the browser (independent of service providers). The first notice presented confirms, or registers, the identity of the data controller with a Consent Gateway.
The second factor notice is a capture of the website's privacy notice upon Data Subject interaction (or personal data provision), e.g. an "I agree" button, a submit button, a cookie notice, a privacy policy link, etc. This second factor interaction generates the consent notice receipt, which is sent to the Consent Gateway to be notarized before being sent to the Data Controller as a privacy rights notice.
The response performance of the Data Controller is measured by the gateway and reported back to the Data Subject when the next receipt for this Data Controller is sent to be verified, along with any notification of changes to the privacy status of the data controller (as monitored by the Consent Gateway) and of the service's data controller with whom the Data Subject is interacting. This provides a signal at the discovery point for privacy notice and rights knowledge, reporting, monitoring and access.
The result: people are able to see whether access to privacy is at risk, and how and by whom their personal data is being controlled.
To complete the project, the PasE protocol is contributed back to the Kantara Initiative ANCR WG, where it will be published under a FRAND license. The protocol is then able to include controls from ISO/IEC 29184, "Online Privacy Notice & Consent", which are implemented in notices, notifications and disclosures with the W3C Data Privacy Control Vocabulary.
Finally, it is contributed as comments, via a Kantara Liaison agreement, to the ISO/IEC 27560 Consent Record Structure standard (for receipts) by Aug 16, for working draft 3.
Identity management requires that a state change notification for privacy should, at a minimum, be linked to a log detailing the change using standard semantics, so that the change can automatically be understood by people.
This protocol is managed with receipts, which in the PasECG project are publicly registered with a Consent Gateway so that all stakeholders can see proof of notice and whether the consent grant is active.
When combined with a receipt, this notice can be used to provide an active state signal that is decentralized and specific to the person's (human centric) view of the expected state of the Controller of the online service. This transparency is a universal notice requirement for processing personal data: it is required in all privacy laws unless there are specified legal exemptions and derogations, which should themselves be noticed to people as a surveillance risk.
As the opposite of a cookie, it captures the identity surveillance relationship and the policy state so that people can a) see and identify the relationship according to purpose, and b) see what state the relationship is in the next time the service is used and/or wants permission to process personal information.
This basic signalling protocol can be further extended to the services that process personal data, for notice of consent, and can then be used to manage rights and the consent relationship across a consent lifecycle, for example with a consent notice receipt.
This then becomes a usable identity governance framework, providing a degree of usable transparency to mitigate online service risks, and is required for healthcare and medical research, contact tracing and the like.
Where notice and consent is positive, the provider is responsible for the quality and accuracy of its notices and notifications. When active state is implemented or mandatory in an environment, people can control their information and experience more dynamically and directly, without intermediaries, for much higher trustworthiness.
As opposed to just T&Cs, this can be further enhanced to enable people and organisations to use privacy law directly as a trust framework that supersedes terms and conditions, with transparency that is independent of services and in addition to terms and conditions.
Protocol Outline
Semantic Standards Stack for Human Centric - user centric - control semantics