Some background on the thinking that has gone into the design of a consent receipt specific to safe harbour.
One of the biggest issues with moving data across jurisdictions is the different laws. This is in addition to the complexity of difference cultures and different contexts that create expectations of data use. This is why data protection and privacy in the context of cross border data transfers is so difficult.
A preferred way to expedite data transfers is for people to control their own data and to consent to its access, rather than only its transfer. (A new and developing layer of technical capability affectionately called Consent 2.0)
A consent receipt is like a reverse (VRM) cookie, its a record that people get to track organisations and what they share about them. It collects the identity attributes that are provided, the purpose they are provided for and who they are shared with. The Consent Receipt can also carry assurances, trust marks, security promises and even reputations.
Combined with UMA, a consent receipt is a tool to show how personal control over data means that it can stay in a jurisdiction, and be shared with others. In essence people can control access to data and create their own safe harbour to transfer data across borders.
Regardless of who the data controller is, a key benefit of a consent receipt for organisations is the ability to add, record and provide jurisdictionally based notice requirements to a consent notice. Demonstrating compliance (or not) by the notices provided with the privacy policy for sharing and data use. Combined with model contract clauses, which are used to assure liability and define data controls, consent receipts address Privacy Policies while model contracts address Terms of Use policies.
In the EU, notice and consent is required for all personal data collection and sharing. In the US, explicit notices are required for consent for sensitive data. Data covered by federal laws like COPPA, GBLA, HIPPA, and the like.
In every jurisdiction sensitive data comes with specific, legally defined, notice requirements, that are localised. All sensitive personal data transfer requires explicit consent and notice that are intended to assure informed consent. It is for this reason that a consent receipt has been designed to highlight sensitive data, both what an individual considers sensitive and what the law considers sensitive, so that PII can be shared.
If an organisation doesn’t meet legal notice requirements across jurisdictions, then it doesn’t matter what model contract clauses are used, the consent is not informed and compliant for sensitive data collection and sharing. In fact, model clauses can become a source of toxic liability and can be used to hold the data controller or processors liable. (which builds trust)