Content for TS 33.501 Word version: 18.4.0
1…
4…
5…
5.3…
5.9…
5.10…
6…
6.1.3…
6.1.4…
6.2…
6.2.2…
6.3…
6.4…
6.5…
6.6…
6.7…
6.8…
6.9…
6.10…
6.11
6.12…
6.13
6.14…
6.15…
6.16…
7…
7A…
7A.2.3…
7B…
8…
9…
10…
11…
12…
13…
13.2.2…
13.2.4…
13.3…
13.4…
14…
15…
16…
A…
B…
C…
D…
E…
F…
G…
I…
I.9…
J…
K…
M…
N…
O…
P…
R
S…
T…
U…
V…
W…
X…
Y…
Z…
V User consent requirements and mechanisms
V.1 General
V.1.1 Scope
V.1.2 Relationship between end-users and subscriber
V.2 Requirements
V.3 User consent check
V.4 User consent revocation
...
...
V (Normative) User consent requirements and mechanisms |R17| p. 290
V.1 General p. 290
V.1.1 Scope p. 290
User consent can be required for 3GPP features depending on local regulations. Therefore, this Annex describes the generic security requirements and procedures to support user consent enforcement in 3GPP services. While the use cases can differ, the Annex focuses on the common and generic aspects related to the storage, checking and revocation of the user consent.
The user consent related requirements and mechanism in the present document are applicable only when it is required by regional regulations or operator's local policy, not otherwise.
The term data processing in this Annex is used to convey the same meaning as in [101].
V.1.2 Relationship between end-users and subscriber p. 290
It is assumed that the user consent is obtained from the end-users. The end-user(s) is the subscriber itself or authorize the subscriber to provide consent on behalf of the end-users. Alternatively, the end-users are authorized by the subscriber to provide the consent. That means user consent is always tied to the subscription information. How authorization is provided between the subscriber and the end-users is out-of-scope of this specification.
V.2 Requirements p. 290
The UDM shall support the following services related to the user consent.
- Retrieval of user consent parameters.
- Notification of user consent parameters change.
V.3 User consent check p. 290
Any NF that is deemed an enforcement point for user consent shall support to retrieve the user consent parameters from the UDM.
Any NF that is deemed an enforcement point for user consent shall not accept any services or requests for data processing unless user consent is granted.
Any NF that is deemed an enforcement point for user consent shall determine the purpose of data processing prior to the data processing. If the purpose of data processing is not implicitly known from the service request, the user consent enforcement point shall request it or otherwise deny the service.
NFs obtaining or checking the user consent parameters shall consider the user consent parameters as effective until revoked.
V.4 User consent revocation p. 291
Any NF that is deemed an enforcement point for user consent shall support subscription to the user consent parameter change notification provided by the UDM.
Consumer NFs (processing the data pertaining to user consent) shall subscribe to UDM for user consent parameter change notification, except if the consent enforcement NF that is deemed an enforcement point is tracking of those NFs and is actively informing those consumer NFs in case of user consent revocation.
Upon notification of user consent revocation, any NF that is deemed an enforcement point for user consent shall no longer accept any service request for data processing subject to a revoked user consent.
Upon notification of user consent revocation, any NF that is deemed an enforcement point for user consent may notify other NFs to halt the processing of the data subject to the revoked user consent.
Upon notification of user consent revocation, NFs (processing the data pertaining to the revoked consent) shall halt processing and collection of the data.
Upon notification of user consent revocation, NFs may delete, quarantine, or temporarily retain the data pertaining to the revoked user consent based on local policies and legal constraints.
