Data exchange safeguards: digital public infrastructure needs enforceable consent withdrawal, not interface toggles
- Ott Sarv
- Aug 14, 2025
- 3 min read
Updated: 6 hours ago
Digital public infrastructure is being sold as a shortcut to better government. The World Bank popularised a useful framing: identification, payments, and data exchange, with safeguards for personal data protection like consent. Yet, in many programmes, those safeguards are reduced to interface choreography. A person taps a screen, a setting flips, and the system claims consent has been withdrawn.
That is not withdrawal. That is a user interface narrative.
The moment a system enables data exchange across agencies and vendors, consent withdrawal becomes a network obligation. It must constrain processing beyond one channel, and it must do so in a way that can be proved. The European Commission states that once consent is withdrawn, the organisation can no longer process the data on that basis and must delete it unless another legal ground applies. The European Data Protection Board similarly emphasises that withdrawal must be easy and must not undermine prior lawful processing.
Data exchange safeguards require enforceable consent withdrawal
Data exchange safeguards are only credible when withdrawal is enforceable, meaning it produces a binding stop condition for the affected purpose and can be evidenced across the ecosystem, not just inside one application.
The legal expectation is not exotic. Article 7 of Regulation (EU) 2016/679 sets a clear baseline: the data subject can withdraw consent at any time and it must be as easy to withdraw as to give. The operational expectation is equally direct: if your programme relies on consent for a purpose, then withdrawal must stop processing for that purpose, not merely update a preference screen.
Why interface toggles fail at ecosystem scale
A toggle typically changes a local setting. It rarely changes the reality of data flows.
DPI reality | What the toggle changes | What withdrawal must change |
Data moves across agencies and suppliers | A user-facing state in one channel | The right of those actors to continue processing under the withdrawn consent |
Data is copied into caches, exports, and analytics pipelines | A flag in one database | The enforceability of continued use for the withdrawn purpose |
Decisions are made based on data received earlier | A profile setting | Whether reliance must stop, and whether remedial steps are triggered |
What enforceability must prove
If a withdrawal is contested, investigated, or audited, the programme needs proof that survives outside a product team’s logs.
Question an investigator will ask | Minimum evidence artefact | Why it matters for data exchange safeguards |
What exactly was withdrawn | A consent record identifier plus the scope of the withdrawal | Prevents ambiguity that lets processing continue by default |
Which purpose must stop | A purpose identifier tied to the original consent | Stops silent continuation for some purposes under a generic switch |
Who must stop relying | Receiver scope that identifies affected recipients and processors | Makes propagation explicit rather than informal |
When the stop took effect | A timestamped effective time | Prevents disputes about whether continued processing was permitted |
Whether it actually stopped | Action receipts from enforcing systems | Converts compliance claims into verifiable effect |
Withdrawal should behave like an event, not a setting
A workable design treats withdrawal as a revocation event that propagates across the same rails that enabled the original data exchange. The consent record must be referenceable, portable, and lifecycle-managed so that withdrawal can be applied consistently across systems.
ISO/IEC TS 27560:2023 specifies an interoperable consent record information structure intended to support consent records, consent receipts, exchange of consent information between systems, and lifecycle management. In practical terms, it supports a more disciplined question: can your ecosystem carry a withdrawal with the same certainty that it carries an eligibility check or a verification response.
The policy consequence
DPI succeeds when rights survive scale. A withdrawal that works only on a screen will fail precisely when the ecosystem grows, when data is reused farther from its source, and when decisions become harder to reverse.
If a programme claims data exchange safeguards, it must deliver enforceable consent withdrawal: scope-bound, purpose-bound, propagated, and evidenced. Otherwise, the safeguard is cosmetic, and the infrastructure will scale risk faster than it scales accountability.
Comments