12.19 Terms And Conditions Markup Language for Privacy Policy Manager
12.19.1 Description
Given different legal jurisdictions and individual preferences, there is a need to at least semi-automate the process of configuring privacy preferences and agreeing to Terms and Conditions (T&Cs). Otherwise the user (data subject) would have to agree to multiple T&Cs, and each smart device and service would need its own GUI that the user would have to access and configure by hand to set their privacy preferences. A better way forward would be to allow the profile owner to configure a single set of profiles (house, work, personal, parental, legal etc.) so that, as a new smart device or service is added:
- A. Where the terms and conditions fall within the parameters set in the user's profile, the device can be automatically authorised (with a notification to the user). If the T&Cs do not fall within the parameters set, only the differences (as a delta to the user's profile) are presented to the user for authorisation, with the exception of the parental/legal profile, which the user will not be able to override; only the profile owner (e.g. parent/local government respectively) can override it.
- B. The user's privacy settings from their profile can be automatically configured where relevant, with a confirmation notification to the user. Where it is not possible to fully configure the relevant security controls, the user is alerted and can decide manually.
To make this possible we need to be able to convert Terms & Conditions and privacy settings into a standard mark-up language that can be understood by smart devices and translated into a human-readable format. Another advantage is that this mark-up language would allow standard translations into multiple human languages, allowing new compliant devices to be rapidly brought to market in multiple countries. Customers could also shop for devices and services that meet their requirements, such as meeting their defined minimum level of data encryption, thus allowing businesses to more easily market the high-value features of their products to mass-market customers.
Consider someone buying a prebuilt new home in the year 2025. The buyer will be looking at a home with integrated smart sensors and smart home appliances, each selected by the builder or their subcontractor. Each of these will potentially have a separate set of terms and conditions: the oven, fridge, washing machine, security motion sensor, fire alarm etc., just in an integrated kitchen alone. Currently, the legal paperwork the builder has to provide to a buyer mainly focuses on legal liabilities governed by law, which the buyer's solicitor will check on the buyer's behalf for any issues.
In 2025 the buyer will also have to go through potentially dozens of sets of T&Cs before purchasing the property. The buyer may also need to check these with their insurer (e.g. who can access alarm data) and mortgage company, as they could affect the value of the property (compare the issues with zero-priced solar panels and roof leases in the UK, an example involving devices). In addition to the smart devices, which may be tied to a specific service selected by the builder such as electrical power and water, the builder may have selected other services such as fire and security monitoring services that are pre-configured as part of the smart home.
[The builder may have selected these because they provide free trials the builder can use to demonstrate the features, because they may be required to by law (energy), because of their own backers (such as banks funding the development wanting fire/security monitoring to protect their investment), because the smart device makers may offer a discounted price in return for connecting the service, or because the builder may be provided with financial incentives to "install" a service by a specific company. Service providers will have a business interest in getting builders to pre-select and configure their services on the grounds that inertia selling will convert a percentage of home buyers into customers.]
The home purchaser will have to read through all the terms and conditions*, decide which they agree with and which they do not, then go through the process of disabling each of the devices/services whose T&Cs they do not accept, and add their own selected services before configuring the devices and services how they want. In theory, as each of the devices and services is gathering data about the new owner, they should suspend their operation until the user has formally provided informed consent to the T&Cs in accordance with local laws.
This will require that smart devices and services do the following:
- Announce their presence to the new owner.
- Be able to display their terms and conditions directly to the user.
- Have some way for the new owner to accept the terms and conditions.
- Configure the new owner's preferences.
- Be able to receive a revocation-of-permissions command and delete the user configuration, so that the above steps are triggered again.
Another option would be for all machine-to-machine devices to be able to communicate this information to a control device selected by the user, e.g. a smartphone.
12.19.2 Source
REQ-2015-0619R02 Terms And Conditions Markup Language for Privacy Policy Manager
12.19.3 Actors
Names are based on the current European Union (EU) data protection definitions.
- Data subject. The living individual about whom the data is captured. May or may not be the data owner.
- Data owner. The individual who owns the data, e.g. the home owner. Can be the data processor or a separate entity. [But we also need to account for non-EU companies who may believe they own the data.]
- Data processor. The entity who processes the data on behalf of the data owner.
12.19.4 Pre-conditions
None
12.19.5 Triggers
None
12.19.6 Normal Flow
- The profile owner configures a single set of profiles (house, work, personal, parental, legal etc.).
- A new smart device or service is added:
- Where the terms and conditions fall within the parameters set in the data subject's profile, the device can be automatically authorised (with a notification to the data subject).
- If the T&Cs do not fall within the parameters set, only the differences (as a delta to the data subject's profile) are presented to the data subject for authorisation.
- The data subject will not be able to override the parental/legal profile. Only the profile owner (e.g. parent/local government respectively) can override it.
- The data subject's privacy settings from their profile can be automatically configured where relevant, with a confirmation notification to the data subject.
12.19.7 Alternative flow
Where it is not possible to fully configure the relevant security controls, the data subject is alerted and can decide manually.
12.19.8 Post-conditions
The data subject has given or refused informed consent for data capture for each oneM2M service based only on the deltas between each new service and the terms and conditions already accepted.
12.19.9 High Level Illustration
The concept of a Privacy Policy Manager (PPM), as described in TR-0016 [i.20], is:
"The PPM had been adapted to large scale HEMS (Home Energy Management System) as trial, and they had started evaluation of PPM effectiveness.
The PPM is based on the following two main concepts:
- Based on 'Privacy by Design', Inclusion in the architecture of a personal data distribution base.
- Based on 'Privacy First', the provision of an "end users function" by which end users can manage their own personal data distribution according to their privacy preferences."
An overview of the proposal is shown below (Data Provider is the equivalent of Data Subject in EU data protection legislation).
Figure 12.19.9-1 Terms And Conditions Markup Language for Privacy Policy Manager
12.19.10 Potential requirements
- The oneM2M system shall store and process privacy preferences in an interoperable manner.
- The oneM2M system shall support privacy profiles at various levels to care for conditions of legal requirements, manufacturers, and data subjects.
- The oneM2M system shall be able to prioritise privacy profiles where there is a conflict between profiles (legal profile takes priority over data subject profile, for example).
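As an added example (not code from the oneM2M use case or from TR-0016), the following Python models the Normal Flow above and the last two potential requirements: a device's machine-readable T&Cs are checked against a stack of profile layers, the delta of unsatisfied parameters is computed, and a conflict with the legal or parental layer takes priority over the data subject's own profile. The attribute names, the profile layers, the encryption ranking and the sample oven T&Cs are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical ranking so "at least this strong" comparisons work on the T&C value.
ENCRYPTION_RANK = {"none": 0, "aes128": 1, "aes256": 2}
# Profile layers the data subject cannot override; only the profile owner can.
LOCKED_LAYERS = {"legal", "parental"}

@dataclass
class Profile:
    layer: str                                  # "legal", "parental", "house", "personal"
    min_encryption: str = "none"
    max_retention_days: int = 10**9
    allow_third_party_sharing: bool = True
    allowed_purposes: frozenset = frozenset()   # empty means no restriction

def evaluate(terms: dict, profiles: list) -> dict:
    """Compare parsed machine-readable T&C against every profile layer; return the
    decision plus a delta of (layer, attribute, required, offered) per failed check."""
    delta = []
    for p in profiles:
        if ENCRYPTION_RANK[terms["encryption"]] < ENCRYPTION_RANK[p.min_encryption]:
            delta.append((p.layer, "encryption", p.min_encryption, terms["encryption"]))
        if terms["retention_days"] > p.max_retention_days:
            delta.append((p.layer, "retention_days", p.max_retention_days, terms["retention_days"]))
        if terms["third_party_sharing"] and not p.allow_third_party_sharing:
            delta.append((p.layer, "third_party_sharing", False, True))
        extra = set(terms["purposes"]) - p.allowed_purposes if p.allowed_purposes else set()
        if extra:
            delta.append((p.layer, "purposes", sorted(p.allowed_purposes), sorted(extra)))
    if not delta:
        decision = "auto-authorised"      # device enabled; data subject only notified
    elif any(layer in LOCKED_LAYERS for layer, *_ in delta):
        decision = "blocked"              # legal/parental conflict wins over personal
    else:
        decision = "consent-required"     # show the data subject just the delta
    return {"decision": decision, "delta": delta}

# Constructed sample: a legal layer plus the data subject's own personal layer.
PROFILES = [
    Profile("legal", min_encryption="aes128", max_retention_days=730),
    Profile("personal", min_encryption="aes128", max_retention_days=365,
            allow_third_party_sharing=False, allowed_purposes=frozenset({"operation"})),
]
# Constructed sample T&C for a smart oven, as the device would announce them.
OVEN_TERMS = {"encryption": "aes128", "retention_days": 400,
              "third_party_sharing": True, "purposes": {"operation", "marketing"}}

if __name__ == "__main__":
    print(evaluate(OVEN_TERMS, PROFILES))
```

With the sample oven T&Cs only the personal layer is violated, so the outcome is "consent-required" and the data subject sees three delta entries rather than the whole T&C; had the encryption fallen below the legal minimum the outcome would be "blocked" regardless of the personal profile.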