ANCR:0PN-TFP for Age Assurance: Demonstrating Digital Governance Interoperability (draft v0.2)

(Draft) The premier use case for transparency and security over the surveillance of children, youth and community requires governed facial surveillance technologies, in order not only to include but also to protect the vulnerable and the 4th sector (non-identified) human.

[Note: The ANCR Age Assurance input, for reference.]

The ANCR WG and the Digital Transparency Lab contribute to the ANCR WG's work of developing specifications that enable global privacy rights through a Trust Framework Program called 0PN Digital Privacy and Transparency, a community interest charity with asset-locked community interest infrastructure for Digital Commons infrastructure development.

All of this work follows the OECD Guidelines and Convention 108+, using the ISO/IEC 29100 security and privacy framework for digital identity management, whose terminology is interoperable with the legal definitions used in Convention 108+ and the GDPR. This makes it the most authoritative legal and technical privacy framework, and it implements the 0PN:ANCR Trust Framework as specified by law using standards.

This enables the TP-Scheme to be used to produce an ISO/IEC 29100 standard record and Consent Receipt, which capture the transparency of any given technical context in a digital record and a (digital) consent receipt, enabling access to and control of information based on digital privacy rights.

Age Assurance technologies can implement the 0PN:ANCR framework to provide consent receipts when onboarding people into a service, and receipt consent tokens to manage and access the data according to the legal justifications and the bound technical permissions in the consent receipt.
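How a consent receipt can bind a legal justification to technical permissions, and how a receipt consent token derived from it can gate access to the data, as an added Python illustration (not code from the 0PN:ANCR framework or the ISO/IEC 29100 record format; the field names, the HMAC token format, the shared key and all sample values are assumptions constructed for this example):

```python
"""Added illustration, not 0PN:ANCR or ISO/IEC 29100 code: a consent receipt
binding a legal justification to technical permissions, a signed receipt
consent token, and an access check that enforces those permissions.
Field names, token format and sample values are assumptions for this example."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret shared by issuer and verifier

# Constructed sample receipt for an age-assurance onboarding (assumed fields).
RECEIPT = {
    "receipt_id": "rcpt-example-0001",  # placeholder, not a real identifier
    "pii_principal": "user-example",    # the person being onboarded
    "controller": "age-assurance-service.example",
    "purpose": "age assurance for service onboarding",
    "legal_justification": "consent",   # the legal basis recorded in the receipt
    # technical permissions bound to the receipt: data item -> allowed operations
    "permissions": {"facial_image": ["verify_age"], "date_of_birth": ["verify_age"]},
    "retention_seconds": 3600,
    "issued_at": 1_700_000_000,
}

def canonical(obj: dict) -> bytes:
    """Deterministic serialisation so every party computes the same hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_token(receipt: dict, key: bytes) -> dict:
    """Receipt consent token: the receipt hash, an expiry and an HMAC tag."""
    body = {"receipt_hash": hashlib.sha256(canonical(receipt)).hexdigest(),
            "expires_at": receipt["issued_at"] + receipt["retention_seconds"]}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}

def check_access(token: dict, receipt: dict, key: bytes,
                 data: str, op: str, now: int) -> tuple[bool, str]:
    """Permit an operation only if the token is genuine, unexpired, bound to
    this exact receipt, and the receipt's permissions cover (data, op)."""
    body = {k: v for k, v in token.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("tag", "")):
        return False, "token signature invalid"
    if token["receipt_hash"] != hashlib.sha256(canonical(receipt)).hexdigest():
        return False, "token not bound to this receipt"
    if now >= token["expires_at"]:
        return False, "consent token expired"
    if op not in receipt["permissions"].get(data, []):
        return False, f"no permission for {op} on {data}"
    return True, "permitted by consent receipt"
```

A use of the facial image for any purpose other than the one consented to is refused, as is a token whose expiry was altered after signing or a receipt whose permissions were changed after the token was issued.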

This standardised digital privacy transparency, with its records and receipts, brings assurance to accountability infrastructure, which lacked regulated transparency and consent until 2024, when three required things happened:

  1. Feb 17: the Digital Services Act came into force (the consent receipt was originally in that Act).

  2. March 7: the CJEU ruled on the commercial Transparency and Consent Framework ('I Agree' check boxes and buttons for plain-text privacy policies, effectively contracting privacy away without consent).

  3. March 8: the Digital Markets Act came into force.

All of this is a precursor to Convention 108+ coming into effect internationally, which is what we have been focused on here in the ANCR WG for quite some time. Convention 108+ comes into effect as the de facto international adequacy standard legally, and as the baseline for compliance for standards.


All of these apply greater legal scope and definition to what has already been legally defined and understood as notice and consent, but ignored by industry.

In terms of an international gold standard, the Quebec, Canada law came into force and is in effect, enforcing the requirement to provide a consent receipt, not only when requested but in Quebec.

These regulations officially started to come into force in August in the EU, with DPAs starting to fine companies in 2023.

Regulated -


March 7, 2024 - CJEU Judgment in Case C‑604/22 (IAB TCF)

I have read it in its entirety, it is a strong judgment. Here are some of my thoughts:

  1. Controllers/Joint Controllers do not have to have access to the personal data in order to be determined as a Controller/Joint Controller. It is enough that they either alone or jointly with others determine at least some of the purpose and/or means related to the processing of the Personal Data. In the IAB case, because IAB has rules for its Members on both how the preferences should be collected (in relation to the Consent Management Platforms) and how they should be used (in the case of the OpenRTB system), they are a Joint Controller (I have argued this point for years).

This doesn't just affect IAB's TCF - this effectively makes other platforms (think SaaS providers like Google Workplace, Office 365, Salesforce etc.) also Joint Controllers as they design the software in a way in which their customers have no control and as such are responsible for determining purposes and means. This brings me to another point I have been making for many, many years, in that these platforms are using Data Processing Agreements and passing themselves off as "Processors" in an attempt to reduce liability - those DPAs are, in my opinion, now invalid and should be replaced with Joint Controller Agreements.

  2. This does not just affect websites - the Court talks about websites and applications throughout the judgment - this means Mobile Applications, Desktop Applications and Operating Systems are *all* within scope of the judgment.

  3. The Court ruled that any processing of the personal data after the fact (by the third parties who use the TCF and OpenRTB system) over which IAB has no control, is not conducted on the basis of IAB being a Joint Controller (this should be considered as obvious, but it is worth mentioning since it was one of the questions specifically answered by the Court).

  4. The CJEU once again took a broad approach to the definitions supported by various recitals - making it clear that the GDPR exists to set a high standard of protection for Article 7 and 8 rights under the CFR.

  5. The Court made it explicitly clear that the collection and use of such personal data can only be lawful on the basis of consent (no legitimate interest), which of course was always the case due to the interplay between GDPR and the ePrivacy Directive (the latter of which only has consent as a legal basis and is lex specialis to GDPR).

What to expect next:
The case goes back to the Belgian Courts and will almost definitely result in the Belgian DPA's enforcement being upheld and further action against any company that continues to use the TCF system and new actions against the thousands of data brokers behind OpenRTB.

https://lnkd.in/dHB5MHTk


https://sd.iso.org/documents/ui/#!/doc/182c269a-8346-41ec-a4d1-b2bd9ced7a64