Consent Receipt v1.1 Work Backlog

• A formal data model
• A JSON representation of the data model

A formal data model is needed

There are missing definitions for key terms in the specification, "Purpose Category" is an example

Lack of required elements in the data model to genuinely encoded consent. Missing are:

• use cases covered by consent, purpose category is a start but the list and range of types needs to be part of the standard

• time element of consent e.g. access for 30 minutes, for one month, one year, 3 months in perpetuity etc..

• frequency of access e.g. once a month, upto five time

• recency to prevent over use within specific time frames

• limits set on data volumes resulting from a request

• coverage of the ability to write data either in form of an update or new entry

• Statement of protocol the consent was given over e.g. UMA, OpenID Connect, or any other number of protocols. Individual's need to know consent receipts can work across multiple domains and protocols

• SPLIT UP
• Some inputs into data model item
• (break out) PURPOSE CATEGORY: each one could have recommended practices developed (suggestion: collect purpose categories submissions via form or email list)
• Recommendations for practices to satisfy particular use cases
• More clear definition of PURPOSE CATEGORY meaning

What is the required coding of jurisdictions? (IS0 3166-1?) Is this the jurisdiction of the contract or of processing? If the later, then multiple jurisdictions will be needed – array or delimited list?

---

For 'jurisdiction' I suggest you define a format for the value of this element, to promote interoperability. This may require an additional document or standard, if nothing exists yet in another domain; but I think that real-world implementations will struggle without it.

• MORE ANALYSIS NEEDED
• Comment: jurisdiction is not uniformly at a country level
• Action: clear context of 'jurisdiction' - is this country level? Regulation level? Province/State level?
• Is this the country that the regulator exists in?
• Based on Action - will determine what data format. In today's practice, what are orgs specifying in the notices they already issue?

JL09

AH02

The following fields are missing:

1) the ability to record multiple (joint) data controllers,

2) a defined retention period (in seconds) for the collected data &

3) a field defining the language of the receipt.

• SPLIT
• 1) Add the ability to have multiple/joint (is this about 3rd party, chained, joint, flow-down, etc?)
• 2) Add the field and specify it
• 3) Add this and Use the ISO standard to specify what written language is in use

• Issue 1: the data storage format shall be specified in UTC time zone
• Issue 2: usability and display formats shall be considered when displaying information to people
• Issue 3: should there be 2 fields - one for the UTC time and another for the 'localized' time which includes the timezone?

• Lower priority
• Review the meaning of 'collection method' field

• Specify that the CR ID shall be a UUID-4 (including relevant references to define that)

• Check to see if the JSON includes data types - and bring those back into the field definition text.

• v1.1: state that wherever URIs are specified that RFC whatever is in effect.
• The field is currently a free-form text field and not intended to include any particular text format.
• Decision needed: if a URI is specified where the target is mutable, it defeats the purpose.
• Implication: are we requiring that data controllers keep copies of every policy that ever existed.

• Not really feasible to specify a maximum field length in the core spec
• Guidance - suggest that field lengths should go in a profile of the specification

• This is out of scope for the specification itself, but probably a good idea.
• Is this a request to have registration authorities or independent registries that contain this information.

(i) Signature The rationale for including the PII Controller's public key (but not the signature) in the list of receipt contents is not clear, especially as the form of the key and signature are left unspecified beyond the JWT recommendation in section 7.3. The example key in Appendix B.3 doesn't seem to clarify the intended use. Also, should the policy statement be included in the content covered by the digital signature? This would seem reasonable, as most of the protection offered to the PII Principal (if any) is dependent on the policy.

Introductory comments from Jens Kremer - more on attachment provided (a commented v1.0.0 spec): The definition of consent is not in line with the broad understanding of the term in data protection law. Consent is defined as ‘Consent is an individual agreeing to allow an organization to collect, use, and/or disclose their data, and data about them, according to a set of terms and conditions defined by the organization.’ Consent, however, should be ‘…any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;’. This appear to mix consent with contract or agreement. It is important to keep consent and contract separated, because these are entirely different concepts. Surely, one ‘consents’ to signing a contract, but Data Protection law (and especially the GDPR) takes a very different stand. This problem is reflected throughout the paper, and results in a mix up of concepts throughout (see detailed comments).

The terminology in the paper uses ISO standards. Particlularily with the recent push of regulation in Europe, and in global data protection law, it may make sense to adjust the terms to be in line with global data protecton standards (OECD, UN, COE, and especially GDPR).

The document seems to understand ‘consent’ as a transferable and tradeable commodity rather than an expression of a persons will and interest. This is problematic. Beyond consent, other important concepts such as ‘purpose’ may require clarification if not reformulation.

One of the most challenging issues with the specification is that it seems to adopt a very problematic, controller/processor centered approach to consent. Conditions seem to be defined by that entity, and the consent is tracked mainly from that perspective. This is rather problematic as it disregards the role of data subjects. This is certainly not in line with the principles of data protection. Especially not with GDPR.