Informed Consent & the processing of personal data


The context

Jan Lindquist is an expert in next generation consent certification, based on distributed ledger technology. He has been heavily active in ISO standardisation, and has notably been co-editor of ISO/IEC 27560:2023 with Harshvardhan Pandit, from Dublin City University, who is leading the paper. He is the founder of Linaltec, providing consulting expertise on auditing, data governance, and general data engineering considerations. Jan Lindquist is also a member of the Swedish Institute for Standards, with a particular focus on privacy and digital identity.

The challenges

'Informed Consent' is an important legal basis in privacy debates in the digital field, as it gives data subjects or users control and empowerment through the ability to choose and make decisions. Privacy and data protection laws such as the EU's GDPR regulate this process by defining the conditions under which consent is considered Valid Consent (set out in Article 7 and Recital 42).

The process of Informed Consent requires that information be provided, in the form of a Consent Notice, to inform the data subject about the processing that will occur on the basis of the consent and to enable them to make an informed choice or decision.

It is therefore important to keep a record of how the consent was obtained and how that consent is being used. This is what is known as a 'Consent Record'. The work covered here addresses this dimension at the technical level.

As a second step, the work carried out also has strong potential to support the implementation of the Data Governance Act's requirements.

How standardisation activities help face the challenges

With particular support from StandICT.eu, ISO-27560 Consent record information structure was developed as a Technical Specification that “specifies an interoperable, open and extensible information structure” for recording the data subject's consent to the processing of their personal data.

The specification lists the information fields that represent specific information associated with consent, together with requirements on the form this information can take, e.g. its format, the number of values, and whether it is mandatory or optional. It complements the earlier ISO/IEC 29184:2020 Online privacy notices and consent, which describes the information to be provided within privacy notices.

ISO-27560 allows flexibility in how the fields are represented, so that they can match domain-specific labels or descriptions, and in the introduction of additional fields or information types where they are needed.

This work received high-level recognition when it won the best research paper award at ENISA's Annual Privacy Forum 2024, further disseminating the findings and the practical implementation of the work.

The Benefits

Consent receipts are a relatively new and under-utilised practice, with no legal requirements that refer to the concept of receipts or state how they should be used. In addition, the usefulness of receipts as information provided to another entity requires consideration of the specific terms and norms of the domain or sector concerned.

ISO-27560 accommodates this by giving organisations the flexibility to choose a schema suited to their particular domain or use-case. It defines a minimal structure consisting of a few fields representing the receipt metadata, but places no requirements on how the information within the receipt is structured or on its correspondence to fields within the record. An ISO-27560 conformant consent receipt requires only a metadata section providing information about the consent receipt, such as its identifier.

Secondly, the standardisation work conducted has a high impact in supporting stakeholders' compliance with the EU's GDPR, and potentially in the future with the Data Governance Act.

Future plans

ISO-29184, on which the new TS builds, has already been approved as an EN. Work is now ongoing on a proposal with the Irish and Swedish national bodies to recommend the adoption of ISO-27560 as an EN too. Further, a proposal has also been submitted to the relevant ISO committees to make the ISO-27560 standard freely accessible, as its guidance is valuable for responsible innovation.

Having these standards as ENs provides a strong framework for their use in regulation, such as for notice and consent under GDPR. However, merely adopting the standards on an ‘as-is’ basis will not be sufficient. For example, the terminology in 29184 and GDPR has crucial differences which must be identified, and appropriate guidance developed, to enable ISO-29184 to be used with GDPR.

The work carried out is also strongly relevant to the EU's upcoming Standardisation Request on Trusted Data Frameworks. Article 25 of the Data Governance Act requires the Commission to produce a common consent form that will provide information in both human- and machine-readable forms. Based on the analysis in this article demonstrating their usefulness in meeting GDPR requirements, ISO-27560 together with ISO-29184 should be used to define what information should be present in these forms. ISO-29184, the standard for privacy notices, provides the human-oriented representation of the information in the consent form, while ISO-27560 and the Data Privacy Vocabulary (DPV), developed by the W3C Data Privacy Vocabularies and Controls Community Group (DPVCG) and chaired by Harshvardhan Pandit, provide the machine-readable representation. The advantage of using these standards is that the resulting solution would be useful not only in the EU but globally, due to the global scope of ISO. The further advantage of using DPV here is that it provides common semantics based on W3C standards, supports extensions for specific jurisdictions (such as the EU with GDPR and DGA), and offers an extensive taxonomy supporting practical use-cases that promote interoperability.