Digital consent: A foundation for a human-centric digital society
This article is written by Ain Aaviksoo (Estonian Telecommunications Union), Benjamin Balder Bach (Independent consultant, fmly Danish Tax & Revenue), Lal Chandran (MyData Sweden) and Philippe Page (MyData Switzerland)
In this article, we introduce our ongoing work at GovStack with Consent Building Block (BB), including the key decisions we put in our architectural requirements for handling digital consents. Consent Management is underestimated as a seemingly simple formality, which appears notoriously difficult and nuanced if appropriately implemented. As the GovStack initiative requires a solution implemented today to fulfil the need for the safe digital transformation of government services worldwide, we can’t wait for a perfect solution. However, we hope this early work inspires readers and decision-makers, in general, to prepare for a comprehensive and more ambitious future for digital consent to be used globally.
GovStack constituted a working group in September 2021, tasked with delivering a “building block” specification for consent management that fits a larger puzzle of building blocks for government digital services. Our findings are relevant for any government defining its digital services, regardless of the government’s and citizens’ existing services, jurisdiction or economic context. We see this as a global perspective on digital consent — and a fresh one.
As Lawrence Lessig has previously established (known as Lessig’s “modalities of regulation”, the Internet is regulated by multiple forces. The same is valid for digital consent as well. The key drivers for digital consent include 1) Data laws, 2) Ethics and norms, and 3) Standards and architectures.
Data laws, of which GDPR is perhaps one of the most sophisticated legal frameworks, may define the rules of personal processing information. It has been one of the key considerations for us, too. However, not everywhere GDPR is implemented similarly; therefore, the building block (BB) also needs to be able to support different kinds, and maybe lighter ways, to implement the consent services. The second key driver is ethical norms that are prevalent in any society. These may be based on certain standards or ethical norms such as, e.g., MyData or FAIR Data Principles. Finally, consent is also influenced by standards developed over time, starting with, e.g., Kantara standards.
Based on the above key drivers, in the GovStack context, we define consent as:
“a voluntary declaration by an individual to approve the processing of their personal data. It is one specific justification for personal data processing that is assumed to be required by legal, ethical or standard conditions. It assumes that the person can decide on processing their personal data, managed in and by other GovStack BBs and that they are free to withdraw their consent at any time.”
This means that for the individual, the Consent should be freely given, informed, and unambiguous and that the person is free to withdraw their consent at any time. It is the obligation of the organisation responsible for the data processing (aka data controller as per the GDPR) to make sure that such consent has been signed between them and the individual before data processing. It is essential to understand that consenting is just one specific, albeit increasingly important, justification for personal data processing.
How does this definition of consent make a difference?
The approach protects the digital rights of individuals while ensuring that organisations can process data fulfilling their regulatory obligations. Contemporary consent tools converge with a data owner’s perspective of tackling legislative requirements, as often seen in today’s “Consent Management Platforms”. We are advocating for a human-centred point of view in a global context where the core definition of informed consent does not directly aim at tracking and analysing user data. This starts with an understanding of the consent life-cycle supported by data models that grant us a set of critical properties of consent: It must be auditable, withdrawable, tamper-proof and based on a set of data policies supported by the law of the land. The latter is a crucial addition we introduced to our model of consent — it enables us to fit any implementation within a specific context and still be compatible with the consent services in a different jurisdiction.
The GovStack Consent Building Block specifications and related documents are publicly available. In addition, the latest version of the specification will be published soon on the GovStack BB page. The page publishes all building blocks as part of the GovStack.
Further reading
- A MyData perspective on GovStack’s consent building block has been presented in the public event “Accelerating digital transformation in the public sector globally”: https://www.youtube.com/watch?v=WIWt2JRxcdA
- MyData’s blog post “Advocating for human-centric consent — MyData joins GovStack Initiative.”: https://www.mydata.org/2022/02/14/advocating-for-human-centric-consent-mydata-joins-govstack-initiative/
About GovStack
GovStack is a global initiative to accelerate the digital transformation of government services. Our vision is that in five years, we can empower governments to take ownership of their digital futures by building more effective and cost-efficient digital government services.
Governments struggle to keep pace with the digitalisation trend due to budget constraints, the coordination between agencies and siloed digitalisation investments. GovStack solves these problems by developing specifications for reusable software components called “building blocks” that can be used to inform design in various e-government services. Existing solutions will be analysed regarding their compliance with GovStack’s specifications, and new products can be developed based on them and facilitating market linkage to proven solutions demonstrating this concept.
Continue reading on the GovStack website.
