~ COnSeNT 2021 ~

Author(s): Paulina Jo Pesch - University of Innsbruck, Austria

In the world of online marketing, Consent Management Providers (CMPs) are on the rise. CMPs collect online users’ consent to the processing of their personal data by publishers and ad-tech vendors. At the same time, there are reasonable doubts about the compliance of the existing market standard with the General Data Protection Regulation (GDPR). This could potentially create compliance risks for the companies adopting the standard, in particular for ad-tech vendors that – in the pre-CMP era – were invisible to users.

This paper reveals drivers and obstacles for the adoption of the Transparency & Consent Framework (TCF) by ad-tech-vendors, gained in semi-structured interviews with representatives of Global Vendors List (GVL) members. It presents novel insights into ad-tech vendors' perspectives. It particularly shows existing market pressure and reveals ad-tech vendors' confusion and doubts about the TCF's compliance with the GDPR.

Author(s): Piero Bonatti - University of Naples Federico II, Italy; Jonathan Langens - Tenforce, Belgium; and Luigi Sauro - University of Naples Federico II, Italy

Being compliant with the GDPR (and data protection regulations in general) is a difficult task, that calls for manifold, computer-based automated support. In this context, several use cases related to the management and the enforcement of privacy policies and consent call for a machine-understandable policy language, equipped with reliable algorithms for compliance checking and explanations. In this paper, we outline a set of requirements for such languages and algorithms, and address such requirements with a framework based on a profile of OWL2 and a set of policy serializations based on popular formats such as ODRL and JSON. Such “external” policy syntax is translated into the “internal” OWL2 syntax, thereby enabling semantic compliance checking and explanations using specialized OWL2 reasoners. We provide a precise definition of both the OWL2 profile and the external policy language based on JSON

Authors: Beatriz Esteves - Universidad Politécnica de Madrid, Spain; Harshvardhan J. Pandit - Trinity College Dublin, Ireland; and Víctor Rodríguez-Doncel - Universidad Politécnica de Madrid, Spain

Solid, the emerging technology for organizing data in decentralized stores, relies on a simple authorization mechanism for granting access to data. Solid’s personal online datastores (Pods) are ideal for keeping personal data, as they allow individuals to represent the access permissions in a very simple manner using Access Control Language (ACL) expressions. Whereas these expressions suffice for yes/no and read/write permissions, they cannot represent more complex rules nor invoke regulation-specific concepts. This paper describes an extension of the ACL language and algorithm to implement consent and data requests. The extension is based on the Open Digital Rights Language (ODRL) policy language, which allows expressing rich rules, and the Data Privacy Vocabulary (DPV), which permits invoking privacy and data protection-specific terms. Some usage examples illustrate this proposal.

Author(s): Soheil Human - University of Economics and Business, Austria; Niklas Kirchner - Sustainable Computing Lab, Austria; Mandan Kazzazi - Vienna University of Economics and Business, Austria; Gustaf Neumann - Vienna University of Economics and Business, Austria

The concept of informed consent plays a central role in digital regulations such as the European GDPR. As a result, the study and development of accountable information systems should be based on a careful analysis and understanding of this very concept. However, the normative role of context-sensitivity in consent as well as potential intersectionality of consent is often overlooked in the process of personal data accumulation and re-use. In this paper, based on a human-centric perspective on digital consenting and using the case of direct-to-consumer genetic testing, we elaborate on the distinction between consent to personal data processing for commercial purposes and consent to personal data donations intended for research. In applying the concept of contextual integrity by Helen Nissenbaum, we will argue that these contexts imply diverging privacy expectations and intentions that need to be accounted for in the emergence of genetic data markets. We hope that this approach can contribute towards the development of accountable and human-centric information systems dealing with consent and privacy management.

Author(s): Marietjie Botes - IRiSC, Snt University of Luxembourg, Luxembourg; and Arianna Rossi - IRiSC, Snt University of Luxembourg Luxembourg

With emerging technologies such as genome research and the digitization of health records comes the need for new models of informed consent. In this climate of innovation people are often prone to explore the latest technological advancement as possible solutions, including for informed consent. In this paper, we present the design and evaluation of a so-called low-tech informed consent solution that was designed specifically for the informational and cultural needs of a vulnerable indigenous population, i.e., the San of South Africa. This low-tech solution took the form of a comic and, although it could enhance understanding and identification, the costs and labour intensity of comic design and the deriving limitations on its scalability should be critically considered in the light of a digitised and more standardized solution.

Author: Vitor Jesus - PrivDash, UK

This position paper present and discusses new requirements for Privacy and Data Protection. We first raise misalignments of current Privacy regulations; from it, we propose the Start-from-the-End approach to online Privacy by putting the focus on the later stages of the lifecycle of Personal Data and, thus, re-empower the user at all stages