0PN: Jan 28th Executive Report
Event: International Data Protection Day Webinar — 0PN Lab Launch
Date: January 28, 2026
Distribution: Tier 1 Members
Executive Summary
0PN Lab successfully launched as the international collaboration space for Digital Public Transparency Infrastructure (DPTI) on Convention 108+ International Data Protection Day. The 90-minute virtual panel convened leading transparency infrastructure specialists, regulators, and standards developers to address three converging crises: browser surveillance theater, AI data extraction without legal basis, and cross-border governance collapse.
Key outcome: Demonstrated operational readiness of standards-based transparency infrastructure 18 months ahead of market competition, with clear regulatory enforcement pathways through Convention 108+ Article 11 code of conduct authorization.
Strategic Context
Convention 108+ Treaty Status
33 of 38 ratifications complete — five countries away from binding international law. Article 11 authorization mechanism enables ISO/IEC 27560-1 Universal Notice Receipt Profile as treaty-backed regulatory infrastructure once treaty enters into force.
Commonwealth opportunity: 55+ jurisdictions representing 2.5 billion individuals create harmonized transparency infrastructure market.
Market Timing
Speaker Joanne Cooper (ID Exchange, GDTA founding member) confirmed 0PN Lab holds 18-month lead over closest competitor in deploying transparency-by-default architecture.
Three converging crises create regulatory urgency:
- Browser surveillance theater — Cookie consent fatigue masks permission systems that violate Convention 108+ Article 8.2 (controller identification before data collection)
- Mass AI data extraction — Training datasets scraped without legal basis or provenance records enable zero-accountability infrastructure
- Cross-border governance collapse — National data protection authorities lack audit capacity for international flows; complaint-driven enforcement cannot scale to internet speed
Technical Framework Presented
Digital Public Transparency Infrastructure (DPTI)
Mark Lizar (ISO/IEC 27560-1 Profile Editor) presented the Council of Europe Convention 108+ Code of Conduct, implemented with a Transparency by Default Code of Practice.
Four-pillar framework:
1. Controller-ID First Architecture
Transparency by Default (TbD) principle: controller disclosure precedes data collection. Convention 108+ Article 8.2 compliance through Controller Identification Record (CIR) at /.well-known/notice.txt.
2. Universal Notice Receipts (UNR)
Bilateral proof-of-notice replacing "trust us" privacy policies. Machine-readable records synchronized between controller and individual.
3. Notice Event Logs
Append-only audit trails enabling Glass Box governance model (comparable to banking transaction logs). Both parties verify authorization history; regulators audit using same records individuals access.
4. Transparency and Trust Assurance (TATA) Framework
72 configurations spanning:
- 3 data control vectors (Personal Control, Data Protection, Co-Regulation)
- 4 assurance levels (Self-Assertion → Registered Controller → ANCR → Active State High Assurance)
- 6 legal bases (Convention 108+ Article 5: Consent, Contract, Legal Obligation, Legitimate Interest, Vital Interest, Public Interest)
Current architectures operate across 4 control contexts. DPTI enables 24 transparent contexts (expanding to 72 configurations with TATA levels).
Speaker Contributions
Sharon Polsky — Privacy and Access Council of Canada (PACC)
Event moderator. PACC president and DPO certification partner with 1,500+ privacy professional network.
Key insight: Self-regulation failure necessitates flipping the script through standards-backed enforcement architecture.
Lisa LeVasseur — Internet Safety Labs
Product: App Microscope safety labels measuring empirical software behavior risks.
Transparency resistance pattern: "Nobody wants to admit they've seen our labels because then they'd have to act." Plausible deniability rather than overt opposition prevails. Products change or disappear after measurement.
Approach: Objective risk measurement infrastructure, not ethics compliance theater. Safety labels combine information and ingredient labels, doubling in scope during 2026 to include AI-related and dark pattern risks.
Sal D'Agostino — IDmachines, Kantara Initiative
Innovation: TPI-R (Transparency Performance Indicators) methodology for automated compliance assessment.
Live demonstration: Real-time AI-powered TPI report generation during presentation. Assessed healthcare site controller identification, notice timing, privacy access points, and security credentials against Convention 108+, GDPR, HIPAA, and sector standards.
Key distinction: "Humans manage consent, systems manage permissions." Conflating them enables surveillance architecture.
Technical validation: Open standards (ISO/IEC 29100, ISO/IEC 27560, NIST frameworks, W3C DPV) enable free infrastructure deployment without licensing overhead. AI tooling (Claude integration) generates TPI reports, privacy policy analysis, and consent receipt tokens from controller credentials.
Joanne Cooper — ID Exchange, GDTA Founding Member
Vision: Global Digital Transparency Alliance as multi-stakeholder coalition harmonizing siloed initiatives across open banking, health, insurance, and other sectors facing identical transparency problems.
