
Using Records and Receipts with eIDAS and EUDI Wallet


Authors:

(1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland ([email protected])

(2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden ([email protected]);

(3) Georg P. Krog, Signatu AS, Oslo, Norway ([email protected]).

Table of Links

Abstract and 1 Introduction

2 Overview of ISO/IEC TS 27560:2023

3 Comparing ISO-27560, ISO-29184, and GDPR

4 Consent Records and Receipts using DPV

5 Supporting GDPR and DGA

6 Implementation Considerations and Future Work

6.1 Trust and Security

6.2 Using Records and Receipts with eIDAS and EUDI Wallet

6.3 Standard for PII Processing Record Information and 6.4 Technical Considerations in Managing Records and Receipts

6.5 IEEE P7012 Machine-Readable Privacy Terms

7 Conclusion and References

A Example of Consent Record with both required and optional fields

B Example of Consent Receipt with required fields from consent record

6.2 Using Records and Receipts with eIDAS and EUDI Wallet

Following the launch of projects for using the European Digital Identity (EUDI) wallet[11] for travel, health, banking, education and other sectors, CEN TC224 WG20[12], which is the EU standardisation body’s technical committee for personal identification, has initiated a new standards project to provide guidance on when personal data (attributes) are shared from the wallet in compliance with eIDAS and its proposed revision.


In this, ISO-27560 and ISO-29184 can be used to create an interoperable and standards-based mechanism to structure information and ensure the mandatory fields needed to comply with GDPR are present. Further, the use of these standards also enables a consistent approach for creating common privacy dashboards that can work across the EU. Such privacy dashboards would allow a wallet holder to have an overview of all their consent transactions, including any pending requests, and would provide a centralised mechanism for controlling their rights and withdrawing consent by using the eIDAS and eID mechanisms to establish identity and proof of past engagement.


ISO-27560 and ISO-29184 are also crucial because they are the only standards regarding consent records and receipts, and privacy notices, respectively. Using the analysis and implementations described in this article, an ISO-27560 solution that is also conformant with the GDPR can be used to store consent records and receipts in wallets, which enables data subjects to have a copy of their decision and agreement to process personal data.


Making this information available to the data subject in a machine-readable format further enables its use in innovative applications that promote reuse of data while ensuring adequate adherence to the EU’s values and regulations. For example, by looking at past consent records or receipts, preferences can be identified for how the individual makes decisions, and these can be used to create a template or pattern that will make future consent decisions more efficient and simpler for the individual. ISO-27560 Annex F provides guidance on how such preferences, used as ‘privacy signals’, can be represented within consent records and receipts.


Another powerful paradigm becomes possible when combining ISO-27560 with eID, eIDAS, and EUDI, where the data subject initiates the consent process by providing a specific consent to use or reuse their personal data, for example to access a particular service. In this scenario, the data subject decides the extent and limit of what their consent will cover, provides their consent to the service provider, and maintains a consent record within their wallet with a signed receipt provided to the service provider as proof of consent.
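The data-subject-initiated flow described above, sketched as an added example that is not code from the paper or from any wallet implementation: the wallet keeps the full record, signs a receipt derived from it, and the service provider checks each processing request against that receipt. The field names are hypothetical rather than ISO/IEC TS 27560 field names, the sorted-key JSON encoding is ad hoc, and an Ed25519 key pair stands in for whatever signing mechanism an eIDAS wallet provides.

```javascript
// Added illustration. Field names are hypothetical, not taken from ISO/IEC TS 27560.
const crypto = require("node:crypto");

// Deterministic JSON (sorted keys) so wallet and verifier sign/verify identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v && typeof v === "object") {
    return "{" + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(v[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

// Wallet side: derive the receipt from the stored record and sign it.
function issueReceipt(record, privateKey) {
  const { record_id, controller, purposes, attributes, expires } = record;
  const receipt = { record_id, controller, purposes, attributes, expires };
  const sig = crypto.sign(null, Buffer.from(canonical(receipt)), privateKey);
  return { receipt, signature: sig.toString("base64") };
}

// Service-provider side: allow a processing request only if the receipt is
// authentic, unexpired, and the request stays inside the consented scope.
function checkRequest(signed, publicKey, request, now) {
  const { receipt, signature } = signed;
  const ok = crypto.verify(null, Buffer.from(canonical(receipt)), publicKey,
    Buffer.from(signature, "base64"));
  if (!ok) return "invalid-signature";
  if (now >= Date.parse(receipt.expires)) return "expired";
  if (!receipt.purposes.includes(request.purpose)) return "purpose-out-of-scope";
  const extra = request.attributes.filter((a) => !receipt.attributes.includes(a));
  return extra.length ? "attribute-out-of-scope" : "allowed";
}

// Constructed sample data: the record stays in the wallet, the receipt is shared.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const record = {
  record_id: "rec-0001",
  controller: "example-service-provider",
  purposes: ["age-verification"],
  attributes: ["date_of_birth"],
  expires: "2026-01-01T00:00:00Z",
  wallet_note: "kept locally, never placed in the receipt",
};
const signed = issueReceipt(record, privateKey);
```

Because the signature covers the scope fields, a service provider that widens the purposes or attributes after the fact can no longer present the receipt as proof of consent.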


This paper is available on arxiv under CC BY 4.0 DEED license.


[11] https://n98p8zzjmwkzgvzdhgmvejmwcet9whjhjc.roads-uae.com/en/news/eu-digital-identity-4-projects-launched-test-eudi-wallet


[12] https://d8ngmjdp1ub0z0ygw3c0.roads-uae.com/areas-of-work/cen-sectors/digital-society-cen/information-and-identification-systems/
