<aside>
⚠️
Focus: This report describes safety, security, and privacy considerations arising when DPV (and DPV:27560 guidance) is used to model digital identification and consent/notice evidence without capturing scope of authority and notice-first constraints.
Primary issues referenced:
- Scope of authority gap: ‣
- Consent receipt misuse risk narrative: ‣
- EU digital identification regulatory stack mapping: ‣
</aside>
1. Executive summary
This report identifies a systemic failure mode in machine-readable privacy and consent modeling: legal basis assertions and “consent receipt” artefacts can be represented without proving that the asserted legal basis is valid in context (authority + scope) and without proving notice occurred before identification and processing.
When these constraints are absent, DPV modeling can unintentionally enable:
- Surveillance-by-default extraction to be wrapped in “compliance-shaped” metadata.
- Misapplication of legacy data protection interpretations to internet-scale digital identification governance.
- Reduced accountability because people and regulators cannot reliably verify what happened, when it happened, and under what authority.
2. DPV:27560-specific failure mode (ISO/IEC 27560 consent record → surveillance record)

2.1 Problem statement
DPV:27560 guidance risks encoding a structural category error: treating a controller-side PII processing record as if it were consent evidence.
When the model allows identifier-first recordkeeping, the resulting artefact functions as a surveillance record: an information structure that can be presented as “consent” (or “privacy receipt”) even when meaningful choice never occurred.
2.2 What the record must prove (minimum)
For a DPV:27560 artefact to be defensible as consent evidence (where consent is the legal basis), it must prove:
- Notice-first: controller identification + terms were disclosed before any identifier binding event and before any dpv:Collect/dpv:Use.
- Authority + scope: the asserted legal basis is valid in the stated jurisdiction and for the stated competence (mandate/contract/legitimate interest/consent), including constraints.
- No covert tracking enablement: any tracking/identifier technology included in the record must itself be disclosed and governed (purpose, recipients, retention, and the authority for its use).
- Reciprocity: evidence must be retainable by the individual (not controller-only).
- Integrity: the evidence chain must be tamper-evident (anchored/signed sequencing).
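The five minimum proofs above can be checked mechanically over an ordered event log. The following is an added example, not code from this report, DPV, or ISO/IEC 27560. The event layout, the field names (`legal_basis`, `disclosed_identifiers`, `identifier_tech`) and the `IdentifierBinding` event type are assumptions, and the authority check only tests that a basis, jurisdiction and scope are stated, not that they are legally valid.

```python
import hashlib, json

GATED = {"IdentifierBinding", "dpv:Collect", "dpv:Use"}  # must follow the notice
GENESIS = "0" * 64

def digest(ev):
    """SHA-256 over canonical JSON of the event, excluding its own hash."""
    body = {k: v for k, v in ev.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def chain(events):
    """Hash-chain events in order; in practice the head would be signed or anchored."""
    prev, out = GENESIS, []
    for seq, ev in enumerate(events):
        ev = dict(ev, seq=seq, prev=prev)
        ev["hash"] = prev = digest(ev)
        out.append(ev)
    return out

def check_record(events, held_by_individual):
    """Return the sorted list of section 2.2 requirements the record fails to prove."""
    failed, prev, notice = set(), GENESIS, None
    for ev in events:
        if ev.get("prev") != prev or ev.get("hash") != digest(ev):
            failed.add("integrity")
        prev = ev.get("hash")
        if ev["type"] == "Notice" and notice is None:
            notice = ev
        elif ev["type"] in GATED:
            if notice is None:
                failed.add("notice-first")
            tech = ev.get("identifier_tech")
            if tech and tech not in (notice or {}).get("disclosed_identifiers", []):
                failed.add("covert-tracking")
    basis = (notice or {}).get("legal_basis", {})
    if not all(basis.get(k) for k in ("type", "jurisdiction", "scope")):
        failed.add("authority-scope")
    if not held_by_individual:
        failed.add("reciprocity")
    return sorted(failed)

# Constructed sample events (not taken from any real record).
NOTICE = {"type": "Notice", "controller": "Example Controller Ltd",
          "legal_basis": {"type": "consent", "jurisdiction": "EU", "scope": "account login"},
          "disclosed_identifiers": ["session-cookie"]}
BIND = {"type": "IdentifierBinding", "identifier_tech": "session-cookie"}
COLLECT = {"type": "dpv:Collect", "identifier_tech": "device-fingerprint"}

GOOD = chain([NOTICE, BIND, {"type": "dpv:Use"}])
IDENTIFIER_FIRST = chain([BIND, COLLECT, NOTICE])
```

`check_record(GOOD, True)` returns an empty list, while the identifier-first log fails notice-first, covert-tracking and, when only the controller holds it, reciprocity.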
2.3 Specific DPV:27560 risk signals (from the ISO/IEC 27560 pattern)