~ COnSeNT 2021 ~

Author(s): Paulina Jo Pesch - University of Innsbruck, Austria

In the world of online marketing, Consent Management Providers (CMPs) are on the rise. CMPs collect online users’ consent to the processing of their personal data by publishers and ad-tech vendors. At the same time, there are reasonable doubts about the compliance of the existing market standard with the General Data Protection Regulation (GDPR). This could potentially create compliance risks for the companies adopting the standard, in particular for ad-tech vendors that – in the pre-CMP era – were invisible to users.

This paper reveals drivers and obstacles for the adoption of the Transparency & Consent Framework (TCF) by ad-tech-vendors, gained in semi-structured interviews with representatives of Global Vendors List (GVL) members. It presents novel insights into ad-tech vendors' perspectives. It particularly shows existing market pressure and reveals ad-tech vendors' confusion and doubts about the TCF's compliance with the GDPR.

Author(s): Piero Bonatti - University of Naples Federico II, Italy; Jonathan Langens - Tenforce, Belgium; and Luigi Sauro - University of Naples Federico II, Italy

Being compliant with the GDPR (and data protection regulations in general) is a difficult task, that calls for manifold, computer-based automated support. In this context, several use cases related to the management and the enforcement of privacy policies and consent call for a machine-understandable policy language, equipped with reliable algorithms for compliance checking and explanations. In this paper, we outline a set of requirements for such languages and algorithms, and address such requirements with a framework based on a profile of OWL2 and a set of policy serializations based on popular formats such as ODRL and JSON. Such “external” policy syntax is translated into the “internal” OWL2 syntax, thereby enabling semantic compliance checking and explanations using specialized OWL2 reasoners. We provide a precise definition of both the OWL2 profile and the external policy language based on JSON

Authors: Beatriz Esteves - Universidad Politécnica de Madrid, Spain; Harshvardhan J. Pandit - Trinity College Dublin, Ireland; and Víctor Rodríguez-Doncel - Universidad Politécnica de Madrid, Spain

Solid, the emerging technology for organizing data in decentralized stores, relies on a simple authorization mechanism for granting access to data. Solid’s personal online datastores (Pods) are ideal for keeping personal data, as they allow individuals to represent the access permissions in a very simple manner using Access Control Language (ACL) expressions. Whereas these expressions suffice for yes/no and read/write permissions, they cannot represent more complex rules nor invoke regulation-specific concepts. This paper describes an extension of the ACL language and algorithm to implement consent and data requests. The extension is based on the Open Digital Rights Language (ODRL) policy language, which allows expressing rich rules, and the Data Privacy Vocabulary (DPV), which permits invoking privacy and data protection-specific terms. Some usage examples illustrate this proposal.

Author(s): Soheil Human - University of Economics and Business, Austria; Mandan Kazzazi - Vienna University of Economics and Business, Austria;

Consent plays an essential role in different digital regulations, such as the European General Data Protection Regulation (GDPR). As a result, obtaining consent from data subjects (e.g. end-users or end-customers) are widely practised by many data controllers (e.g. service providers, companies, or organisations). Considering the importance and the widespread practice of consent-obtaining in different domains, critical and interdisciplinary studies of the current consent-obtaining mechanisms are highly needed. In this paper, we first shortly discuss an interdisciplinary human-centric perspective to consenting and propose that, among others, the contextuality of consent, as well as the potential intersectionality of consent, should be carefully considered in the development of consent-obtaining mechanisms. Then we elaborate on the distinction between “consent to personal data processing for commercial purposes” and “consent to personal data donations intended for research” in the field of direct-to-consumer genetic testing (DTC-GT). We show that based on our human-centric perspective, the contextuality and intersectionality of consent are sometimes overlooked in the current DTC-GT services, which are of considerable significance in the emerging genetic data markets. We hope that this paper can contribute towards the development of human-centric, accountable, lawful, and ethical (HALE) sociotechnical information systems dealing with consent and privacy management as fundamental building blocks of a sustainable digital economy.

Author(s): Marietjie Botes - IRiSC, Snt University of Luxembourg, Luxembourg; and Arianna Rossi - IRiSC, Snt University of Luxembourg Luxembourg

With emerging technologies such as genome research and the digitization of health records comes the need for new models of informed consent. In this climate of innovation people are often prone to explore the latest technological advancement as possible solutions, including for informed consent. In this paper, we present the design and evaluation of a so-called low-tech informed consent solution that was designed specifically for the informational and cultural needs of a vulnerable indigenous population, i.e., the San of South Africa. This low-tech solution took the form of a comic and, although it could enhance understanding and identification, the costs and labour intensity of comic design and the deriving limitations on its scalability should be critically considered in the light of a digitised and more standardized solution.

Author: Vitor Jesus - PrivDash, UK

This position paper present and discusses new requirements for Privacy and Data Protection. We first raise misalignments of current Privacy regulations; from it, we propose the Start-from-the-End approach to online Privacy by putting the focus on the later stages of the lifecycle of Personal Data and, thus, re-empower the user at all stages