A Digital Forest Charter for the Age of the Data Barons
Data crosses borders faster than enforcement can follow. The answer is not new rules but legible evidence that travels with the interaction: a digital receipt for the age of the Data Barons. Here is the Internet Transparency Stack and the coalition building it.
The problem is not the rules. It is that you cannot see them.
Your data crosses borders faster than any regulator can follow it. By the time a transfer is questioned, the data has already moved through a dozen systems in a dozen jurisdictions, each one asserting compliance, none of them handing you anything you can hold in your hand to check. The rules exist. Convention 108+ binds 55+ jurisdictions. The OECD privacy guidelines have stood for decades. UN General Assembly Resolution 68/167 affirmed the right to privacy in the digital age. The rules are not the gap.
The gap is that the rules are invisible at the moment they matter: before you identify yourself, and before your data crosses a border. You cannot see who is accountable. You cannot see what they will do with what they take, or under whose authority. And when an AI system banks your knowledge and trains on it without your consent, there is no receipt, no record, nothing that travels with the interaction to make any of it inspectable later.
This is the difference between dirty AI and clean AI. Dirty AI takes without notice and asks you to trust the assertion. Clean AI gives you evidence you can hold. We call the second condition Trustparency: transparency strong enough to support an enforcement decision, not just a compliance checkbox.
History already showed us how this gets fixed
Invisible power gets corrected the same way every time. Not by rules alone, but by legible evidence that travels with the interaction.
The Land Barons, 1217. The Magna Carta named the rules. But rules alone did not stop the enclosure of common land. What changed daily life was the Forest Charter: a public sign placed at the boundary of private land, so that a person crossing it could see who owned it and under what authority. Transparency over the rules, not just the rules.
The Robber Barons, the industrial age. New technology (commercial paper and industrial banking) created invisible money management. Banks took deposits and invested them without disclosure, until the system collapsed. What restored stability was not more rules. It was scalable evidence: double-entry accounting, the transaction receipt, oversight that operated at the scale of the whole financial system. The receipt is what made the bank accountable to the depositor, not only to the regulator.
The Data Barons, now. AI systems and digital identification technologies extract and move personal data across borders without meaningful notice or consent. The actors have changed and the scale is transnational, but the shape of the problem is identical, and so is the solution. We need a digital Forest Charter. We need the receipt for the data age.
Four things that must be inspectable
The Internet Transparency Stack answers one question: what is the minimum that must be inspectable before identification is demanded and before data crosses a border? The answer is the same four things that have always been in the receipt, across every era.
- Who is accountable. A Controller Identification Record: the entity responsible for this processing, resolvable and inspectable before any individual identifies themselves.
- What for, and under what authority. A machine-readable notice: purpose, legal basis, and scope, declared upfront and versioned.
- That the notice was actually issued. A Notice Event Log: an append-only record of when the notice was issued, when it changed, and what changed.
- Proof of disclosure. A Notice Receipt: verifiable evidence that this notice, at this version, was presented at this time. The digital equivalent of the bank receipt.
These are not abstractions. They are the minimum viable transparency infrastructure for a world in which data moves faster than enforcement can follow.
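How the four artefacts can bind to one another, as an added example that is not the Internet Transparency Stack's own code or the ISO/IEC TS 27560 schema: a hash-chained Notice Event Log and a Notice Receipt that commits to one log entry. The field names, sample notices and demo key are assumptions, and an HMAC stands in for the digital signature a controller would use.

```python
import hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key"   # assumption: stands in for a controller signing key
GENESIS = "0" * 64
# Constructed sample notices (hypothetical field names)
NOTICE_V1 = {"version": "1.0", "purpose": "research session",
             "legal_basis": "consent", "scope": "session notes"}
NOTICE_V2 = {**NOTICE_V1, "version": "1.1", "scope": "session notes and audio"}

def digest(obj):  # SHA-256 over canonical JSON, so equal content hashes equally
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_event(log, controller_id, notice, issued_at):
    """Append a notice event that commits to the previous entry's hash."""
    entry = {"seq": len(log), "controller_id": controller_id,
             "notice_version": notice["version"], "notice_hash": digest(notice),
             "issued_at": issued_at,
             "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """True only if every entry is intact and chained to its predecessor."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["seq"] != i or e["prev_hash"] != prev or digest(body) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def _tag(body):
    return hmac.new(DEMO_KEY, digest(body).encode(), hashlib.sha256).hexdigest()

def issue_receipt(entry, presented_at):
    """Receipt binds controller, notice hash and version, log entry and time."""
    body = {k: entry[k] for k in ("controller_id", "notice_version",
                                  "notice_hash", "entry_hash")}
    body["presented_at"] = presented_at
    return {**body, "tag": _tag(body)}

def verify_receipt(receipt, notice, log):
    """Check the tag, the notice text, and that the log still holds the entry."""
    body = {k: v for k, v in receipt.items() if k != "tag"}
    return (hmac.compare_digest(_tag(body), receipt["tag"])
            and digest(notice) == receipt["notice_hash"] and verify_log(log)
            and any(e["entry_hash"] == receipt["entry_hash"] for e in log))
```

Because the tag here is symmetric, only the key holder can check it; a deployment in which individuals and regulators verify receipts themselves would sign with an asymmetric key instead.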
The stack
The image above is the whole argument in one picture: six layers, each one making the layer below it inspectable in practice.
At the foundation sit the standards: ISO/IEC TS 27560:2023 and PWI 26689, the Universal Notice Receipt Profile now in development, anchored to Convention 108+. Above them is the controller-side infrastructure that publishes the identification record, the notice, and the event log, live today. Above that, the personal-side control surface, where an individual receives those signals and exercises their rights. Then the registry and badge, a verification layer that reflects live state and can be checked by individuals and regulators alike.
Layer 5 is the one we are building toward: the Internet Transparency Code of Practice, in draft, setting out implementation guidelines for cross-border processing that regulators in different jurisdictions can reference and implementers can deploy without bespoke negotiation. Layer 6 is the reason the whole stack exists: enforcement capacity, machine-readable evidence that a regulator can audit at internet scale, across borders, without custom integrations.
One point of discipline, because it matters. The Code of Practice does not create new obligations. It is not an alternative to the law. It is an implementation of obligations that already exist under Convention 108+, the OECD guidelines, and the UN framework, and it makes them inspectable, portable, and enforceable across borders. It is how the law finally becomes visible at the boundary.
The coalition
No single institution can build this, and that is the point. The coalition that makes it real is the same kind of coalition that solved every previous version of the problem. It works in sequence: a treaty-grade baseline, then the standardisation machinery, then the adoption trajectory.
The Council of Europe brings the baseline. Convention 108+ already requires transparency, proportionality, and accountability across 55+ jurisdictions, with binding obligations and real enforcement infrastructure behind it. This work is anchored there, at Convention 108+ and its Article 14 mechanism for cross-border transfer.
ISO/IEC JTC 1/SC 27/WG 5 brings the standardisation machinery: interoperable definitions, conformance criteria, and the evidence artefacts that can be implemented globally. TS 27560:2023 is the published anchor; PWI 26689 is the active work that closes the gap.
The UN system is the proposed trajectory: the convening power and the adoption pathway that could let states align cross-border practice so that protection scales across regions. UN Resolution 68/167 already supplies the moral authority. The work of elevation is the work ahead, which is why we describe this as the Internet Transparency Code of Practice toward UN adoption, carried through the WG5 liaison rather than asserted before its standing is earned.
Together the principle is simple: no identification without accountability, and no cross-border transfer without inspectable conditions.
The proof is already in progress
This is not a proposal looking for evidence. The evidence is being produced now.
Over the summer, Transparency Lab and 225IEG are running three ethnographic research sessions at the Centre for Social Innovation in Toronto, on June 30, July 14, and August 4. Five to ten participants each. The transparency infrastructure runs live in the room. Participants are co-researchers, not subjects: they receive a real notice before the session begins, they can download a receipt as evidence of what was disclosed, and they can exercise their rights through the personal control surface. Even the AI agent supporting the research is declared in the notice, operating under the same transparency obligations as the people running it.
The research question is the one that decides everything: what does it actually feel like to encounter evidence-based transparency, and what would make you trust it?
This is the difference between a standard you propose and a standard working in the world. By the Council of Europe presentation in September, the stack will arrive with a published reference implementation, three sessions of evidence about what happened when real people met the signal, a tested personal control surface, and a draft Code of Practice grounded in what those people needed, not only in what lawyers require.
What this is, and what comes next
This is a Code of Practice, not a new law. It makes the transparency that Convention 108+, the OECD, and the UN framework already require into something you can inspect: a receipt that travels with the interaction, a record a regulator can audit, a signal an individual can hold.
What comes next is a formal liaison between the Council of Europe, ISO/IEC WG5, and the UN system, focused on an Internet Transparency Code of Practice for cross-border processing, cross-border signalling conventions backed by verifiable records, and a shared interoperability profile that regulators can reference and implementers can deploy.
The outcome we are building toward is Transparency by Default as the default state of the internet: not because it is mandated, but because the infrastructure finally makes it the natural, verifiable, enforceable condition.
Consent you can prove. Data control you can see. AI you can hold accountable. A digital Forest Charter for the age of the Data Barons.