ANCR Feedback to W3C DPV - Notice and Consent

It has been noted that the W3C DPV has had an impact on ISO/IEC 27560, and that its proposed changes threaten the use of the standard for online notice and consent receipts, which was the purpose of 27560 to begin with.

In this regard, members of the ANCR WG have raised this item for review by the ANCR WG and Kantara Initiative, in particular how the W3C DPV version of notice and consent impacts the consent receipt work represented in ISO/IEC 27560. In particular, it allows for multiple purposes in notice, and for consent records without permission to be identified, which is the opposite of the design of the Kantara Consent Receipt.
This feedback therefore challenges the accuracy of the W3C DPV in relation to the GDPR, transparency, and the requirements for digital identification for consent.

First and foremost, this refers not to the ‘identity of the individual’ but to the technical identification of a PII principal, and the surveillance of that individual with that identifier, in a consent record.

The purpose of the Kantara Consent Receipt is to generate a notice record of the permission to be identified for the PII principal, who could then use this record as a consent receipt to manage digital identification. It is also intended for a Consent Receipt to be used to replace/convert cookies and the like.

This consent receipt was designed according to explicit legal requirements and terms, not using digital identification industry terms like ‘identity’, which co-opt the human and legally defined term for a term that references digital surveillance.

In particular, in the context of the W3C DPV, which is semantically specified to the GDPR, these are the references to which the Consent Receipt is legally specified:

  • Referencing Guidelines 05/2020 on consent under Regulation 2016/679

    • “64. Furthermore, there may be situations where a data controller is processing personal data that does not require the identification of a data subject (for example, with pseudonymized data). In such cases, Article 11.1 may also be relevant as it states that a data controller shall not be obliged to maintain, acquire, or process additional information to identify the data subject solely to comply with the GDPR.”

  • In Article 29 Working Party: Guidelines on transparency under Regulation 2016/679

    • “106. At the same time, the duty to demonstrate that valid consent has been obtained by a controller should not in itself lead to excessive amounts of additional data processing. This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but shouldn’t be collecting any more information than necessary.”

 

GDPR References for Transparency

EDPB Guidance on Transparency
(Article 29 Working Party: Guidelines on transparency under Regulation 2016/679)

Guidelines 05/2020 on consent under Regulation 2016/679

  1. Introduction - "Transparency is an overarching obligation under the GDPR

"2. … transparency is now included as a fundamental aspect of these principles. Transparency is intrinsically linked to fairness and the new principle of accountability under the GDPR."

  1. The concept of transparency in the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors.

  2. The quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects.

  3. The transparency requirements in the GDPR apply irrespective of the legal basis for processing and throughout the life cycle of processing.

 

 

 

 


18. Of course, the use of digital layered privacy statements/ notices is not the only written electronic means that can be deployed by controllers. Other electronic means include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices, and privacy dashboards. Non-written electronic means which may be used in addition to a layered privacy statement/ notice might include videos and smartphone or IoT voice alerts. “Other means”, which are not necessarily electronic, might include, for example, cartoons, infographics or flowcharts. Where transparency information is directed at children specifically, controllers should consider what types of measures may be particularly accessible to children (e.g. these might be comics/ cartoons, pictograms, animations, etc. amongst other measures).

36. WP29: Recommends that the first layer/ modality should include the details of the purposes of processing, the identity of controller and a description of the data subject’s rights.

 

(Note: For TPR Measurement Purpose)

(Furthermore this information should be directly brought to the attention of a data subject at the time of collection of the personal data e.g. displayed as a data subject fills in an online form.) The importance of providing this information upfront arises in particular from Recital 39. While controllers must be able to demonstrate accountability as to what further information they decide to prioritise, WP29’s position is that, in line with the fairness principle, in addition to the information detailed above in this paragraph, the first layer/ modality should also contain information on the processing which has the most impact on the data subject and processing which could surprise them. Therefore, the data subject should be able to understand from information contained in the first layer/ modality what the consequences of the processing in question will be for the data subject (see also above at paragraph 10).

39. “Push” and “pull” notices (like the Consent Receipt)

Another possible way of providing transparency information is through the use of “push” and “pull” notices. Push notices involve the provision of “just-in-time” transparency information notices while “pull” notices facilitate access to information by methods such as permission management, privacy dashboards and “learn more” tutorials. These allow for a more user-centric transparency experience for the data subject.

38. …

 

WP29 recommends that the first “layer” (in other words the primary way in which the controller first engages with the data subject) should generally convey the most important information (as referred to at paragraph 36 above), namely the details of the purposes of processing, the identity of controller and the existence of the rights of the data subject, together with information on the greatest impact of processing or processing which could surprise the data subject.

(Note: I recommend translating the term “Purpose” used above into “permissions” for digital identity.)

Footnote 14

The requirement for transparency exists entirely independently of the requirement upon data controllers to ensure that there is an appropriate legal basis for the processing under Article 6.

Furthermore, obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality.