- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Mon, 8 Apr 2019 18:39:14 +0100
- To: Bud Bruegger <uld613@datenschutzzentrum.de>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>
- Cc: public-dpvcg@w3.org
My argument rests on the premises that defining the complement of
explicit consent within the set of consent is redundant, or, if we
picture these in terms of requirements - then R doesn't exist!
Let's assume that -
- C is the set of requirements needed to say consent is valid
- E is the set of requirements needed to say explicit consent is valid
- In terms of requirements, E is the sum of requirements in C and some
additional ones that are required to make consent explicit
- Therefore, E is a superset of C
In this case, R is not needed to refer to C at all, or rather {R = C}
Taking sets for the concept of consent rather than their requirement (as
Bud originally did in his email), we have -
- C is the set of consent
- E is the set of explicit consent
- Since E is a specific type of consent with additional requirements, E
is a subset of C
- R is consent that is not explicit, i.e. {C - E}
- R does not have any additional requirements other than those required
by C (is this correct Bud?)
If so, then I fail to see what purpose R serves, except to distinguish C
from E. If the legal basis is L(C), then all requirements in C apply to
it (valid consent). If the legal basis is L(E) (or any of its subsets),
then all requirements in E apply to it, which includes requirements in C.
The only use of L(R) here would be to state that the requirements of
consent apply but not those of explicit consent. While this is useful in
terms of describing requirements of compliance, how much appropriate is
this for specifying the legal basis?
But since we are defining a taxonomy of legal basis, and not their
requirements - the assumption should be to choose the 'most appropriate'
or 'most applicable' legal basis, and then to follow its requirements -
not to determine requirements and then choose the legal basis.
Consulting Eva's (excellent) flow-chart for legal basis, we only reach
A6(1)(a) when the use-case is for 'regular' consent, and if it is
special categories of data - then we go to A9(2)(a) for 'explicit'
consent. At no point do we reach A6(1)(a) without determining whether
'regular' or 'explicit' consent is needed - it's always 'regular' at
A6(1)(a). This is what I meant by C = R for the legal basis.
Now, another way of looking at it is that since reaching A9(2)(a) means
that the controller should also satisfy requirements of legal basis in
A6(1)(a), we **can** model the legal basis of A9(2)(a) as a special case
of A6(1)(a) without resorting to splitting A6(1)(a) into regular and
explicit - since choosing A6(1)(a) as the legal basis means that it is
regular consent, because if it was not - then the correct legal basis
would have been A9(2)(a).
And since there are 3 cases where explicit consent is needed, we **can**
create a parent legal basis for them called explicit consent to
categorise them as all being based on explicit consent.
The gist of this is - the legal basis are -
{consent, explicit consent},
and we should not define them as
{(not explicit consent), (explicit consent)}
- Harsh
On 08/04/2019 17:17, Bud Bruegger wrote:
> Am 08.04.2019 um 16:55 schrieb Harshvardhan J. Pandit:
>> Replies are inline. If I have not replied to something - I agree with it.
>>
>> On 08/04/2019 14:30, Bud Bruegger wrote:
>>> Rigo just provided a subset of Art 4(11). It was not meant to be
>>> comprehensive.
>> If I remember correctly, Rigo provided it as a definition for
>> 'consent', and that is what we have listed on the spreadsheet.
>> My point is that we cannot use that as a definition for the legal
>> basis of consent (to which you agree, as you suggested A4-11 for the
>> definition).
>> So - this definition needs to be replaced with A4-11 in the spreadsheet.
> I agree in essence. The definition of consent is not limited to 4(11),
> however. To understand its semantics, Articles 7 and 8 and several
> recitals need to be taken into account too. So I would refer to 4(1),
> 7, and 8.
>
>>> The GDPR speaks in two places of "explicit" consent, where the risk
>>> is higher and the data subject requires an increased level of
>>> protection. Namely, this is in Art 9(2)(a) and 22(2)(c).
>> As well as in A49(1)(a) for transfers to third country
>
> Yes, that was oversight on my side.
>
>>> Looking at it as sets:
>>> 6(1)(a) is the set of all "valid" consents.
