Introducing Privacy Receipts into DLT and eIDAS
DOI: https://doi.org/10.13052/jicts2245-800X.1121
Keywords:
Privacy, GDPR, consent, DLT, blockchain, identity management, eIDAS, digital identity, wallet
Abstract
The introduction of digital identification (e.g., eIDAS) and wallet standards (e.g., the EUDI wallet) requires compliance with privacy principles and clear communication of those principles through a privacy notice and a record of consent in the form of a privacy receipt. Regulation needs standards to set the bar for reducing the risk of privacy infringement. Without a standards-based implementation, solutions will be proprietary and siloed, with no concern for interoperability, as with the privacy labels in the Google and Apple app stores. Do existing standards address the gap, or do new ones need to be introduced? This article examines the standards and regulations in three areas to answer this question: privacy protection standards, blockchain and DLT standards, and digital identification and wallet standards.
References
ISO/IEC 29100:2011. Information technology – Security techniques – Privacy Framework https://www.iso.org/standard/45123.html
Data Governance Act. https://www.consilium.europa.eu/en/press/press-releases/2022/05/16/le-conseil-approuve-l-acte-sur-la-gouvernance-des-donnees/
GDPR. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) https://eur-lex.europa.eu/eli/reg/2016/679/oj
ePrivacy. REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52017PC0010
eIDAS. REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0281&from=EN
ISO/IEC 27701:2019. Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines https://www.iso.org/standard/71670.html
ISO/IEC 29134:2017. Information technology – Security techniques – Guidelines for privacy impact assessment https://www.iso.org/standard/62289.html
ISO/IEC 29151:2017. Information technology – Security techniques – Code of practice for personally identifiable information protection https://www.iso.org/standard/62726.html
ISO/IEC FDIS 27556. Information security, cybersecurity and privacy protection – User-centric privacy preferences management framework https://www.iso.org/standard/71674.html
ISO/IEC 29184:2020. Information technology – Online privacy notices and consent https://www.iso.org/standard/70331.html
ISO/IEC AWI TS 27560. Privacy technologies – Consent record information structure https://www.iso.org/standard/80392.html
Kantara Initiative. Consent Receipt Specification 1.1.0, published December 30, 2019 https://kantarainitiative.org/download/7902/
ISO/TR 23244:2020. Blockchain and distributed ledger technologies – Privacy and personally identifiable information protection considerations https://www.iso.org/standard/75061.html
ISO/TR 23249:2022. Blockchain and distributed ledger technologies – Overview of existing DLT systems for identity management https://www.iso.org/standard/80805.html
ISO/DTR 23644. Blockchain and distributed ledger technologies – Overview of trust anchors for DLT-based identity management (TADIM) https://www.iso.org/standard/81773.html
ISO/TS 23635:2022. Blockchain and Distributed Ledger Technologies – Guidelines for Governance https://www.iso.org/standard/76480.html
European Digital Identity Architecture and Reference Framework – Outline, published February 22, 2022 https://ec.europa.eu/newsroom/dae/redirection/document/83643
W3C Data Privacy Vocabulary (DPV) https://w3c.github.io/dpv/dpv/
Creating a Vocabulary for Data Privacy, The First-Year Report of Data Privacy Vocabularies and Controls Community Group (DPVCG) Harshvardhan J. Pandit, Axel Polleres, Bert Bos, Rob Brennan, Bud Bruegger, Fajar J. Ekaputra, Javier D. Fernández, Roghaiyeh Gachpaz Hamed, Elmar Kiesling, Mark Lizar, Eva Schlehahn, Simon Steyskal & Rigo Wenning https://link.springer.com/chapter/10.1007/978-3-030-33246-4_44
Hyperledger Aries RFC 0167: Data Consent Lifecycle https://github.com/hyperledger/aries-rfcs/tree/main/concepts/0167-data-consent-lifecycle
NGI essif-lab ioc, Automated Data Agreements https://www.ngi.eu/funded_solution/essif-ioc-30/
DIF Claims & Credentials – data agreement work item https://github.com/decentralized-identity/data-agreement
COnSeNT 2021 – ODRL Profile for Expressing Consent through Granular Access Control Policies in Solid, Beatriz Esteves https://www.slideshare.net/BeatrizEsteves23/consent-2021-odrl-profile-for-expressing-consent-through-granular-access-control-policies-in-solid
ISO/IEC 27001:2013. Information technology – Security techniques – Information security management systems – Requirements https://www.iso.org/standard/54534.html
ISO/IEC 27002:2022. Information security, cybersecurity and privacy protection – Information security controls https://www.iso.org/standard/75652.html
ETSI Electronic Signatures and Infrastructures Activities https://portal.etsi.org/TB-SiteMap/esi/esi-activities
ISG PDL activity report 2021 https://www.etsi.org/committee-activity/activity-report-pdl
ISO/IEC JTC 1/SC 27/WG 5 “Identity management and privacy technologies” – WG5 SD1 Roadmap https://www.din.de/resource/blob/259644/c0aa4373b3c56277cab61cd15b5f1368/sc27wg5-sd1-data.pdf
Lorrie Faith Cranor. Mobile-App Privacy Nutrition Labels Missing Key Ingredients for Success. Communications of the ACM, November 2022, Vol. 65 No. 11, Pages 26–28 https://cacm.acm.org/magazines/2022/11/265814-mobile-app-privacy-nutrition-labels-missing-key-ingredients-for-success/fulltext