3. Scope and Applicability
3.1 What PCT governs
This specification governs the format, content, signing, verification, and audit of Privacy Claims Tokens. It applies to any processing operation, data transfer, or AI model interaction where a participating system chooses to implement PCT-based enforcement.
PCT applies to scenarios including, but not limited to, the following:
- Personal data processing operations subject to GDPR, UK GDPR, or equivalent frameworks
- Cross-border data transfers subject to adequacy decisions, standard contractual clauses, or equivalent transfer mechanisms
- AI model interactions where personal or sensitive data forms part of the input, context, or training pipeline
- Clinical data processing subject to HIPAA, EU Clinical Trials Regulation, or equivalent frameworks
- Financial data processing subject to DORA, FCA requirements, or equivalent frameworks
- Electronic communications processing subject to PECR or the EU ePrivacy framework
- Any data processing subject to national data localisation or sovereignty requirements
- Automated decision-making and profiling operations subject to Article 22 GDPR or equivalent provisions
3.2 What PCT does not govern
This specification does not govern:
- The content of the underlying policies, consents, or lawful bases that a PCT records. Those are the responsibility of the issuing organisation and its legal counsel.
- The technical architecture of systems that implement PCT verification. Implementers are free to use any technology stack consistent with the requirements of Section 6.
- Liability arising from incorrect claims within a PCT. The issuer bears responsibility for the accuracy of claims at the time of issuance; verification under Section 6 establishes that a token is authentic and unaltered, not that the claims it carries are true.
- The format or content of privacy notices, consent records, or records of processing activities (RoPAs), which remain governed by applicable regulatory frameworks.
3.3 Regulatory frameworks addressed
Version 0.1 of this specification explicitly addresses the claims requirements arising from the following frameworks. The extension namespace mechanism (Section 5.7) supports any framework not listed here.
| Framework | Key obligations addressed | Relevant PCT fields |
|---|---|---|
| GDPR / UK GDPR | Lawful basis, purpose limitation, data minimisation, consent, transfer restrictions, DPA notification obligations, Article 22 automated decisions | lawful_basis, allowed_purposes, consent_status, transfer_restrictions, data_categories, automated_decision_flag |
| EU AI Act | High-risk AI system obligations, transparency requirements, human oversight, prohibited use cases, training data provenance | ai_context.risk_tier, ai_context.human_oversight, ai_context.prohibited_use_check, ai_context.training_data_flag |
| HIPAA | Minimum necessary standard, permitted disclosures, PHI handling, Business Associate obligations, breach notification triggers | x-hipaa:minimum_necessary, x-hipaa:permitted_disclosure, x-hipaa:phi_flag, x-hipaa:baa_in_place |
| DORA | ICT risk management, operational resilience, third-party risk, incident reporting obligations for financial entities | x-dora:ict_risk_classification, x-dora:third_party_flag, x-dora:incident_trigger |
| UK Data (Use and Access) Act (DUAA) | Data access conditions, trusted research environment requirements, data intermediary rules | x-duaa:access_condition, x-duaa:trusted_research_env |
| PECR / UK PECR | Cookie and tracking consent, electronic communications data, direct marketing permissions | x-pecr:tracking_consent, x-pecr:comms_data_flag, x-pecr:marketing_permission |
| Other frameworks | Any national or sectoral framework may be addressed via extension namespaces using the x-{framework}: prefix convention | x-{framework}:{field} |
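The table above mixes three kinds of claim names: core fields such as lawful_basis, sub-fields of the ai_context object written in dotted notation, and extension fields using the x-{framework}:{field} prefix convention. A verifier that enforces on these claims needs to classify every name it receives and fail closed on anything it cannot classify, otherwise a misspelled or unregistered claim is silently dropped from the enforcement decision. The following is an added example, not code from this specification or any PCT implementation. It assumes that ai_context is carried as a nested object (the table's dotted notation is read as a path into it), that the verifier keeps a registry of extension namespaces it knows how to enforce, and that the {framework} and {field} parts are lowercase alphanumerics (with underscore permitted in the field); this section gives only the prefix shape, so the character set is an illustrative choice. The sample claims are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Core claim names taken from the Section 3.3 table (GDPR / UK GDPR row).
CORE_CLAIMS = {
    "lawful_basis", "allowed_purposes", "consent_status",
    "transfer_restrictions", "data_categories", "automated_decision_flag",
}
# Sub-fields of the ai_context object (EU AI Act row), read as a nested object.
AI_CONTEXT_CLAIMS = {
    "risk_tier", "human_oversight", "prohibited_use_check", "training_data_flag",
}
# Extension namespaces listed in the table. Assumption: the verifier keeps a
# registry so that a prefix it has no enforcement logic for is flagged.
KNOWN_EXTENSIONS = {"hipaa", "dora", "duaa", "pecr"}

# Assumption: the spec section only gives the "x-{framework}:{field}" shape;
# the permitted character set below is an illustrative choice.
EXTENSION_RE = re.compile(r"^x-([a-z0-9]+):([a-z0-9_]+)$")


@dataclass
class ClaimPartition:
    core: dict = field(default_factory=dict)
    ai_context: dict = field(default_factory=dict)
    extensions: dict = field(default_factory=dict)   # {framework: {field: value}}
    unregistered: set = field(default_factory=set)   # extension prefixes not in registry
    errors: list = field(default_factory=list)


def partition_claims(claims: dict) -> ClaimPartition:
    """Classify every claim name; anything unclassifiable is recorded as an error."""
    out = ClaimPartition()
    for name, value in claims.items():
        if name in CORE_CLAIMS:
            out.core[name] = value
            continue
        if name == "ai_context":
            if not isinstance(value, dict):
                out.errors.append("ai_context must be an object")
                continue
            for sub, sub_value in value.items():
                if sub in AI_CONTEXT_CLAIMS:
                    out.ai_context[sub] = sub_value
                else:
                    out.errors.append(f"unknown ai_context field: {sub}")
            continue
        m = EXTENSION_RE.match(name)
        if m:
            framework, fld = m.groups()
            out.extensions.setdefault(framework, {})[fld] = value
            if framework not in KNOWN_EXTENSIONS:
                out.unregistered.add(framework)
            continue
        # Neither a core claim nor a well-formed extension claim (covers a
        # missing "x-" prefix, mixed case, or a typo). Fail closed rather than
        # ignore it: the enforcement decision may depend on this claim.
        out.errors.append(f"unrecognised claim name: {name}")
    return out


def is_enforceable(p: ClaimPartition, allow_unregistered: bool = False) -> bool:
    """True only if every claim was classified and every extension prefix is known."""
    if p.errors:
        return False
    return allow_unregistered or not p.unregistered


# Constructed sample claims for a token combining core, ai_context and extension fields.
SAMPLE_CLAIMS = {
    "lawful_basis": "consent",
    "allowed_purposes": ["analytics"],
    "ai_context": {"risk_tier": "high", "human_oversight": True},
    "x-hipaa:phi_flag": True,
    "x-hipaa:minimum_necessary": True,
    "x-dora:third_party_flag": False,
}

if __name__ == "__main__":
    p = partition_claims(SAMPLE_CLAIMS)
    print("enforceable:", is_enforceable(p), "extensions:", sorted(p.extensions))
    bad = partition_claims({"X-HIPAA:phi_flag": True, "hipaa:baa_in_place": True})
    print("enforceable:", is_enforceable(bad), "errors:", bad.errors)
```

The distinction between the errors list and the unregistered set matters in practice: a malformed name is always a hard failure, while an unknown but well-formed x-{framework}: prefix may be acceptable to a verifier that only enforces the namespaces it understands, which is why that case is a separate, explicit opt-in.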