>>> 6(1)(a)-explicit is a subset of 6(1)(a) that contains only those
>>> "consents" that satisfy the additional requirements for "explicit"
>>>
>>> 6(1)(a) - 6(1)(a)-explicit, i.e., the complement of 6(1)(a)-explicit
>>> within 6(1)(a) is not named in the GDPR.
>>> I insist however, that the Art 29 Working Party introduces the term
>>> "'regular' consent" for this complement (page 8, 2nd paragraph of
>>> section 4). Since this claim of mine is simply based on the
>>> understanding of English grammar, IMHO this doesn't require legal
>>> advice but simply careful reading. In my reading, this is simple and
>>> clear and therefore I insist.
>>
>> I disagree with this point.
>
> But you haven't convinced me.
>
> But what we seem to agree on is that there is a set of valid consent (I
> call this "the whole", a subset for explicit consent (I call this
> "explicit subset" and a complement subset ("the whole" sans "explicit
> subset") that I call "complement subset".
>
> What we still disagree on is how to call them.
>
> My naming is:
>
> the whole: "consent" or "valid consent"
> explicit subset: "explicit consent"
> complement subset: "regular consent"
>
> Your naming:
>
> the whole: "regular consent"
> explicit subset: "explicit consent"
> complement subset" ????
>
> While the GDPR already uses the terms "consent" (and "valid consent")
> and "explicit consent", we need to find a term for the complement subset.
>
> In my reading--you haven't convinced me of the contrary--the Art29WP has
> exactly introduced the term "regular consent" to name this yet unnamed
> subset.
>
>> I think A29WP used 'regular' consent to refer to all valid consent,
>> and therefore 'explicit' consent is the subset of 'regular' consent.
>>
>> Consider this text in Sec.4, pg.18 of the Guidelines document, taking
>> it sentence by sentence -
>> 1) The GDPR prescribes that a “statement or clear affirmative action”
>> is a prerequisite for ‘regular’ consent.
>> - Here, 'regular' would mean the 'default' or 'defined' consent (as
>> per GDPR or DPD) - and the use of word regular is to indicate usual or
>> normal or normative. Note that this is the first mention of the word
>> regular in the document.
>
> I would have preferred "already for regular consent", but I still don't
> see that this excludes my semantics.
>
>> 2) As the ‘regular’ consent requirement in the GDPR is already raised
>> to a higher standard compared to the consent requirement in Directive
>> 95/46/EC,
>> - This means that there are requirements of regular consent, that can
>> be compared between GDPR and DPD - and since neither document mentions
>> 'regular' - this would mean that they are talking about the 'default'
>> or 'defined' consent in these documents.
>>
>> 3) it needs to be clarified what extra efforts a controller should
>> undertake in order to obtain the explicit consent of a data subject in
>> line with the GDPR."
>> - This states extra efforts in addition to regular consent to obtain
>> explicit consent, which therefore would mean that regular is the
>> superset and explicit is a subset of it.
>
> So what I read is: regular is already high, what extra effort is
> necessary to reach explicit? [That reads the above two sentenses
> together].
>
> When looking at it as "requirements" for a certain type of consent, this
> probably becomes clearer:
>
> regular consent is the set of all consents that fulfill the regular
> requirements.
>
> Explicit consent requires extra effort, therefore:
> explicit consent is the set of all consents that fulfills both, the
> regular requirements plus the additional explicit requirements.
>
>
> What is important to me is the structure. I'm not hung up on one naming
> of complement or another. But we need to name it in the vocabulary.
>
> What I much prefer is have some kind of a legal authority name it (the
> GDPR or the Art29WP). If we name it, it can only be wrong.
>
> Since I believe that anyone in their right (legal) mind will stay far
> away from naming something that is already named, I believe that the
> Art29WP introduced a new term only since there was no name for it already.
>
> Consent, in the sense of "the whole", is already defined. Why introduce
> a synomym of "regular consent"? But use a adjective to further
> distinguish "consent" into two subclasses makes perfect sense to me.
>
> Eva is not available at the moment--not sure when she'll be back. But
> let's wait for Rigo's reply and I will ask two colleagues who are
> lawyers and who are part of the EDPB. That should yield an
> authoritative answer.
>
> cheers
> -b
>
>>
>> I'm continuing this in the your (Bud) other email so as to ensure all
>> points are addressed.
>
--
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Monday, 8 April 2019 17:40:11 UTC