- From: Mark @ OC <mark@openconsent.com>
- Date: Mon, 8 Apr 2019 16:15:07 +0100
- To: "Harshvardhan J. Pandit" <me@harshp.com>
- Cc: Bud Bruegger <uld613@datenschutzzentrum.de>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>, public-dpvcg@w3.org
- Message-Id: <B22872A2-A6FD-44A4-9A9F-F2CB8CFE543E@openconsent.com>
Hi All, In terms of legal definition and the point of creating a consent record with this specification, I believe consent is loosely defined on purpose, and agree with Rigo interpretation. I believe, that the GDPR has inadvertently made consent confusing, by trying to leave room for regulatory development on this topic. The spirit of this legislation is intended to leave room for the reasonable expectation of privacy, and a reasonable/proportionate provision of implicit consent. To address this issue, if an organisation creates a consent record, and provides a privacy/notice receipt for this record, then consent can then be shown to be compliant. For the contexts of explicit consent for special categories of data, a consent receipt, which is signed and incorporates a privacy notice in the record, would suffice to provide a record that can be show to be compliant. In this regard, my recommendation is to use implicit and explicit consent types/definitions for DPV, and to only use explicit consent for the GDPR receipt specification. ( Note: I will dig out the EU legal discourse on explicit and implicit consent for legal reference for the taxonomy. ) In this way, this work and the simple demarcation of two types of consent classification should address all the issues discussed here. Best Regards, Mark > On 8 Apr 2019, at 15:55, Harshvardhan J. Pandit <me@harshp.com> wrote: > > I disagree with this point. I think A29WP used 'regular' consent to refer to all valid consent, and therefore 'explicit' consent is the subset of 'regular' consent. > > Consider this text in Sec.4, pg.18 of the Guidelines document, taking it sentence by sentence - > 1) The GDPR prescribes that a “statement or clear affirmative action” is a prerequisite for ‘regular’ consent. > - Here, 'regular' would mean the 'default' or 'defined' consent (as per GDPR or DPD) - and the use of word regular is to indicate usual or normal or normative. Note that this is the first mention of the word regular in the document. > > 2) As the ‘regular’ consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC, > - This means that there are requirements of regular consent, that can be compared between GDPR and DPD - and since neither document mentions 'regular' - this would mean that they are talking about the 'default' or 'defined' consent in these documents. > > 3) it needs to be clarified what extra efforts a controller should undertake in order to obtain the explicit consent of a data subject in line with the GDPR." > - This states extra efforts in addition to regular consent to obtain explicit consent, which therefore would mean that regular is the superset and explicit is a subset of it. > > I'm continuing this in the your (Bud) other email so as to ensure all points are addressed. > -- > --- > Harshvardhan Pandit > PhD Researcher > ADAPT Centre > Trinity College Dublin
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Monday, 8 April 2019 15:16:39 UTC