Dear Leadership Council, 

Your support of the request for ISO/IEC 29184 Online privacy notice and consent to be free to access

The ANCR WG had a motion to support the request for 29184 to be free to access.

As it is now, the security and privacy controls in 29184 for notices are not available for the consent record framework in ANCR. This is why the ANCR WG motioned to support the request for 29184 to be made open, and to make it clear that there is great demand, and even an urgent need, for standardized digital transparency and Consent by Design.

ANCR WG has identified a clear gap in trust of digital identity management driving demand for standards that enable people to manage their own digital identity and security risks.

In this regard, an important request was made during the recent plenary in Manchester, UK: to make the ISO/IEC 29184 Online privacy notice and consent standard free to access. As our work on the Consent Receipt was specified to supplement this standard, without it being free to access, we would not be able to directly use it.

In addition, as this standard specifies transparency, it has great value for the Consent by Design work at the ANCR WG. In fact, 29184 would provide excellent benchmarking criteria for regulators and policy makers, and with the support of the Kantara community we could make it possible for this consent work to fulfil its purpose of addressing misinformation in security, digital identity, AI and personal media management technology.

For this purpose, on 28 May, I sought assistance from Canada’s National Mirror Committee for ISO/IEC in this effort. Below you can find a summary of my argument for doing so.

Now we ask if the LC and the Kantara community will join in supporting this effort through the ISO/IEC liaison. You would not only be furthering our shared goal of enhancing digital privacy and transparency but also moving towards ensuring transparency and trust in digital identity practices worldwide, a topic on which there is broad and growing consensus.

Thank you for your consideration.

 Mark / ANCR WG

Why open access matters
29184 was developed to supplement the freely accessible ISO/IEC 29100 security and privacy techniques framework. Our work at the Kantara Initiative has long focused on standardizing notice to enable managed consent and control over data access on a large scale. This effort began more than a decade ago at the W3C - Do Not Track and Beyond conference, where Ashkan Soltani, Reuben Binns, and I presented on the need for notice and transparency standards in online security and privacy.

The business case for standardizing digital transparency
There is a compelling business case for ISO/IEC to lead in standardizing digital transparency for security, privacy, and digital identity management. A robust set of international transparency standards would compel industries to adopt ISO/IEC’s paid security standards, such as 27001, 27002, and 27701. These standards provide specific requirements and guidance for establishing a Privacy Information Management System (PIMS).  Acting now to facilitate data governance and security interoperability will enable ISO/IEC to lead this competitive practice internationally. 

International impact and interoperability
Our commitment to this project is driven by 29100’s influence in developing international privacy instruments that are interoperable with GDPR and, importantly for Canada, the CoE Convention 108+. Expected to be ratified by 2025 at the latest, Convention 108+ will provide Canada with an international data governance instrument for security and privacy across the Commonwealth, encompassing 56 countries and 2.5 billion people. Convention 108+ mirrors the GDPR Chapter 1 Transparency Modalities section, and 29100 has been the only international standard we can use to create an international transparency standard that scales consent with identity management internationally.

The implications for Kantara
Last August, ISO/IEC 27560 Consent Record Information Structure was published, derived from the Kantara Consent Receipt V1.1 specification. This specification was designed to supplement both 29100 and 29184. When 29184 was published, the Consent Notice Receipt was included in Appendix B. Consequently, our work at Kantara on notice and consent receipts can contribute as a regulatory tool to assess the conformance and compliance of PII Controller notice records and credentials, benchmarking compliance with 29184 natively.

In our ANCR WG, we developed a Transparency Performance Scheme for creating conformant PII Controller records, as a legal record of processing to assess the performance of transparency and legal validity of consent. To further this work and utilize 29184 for it to support an international standard for digital privacy transparency and consent (notice record and receipts), it, along with the ISO/IEC 27560 Consent record information structure, must be open and freely available to use for public digital infrastructure.