Privacy Rights & Receipt Types v0.2 (in Draft)

Owned by Mark Lizar (Unlicensed)
Last updated: Sept 28, 2021
6 min read

Introduction

This (N&)Consent Receipt Framework v1.2, illustrates  the  CR v1.1 consent receipt record field structure for consent as the privacy rights paradigm in which other legal justifications are presented as derogation to the state of consent, captured with a consent receipt.

A common problem for all stakeholders is applying which rights relate to a specific context and stakeholder,  Online, this challenge is more complex as there are multiple legal justifications involved in every interaction, 

This CR Framework breaks the consent  record structure into 3 segments, the prefix, the purpose specification and data access and treatment rules.  

A  consent receipt is semantically driven from inputs, from, a notice, sign or signal.  

  1. the initial receipt is used to create an anchored record for the assertion of data sovereignty by PII Principal

  2. Use the ANCR record to generate a consent receipt by choosing / confirming the legal justification, which represents a consent type and onto of this the legal justification is layered.

  3. **  implement this specification choose the receipt type for the legal justification, display the consent label in the receipt and privacy rights information access for the context of processing  

  4. The notice receipt is extended by the legal justification for processing

    1. Each type of Notice receipt is defined by a legal justification mapped to a consent type label for human record processing and privacy rights. 

    2. The legal justifications are represented generically, and based on those defined in the GDPR and  guidelines like those found in Canadian  privacy for meaningful consent.

Table 1: Consent Receipt Types for Legal Justifications & Consent Type Labels for Notice Liability Transfer

Consent Paradigm Controls - matching - Privacy Rights to data controls that re specified for data context governance and trust.  

Layering legal justifications onto of a consent receipt to modify the rights and permission scopes.  

“Consent is not the only lawful basis for the processing of PII and thus not always required. “  The aim of this specification is to modernize the consent exceptions to account for new digital realities that were not anticipated when these laws were originally adopted. 

In 29184, generic set of lawful basis are adopted and specified from the GDPR. 

  1. consent

  2. contractual necessity,

  3. compliance with legal obligations,

  4. vital interest, 

  5. public interest, and 

  6. legitimate interests

 [ISO/IEC 29184]

Receipt Type

GDPR Legal Justification

Definition

Privacy Rights (7)

Consent Type Label - Profile Label (Art 30)

Liability/Obligation

Controller / Provider liability in the chain for personal data

#Not Enough info to be consent

NA

when their are not enough information elements for a notice to provide a consent type.

N/A - To provide legal notice - which includes what notice Fake Notice Should Be Reported by Investigator

no legal justification type detected or contact of adhesion defined as consent

OPN-MDC-Receipt transfers liability.
3 liability to Risk Category

  • civil

    • contract / industry framework / person

  • privacy

    • person / privacy / government

  • technology

    • certification / insurance

Contract Notice Receipt

Contractual Necessity

 personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Subject Access, Rectification, Restrict Processing (3)

Note; must by binding on processors to be valid.

Implicit-Contractual Necessity


Legal Notice Receipt

Legal Obligation

processing is necessary for compliance with a legal obligation to which the controller is subject.

Subject Access, Rectification, Restrict Processing (3)

Consent Not Applicable


Emergency Notice Receipt

Best/Vital Interest of Data Subject,

When consent is not required is when it is legally deemed in the best interest of the data subject to disclose and process personal information. Vital interests are intended to cover only interests that are essential for someone's life. 

Subject Access, Rectification, Restrict Processing, Automated Individual Decision Making(4)

No Consent is Needed


Public Notice Receipt

Public Interest, Public Org Surveillance

ask carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(e) and Recital 45

Subject Access, Rectification, Restrict Processing, Object, Automated Individual Decision Making (5)

Consent Not Required


Legitimate Notice Receipt

Legitimate Interest

  1. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Subject Access, Rectification, Erasure, Restrict Processing, Object, Automated Individual Decision Making (6)

No Consent Needed


Consent Receipt

Consent

a consent receipt is by default using the legal justification of consent, unless further specified, with additional legal justification which supersedes consent.   purpose can be implied by context and is implicit by the action of PII Principle 

Subject Access, Rectification, Erasure, Restrict Processing, Object, Automated Individual Decision Making (6)

Implicit Consent


Implied-Consent Receipt

Consent  

the consented purpose is in some way implied through the explicit action of the person, e.g. walking through door, entering personal data in a form, or opting-out

Subject Access, Rectification, Erasure, Restrict Processing, Data.Portability (5)

Implied Consent


Consent Notice Receipt (ISO 29184 Appendix)

