by Christos Papadopoulos (SLC)
In today’s digital systems, consent has grown far beyond a simple checkbox. It must function as a verifiable, auditable, and machine-readable agreement that works across many technologies and regulatory contexts. Within the CONSENTIS framework, this challenge inspired a focused objective: to design a machine-readable format for consent records that remains valid regardless of how consent is issued or stored.
A key idea behind this work was technological independence. Consent might be issued as a token, represented as a verifiable credential, embedded in a smart contract, or managed through other decentralised mechanisms. Instead of favouring any single implementation model, CONSENTIS seeks to define a representation capable of operating consistently across all of them. This decision reflects a broader reality of digital ecosystems, where infrastructures and standards evolve quickly and rigid designs can easily become obsolete.
Technological neutrality is particularly important in decentralised and self-sovereign environments. In such settings, there may be no central authority responsible for maintaining state or validating transactions. Consent therefore needs to remain interpretable, verifiable, and auditable even when interactions occur directly between peers. The schema must preserve meaning and trust without relying on a specific storage layer or protocol.
To build a solid conceptual foundation, the task adopted a standards-driven approach. Part of the design drew from ISO/IEC 27560 [1] and the Data Privacy Vocabulary (DPV) [2]. ISO/IEC 27560 provides a structured and technology-agnostic framework for consent record information, with clear attention to terminology, lifecycle, and accountability. DPV complements this by offering rich semantic constructs for describing privacy-related concepts in a way that aligns closely with the General Data Protection Regulation (GDPR) [3] and European data governance initiatives.
A significant part of the work involved analysing consent as a lifecycle rather than a static event. Consent may be issued, validated, verified, withdrawn, expired, or revoked. Each of these transitions carries operational and legal implications. When applied to decentralised systems, lifecycle management becomes even more critical, since verification and auditability must be preserved without assuming central control.
The core modelling effort centred on mapping concepts between ISO/IEC 27560 and DPV. This mapping process helped identify where the two specifications overlapped, where gaps existed, and where interpretations required adjustment. Importantly, not every concept was adopted directly. Design choices were guided by the need to balance regulatory alignment, semantic clarity, and practical feasibility. Some elements were retained as defined in the standards, others were refined or simplified, and certain aspects were intentionally excluded to avoid unnecessary complexity.
The outcome of this process is a CONSENTIS-specific schema design for consent representation. The schema emphasises technology independence, interoperability, decentralisation readiness, and ease of implementation. It supports consistent consent handling across heterogeneous architectures by separating consent semantics from the technical mechanisms that enforce or store consent.
As digital identity systems, data spaces, and decentralised infrastructures continue to develop, such flexibility becomes increasingly valuable. Consent must remain understandable and trustworthy even as technologies shift. The CONSENTIS approach illustrates how established standards can be combined, adapted, and refined to meet emerging requirements while preserving legal and semantic integrity.
[1] https://www.iso.org/standard/80392.html
[2] https://dpvcg.org/
[3] https://gdpr.eu/