Hi Everyone,
Now that 27560 is going to be open, I have looked into recent work on 27560 and 29184, so I could try to locate where exactly the consent receipt use case has gone awry and, in addition, provide Transparency Report-specific references to support the use of Consent Receipts to enable Controller compliance.
It's clear the Consent Receipt use case to regulate digital identity trust and address surveillance capitalism is still a big deal, and something that perhaps the ANCR WG can support, to educate the industry on a way for human data control and interoperability with consent and identity management, aka the Consent Receipt.
To this end, I have drafted some comments/updates to the Consent Receipt use case, to the W3C DPV Group, and to provide the legal references to request updates to the proposed 27560.
Would these comments be supported by the ANCR WG?
Best,
Marl
Core Consent Receipt Use Case - Permission for Identification (or self-identifying with consent)
As the researcher, developer and editor of the Consent Receipt, and editor of the Transparency Performance Report at the ANCR WG, I would like to clarify the core use case for the consent receipt, to demonstrate how to decentralise the governance of digital identification and surveillance with enforceable privacy, transparency, and consent regulation.
To this end, I would request a review of notice and consent in DPV (and 27560), with regard to the associated guidance found in particular:
Referencing Guidelines 05/2020 on consent under Regulation 2016/679
(point to the guidance which has a different interpretation than what is provided here)
“64. Furthermore, there may be situations where a data controller is processing personal data that does not require the identification of a data subject (for example, with pseudonymized data). In such cases, Article 11.1 may also be relevant as it states that a data controller shall not be obliged to maintain, acquire, or process additional information to identify the data subject solely to comply with the GDPR.”
In Article 29 Working Party: Guidelines on transparency under Regulation 2016/679
“106. At the same time, the duty to demonstrate that valid consent has been obtained by a controller should not in itself lead to excessive amounts of additional data processing. This means that controllers should have enough data to show a link to the processing (to show consent was obtained) but shouldn’t be collecting any more information than necessary.”
The context of the use case
The consent receipt version 1.1, which was adopted as ISO/IEC 27560, was developed through five years of research and two years of drafting and volunteer community work, originating from Hackathons and Campaigns to stop the biggest lie on the internet, which is “Our Data Is Collected without Consent.” This is now shown to cause significant harms to society (references available upon request).
The Issue being addressed
If an individual must first be identified to access rights to stop being surveilled online, then privacy is not a right; it is a consumer protection with limited capacity to see and control who can surveil PII principals. This is referred to as the surveillance capitalism use case, which the MVCR and Consent Receipt work solves.
Key Points:
- Without this, people can be surveilled, their data scraped (like with AI), and then they have to opt-out of being tracked, referencing a ‘Consumer Protection’ Paradigm where privacy isn't a fundamental right, and consent is required to surveil people.
- The consent receipt is the solution to this challenge, using a standard interaction pattern, well-known in society for trust, that requires fair and proportionate transparency (as explained in Guidance for use of GDPR).
- It's very simple: Put up a sign, provide a notice, and ask for permission—fundamental components of human etiquette, being polite, and reducing frictions.
How does it work:
- How does this consent receipt work so PII principals can provide permission before being surveilled?
- A Controller presents their identity in a standard notice (layer 1 of online interaction).
- This generates a notified record when the PII principal interacts with it.
- That notified processing activity is mirrored as a consent receipt.
- A controller digital identifier is provided to the PII principal, instead of a PII principal identifier being taken secretly from the data subject.
- The data subject can use the receipt (in a secure private space like a digital wallet) to interact with the Controller, send more PII, provide permission to be digitally identified, and self-identify.
- Consent can be withdrawn with a click.
Please consider that at this time, 27560, which is called a consent record, uses a PII principal identifier in the record header (with an unknown 3rd party ID - for un-notified tracking of people), indicating that this is not consent but a USA-style consumer protection record. This has significant security and privacy implications, as USA law only affords US citizens consumer rights not afforded to EU or Canadians, under USA Foreign Intelligence Surveillance Laws.
As you can imagine, without a real consent receipt and transparency before surveillance, it provides people with much weaker consumer protection, and leaves Canadians open, without rights or data sovereignty, having a geo-political impact on the international market.