Consent

informed and meaningful consent is explicitly specified to a purpose of use, in such. a way that it is clear data will be processed only in the manner specified

Subject Access, Rectification, Erasure, Restrict Processing, Data.Portability (5)

Explicit Consent


Altruistic Consent Notice Receipt

Consent 

the Person defines the privacy requirements of the consent in a Privacy Agreement, where the individual understands and is aware, because the person set the terms. The consent still needs to conform to the legal requirements of Explicit Consent


Subject Access, Rectification, Erasure, Restrict Processing, Data.Portability (5)

Consent Directive - Certified Awareness Level


  1. N/A - Not A Privacy/Surveillance Notice - no legal justification present : No valid notice for processing personal data provided.

  2. Contract Notice Receipt - Contractual Necessity - used for any type of contract | Implicit-Contactual necessity

  3. Legal Notice Receipt - Legal obligation to process personal data | Consent not applicable

  4. Emergency Notice Receipt - Vital interest of the Individual (Master data controller) | No consent needed

  5. Public Notice Receipt - processing in the vital interest of the public - (e.g. pandemic) | No consent needed

  6. Legitimate Processing Notice Receipt - processing is necessary for the purpose of legitimate interest | No consent needed

  7. Implicit Consent Notice Receipt - consent is implicit through the record action of the master data controller | Implicit

  8. Implied Consent Notice Receipt - this is where the service provider implies a mutual state of awareness and understanding from a previous and still valid explicit consent | Implied Consent

  9. Consent Notice Receipt - an explicit notice receipt for providing privacy risk information and for a consent receipt (see Appendix ISO 29184)| Explicit Consent or consent

  10. Consent Directive Notice Receipt - explicit pre-defined consent and permissions for contributing data to research, data commons, community health etc. | Consent Directive.  Consent Directives themselves can / are themselves standardised with a privacy agreement framework 

Terms & Definitions

  • Operational Notice Receipt Type(s) -  A Consent Notice Receipt is defined in Table 1 refer to the type of legal justification use for processing personal information, which may be utilised by any legally defined justification

  • Consent Type Label - Record Processing Label for Human Centric Privacy AI

  • Consent Type Profiles - A consent type label defined by a legal justification for processing personal data/meta-data/identifiers, mapped to the GDPR privacy rights, which are linked in an Operational Notice & Consent Receipt V1.2

  • Master Data Clause/Controls - for Operational Notices & Consent Receipt

  • Notice & Consent Receipt V1.2 Specification

Proposed for automated Privacy rights administration specifying Consent Type Label defined by legal justifications for processing personal data. 

Notes on making class : liability of processing – (movement of processing liability between parties for use of rights)

  • Legal Justification + Purpose of Use define obligations - The roles are obligated according to how the controller is engaged. This obligations provide liabilities -

  • Consent - Take liability for claim/responsibilty -= withdraw consent - remove the credit and liability -

Expectations: expect to happen, make happen, doesnt happen, didn't expect to happen-

  • data source liable for data provided - false claim -

  • data operator liable for - miss-use - how does anyone know ?

If clause is use then the liability is transferred for a contract deliverable - referring the prescribed standard application - Napoleonic Code


Data subjects have the right to object to you processing their data. You can only override their objection by demonstrating the legitimate basis for using their data. 

Notes for Implementors Conformance Testing Consent Types

Checklist: To determine  Notice have the 4 minimum requirements:

  1. identity of controller and accountable point of contact

  2. contact information for privacy rights access

  3. purpose description  

  4. legal justification for processing personal data (or consent type)

  1. In this policy context does the notice have ?

    1. Dark patterns identified, is there an appropriate ;

      1. opt-in,

      2. opt-out

      3. no opt-in (or) opt-out -

      4. Terms of Service Framework

      5. No Transbordar - metadata privacy mechanism

      6. presentation of risks ]

  2. Is this notice, a notification of an existing Notice or Consent - already active ?

    1. yes

    2. no

Always ensure that a link to find more information is directly connected or even linked from the Consent Type for best practice.

Test 2: Instructions for Deploying a Consent Type

To use a consent type,

  1. First identify the legal justification for processing personal data

    1. if base legal justification is consent (subject to Terms of Service) this is fake privacy and not consent

  2. Use the table to find the Receipt Type - and use the corresponding consent type label in the receipt provided

  3. Add the Consent Type to the first Notice a person encounters

  4. Link the notice to the policy explaining its use

Always ensure that a link to find more information is directly connected or even linked from the Consent Type for best practice.