Strategic approach: "Don't ask permission, deploy, then bang the drums." Grassroots demonstration bypasses lobby resistance. Private-public partnership model where private sector sets pace, government follows evidence.
Commonwealth strategy: Leverage harmonized legal frameworks across 55+ jurisdictions as initial deployment target.
Paul Knowles — Dynamic Data Governance
Innovation: Role-Based Containment for agentic AI. American Bar Association presentation (January 31, 2026).
Core concept: Ward as privacy boundary — bearer of consequence, locus of agency. Distinct from principal (accountability binding).
Technical architecture: Warrant token minting with single-use consumption enforced by warden compliance layer. Roles → Personas → Operations → Action Intents → Warrant Tokens → Warden Enforcement.
Legal-first strategy: Validate lawful architecture with lawyers before tech industry adoption to prevent surveillance-enabling misuse.
Regulatory Capacity Infrastructure
Evidence-Grade Enforcement
TPI-R methodology enables data protection authorities to:
- Audit controller transparency at scale through automated measurement
- Generate cross-border evidence admissible in multiple jurisdictions
- Shift from reactive complaint-driven model to proactive architectural oversight
Multi-lateral enforcement becomes operational through:
- Harmonized transparency standards (ISO/IEC 27560-1 as Convention 108+ Article 11 code of conduct)
- Synchronized notice event logs providing bilateral audit trails
- Controller registry infrastructure (UN/CEFACT, UK ICO 26-year registry precedent)
Glass Box vs Black Box Governance
Current model (Black Box): Controllers maintain exclusive visibility. Individuals have no authorization records. Regulators conduct forensic investigation per complaint.
DPTI model (Glass Box): Synchronized records between all parties. Individuals verify authorization history. Regulators audit using same infrastructure individuals access. Comparable to banking transaction visibility.
Business Model and Membership
Working Groups Launch
Authority with Consent & Permission (AuthC) Working Group — First meeting February 6, 2026. Open registration for Tier 1 members.
Additional working groups (Policy, Technology, Protocol) coordinate through Zulip platform.
Tier 1 Founder Rate
50% discount through March 31, 2026. Tier 1 membership aligns with TATA Level 1 (Self-Assertion): Controller uses open Universal Notice Receipt to deploy notice.txt, notice event log, and CIR.
Target metrics (Q1 2026):
- 50 Controller Identification Records deployed by late February
- 5 pilot programs in pipeline
- Sandbox environment operational
Partnership Value
- PACC: DPO certification program integration, regulatory community access
- ID Exchange: GDTA Australia hub coordination, Commonwealth deployment
- Internet Safety Labs: Safety label + TPI-R integration potential
- Kantara Initiative: TPI-R methodology co-development, standards body collaboration
Key Takeaways for Tier 1 Members
Technical Breakthroughs
- Controller-ID first replaces surveillance-by-default — Transparency-by-default architecture implements existing Convention 108+ Article 8.2 legal requirement through missing infrastructure layer
- Glass Box governance creates bilateral audit trails — Banking-comparable transparency without privileged controller-only visibility
- TPI-R automation enables regulatory oversight at scale — Objective measurement replaces complaint-driven enforcement bottleneck
- Role-Based Containment protects through boundaries — Architectural privacy protection for agentic AI, not control systems
Market Opportunity
- GDTA coalition consolidates fragmented initiatives — Open banking, health, insurance sectors face identical problems requiring common transparency standards
- Commonwealth-first deployment — 55+ jurisdictions with harmonized framework provide 2.5B individual market
- 18-month competitive lead — First-mover advantage in treaty-backed regulatory infrastructure
- Grassroots + demonstration strategy — Bypass lobby resistance through operational deployment and evidence generation
Regulatory Partnership
Convention 108+ Article 8.2 mandates controller identification before data collection. Legal requirement exists; infrastructure was missing. 0PN Lab provides complimentary regulatory capacity infrastructure enabling enforcement at scale.
Multi-lateral evidence coordination becomes possible through harmonized TPI-R reporting and synchronized notice event logs.
Available Now
- 0PN:GDTA DG Meeting registration — February 6 first meeting
- AuthC Working Group registration — February 6 first meeting
- TPI-R methodology access — Automated compliance assessment tools
- Notice.txt implementation guidance — Controller Identification Record deployment
- Sandbox environment access — Q1 2026 operational
Content Calendar
The February 2026 content pipeline launches with a launch recap (February 3) and a content roadmap covering technical implementation guides, regulatory analysis, and Commonwealth strategy briefs.
Members Resources
Full Event Audio: January 28 Launch Recording
Latest Technical Standards:
- Convention 108+ Transparency Code of Conduct (Council of Europe)
- ISO/IEC 27560-1 Universal Notice Receipt Profile (free and open access)
- ISO/IEC 29100 Privacy Framework (free and open access)
- W3C Data Privacy Vocabularies (DPV) Convention 108+ Legal Model
- Project Implementation / Integration / Interoperability