- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Tue, 9 Apr 2019 12:25:47 +0100
- To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>, Mark Lizar <mark@openconsent.com>, Eva Schlehahn <uld67@datenschutzzentrum.de>
**Sending to the public mailing list for archival purposes**

To clarify: NO, I'm not saying we create a term called 'regular' consent.

My proposal is to acknowledge in the description (dcterms:description or rdfs:comment) of the term <A6(1)(a)> in our vocabulary that it is the legal basis for what is referred to as "regular" consent in the Guidelines on Consent by A29WP.

The 'definition' of <A6(1)(a)> as a term in our vocabulary is the URI for the text of A6(1)(a) in GDPR (rdfs:isDefinedBy) to indicate its source, with the definition (skos:definition) as - "legal basis where the data subject has given consent to the processing of his or her personal data for one or more specific purposes;" --> taking text straight from 6(1)(a).

I think this way we can have our ~'regular' cake~ and eat it too :P

On 09/04/2019 12:14, Mark @ OC wrote:
> Hi Harsh,
>
> Are you suggesting we use the word ‘Regular’ in the definition? Can we
> please refrain from using the word regular and go with just ‘consent’ or
> ‘explicit consent’ as suggested?
>
> The reason being, is that we will have to account for irregular consent
> if we use the word regular. This would open another can of worms.
>
> - Mark
>
>
>> On 9 Apr 2019, at 12:08, Harshvardhan J. Pandit <me@harshp.com> wrote:
>>
>> Thanks Eva, Bud, Rigo, Mark.
>>
>> For our taxonomy/vocabulary, we have a 'flat' list (no-hierarchy) for
>> v1, because to create hierarchies we would need further discussion on
>> how the other legal bases are related.
>>
>> So I propose we go with the following from Eva's email today -
>>
>> * A6(1)(a) as the legal basis, and in its description, we mention that
>> it requires what is referred to as regular consent by A29WP (note - no
>> split into regular and explicit as it is listed currently in the
>> spreadsheet)
>>
>> * A9(2)(a) as the legal basis, and in its description we mention that
>> it requires what is referred to as explicit consent by GDPR and A29WP
>>
>> * Add additional legal bases that require explicit consent i.e.
>> A22(2)(c) and A49(1)(a) to the list as it currently only covers A6 and A9
>>
>> @Eva do you think this is okay to go ahead with?
>>
>> - Harsh
>>
>>
>> On 09/04/2019 10:35, Eva Schlehahn wrote:
>>>
>>> Dear Harsh, dear all,
>>>
>>> after wading through all the back and forth emails touching upon this
>>> topic, I am going back to the roots here. In short: I think Bud is
>>> right. :)
>>>
>>> I discussed at length with Bud in advance and as his preparation for
>>> the community group meeting. He is right because we have a need to
>>> capture the following structure:
>>>
>>> * Consent - as legal basis with the definition: 'A data subject's
>>>   unambiguous/clear affirmative action that signifies an agreement
>>>   to process their personal data'
>>>     o Regular consent -> Legal basis of Art. 6 para 1 (a) GDPR
>>>     o Explicit consent -> Legal basis of Art 9 para. 2 (a) GDPR
>>>
>>> Even though Rigo originally saw the term 'regular' critically, I
>>> still think it is useful to simply express that there is a difference
>>> between the consent required by Art. 6 in contrast to Art. 9. So in
>>> principle, we need some term to highlight this difference. And Bud
>>> relies on what the former Art. 29 Working Group said since it simply
>>> makes no sense to make up something else out of thin air.
>>>
>>> Btw. 'freely given & informed' are not definitions, they are
>>> conditions. There is a difference. :) And they probably cannot be
>>> expressed in a vocabulary since they are always context-dependent and
>>> subject to interpretation. :)
>>>
>>> Harsh, I like your examples given in your email - and I agree insofar
>>> as the explicit consent required a very clear statement from the data
>>> subject what they are agreeing to. Please note that this is even a
>>> step further than the consent just being 'informed' - in a way, this
>>> informed-ness also needs to be expressed explicitly.
>>>
>>> Greetings,
>>>
>>> Eva
>>>
>>> On 08.04.2019 at 13:39, Harshvardhan J. Pandit wrote:
>>>> tldr; This email is regarding using two separate legal bases for
>>>> consent as provided by A6(1)(a)
>>>>
>>>> Dear Eva, Rigo, and Bud.
>>>> I'm having trouble understanding the two separate legal bases for
>>>> consent as provided by A6(1)(a).
>>>> This discussion was mostly conducted in the F2F, and because this is
>>>> the first time I have come across this interpretation of two legal
>>>> bases under A6(1)(a), it would be good to have it in the mailing
>>>> list so as to have a point of reference in the future.
>>>>
>>>> My understanding of the discussion so far:
>>>> Please do specify (and if possible, correct) any errors made in
>>>> capturing the gist of the discussion.
>>>> For consent as the legal basis, Eva and Bud suggested
>>>> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html
>>>> 1-APR) two types ('regular' and 'explicit') of consent from Article
>>>> 6(1)(a), with a reference to A29WP guidelines on consent - that also
>>>> mention these two terms.
>>>> Rigo (skype call in F2F, 4-APR) suggested to remove the word
>>>> 'regular' and simply call it consent, and provided the following
>>>> definition for (previously regular) consent - "A data subject's
>>>> unambiguous/clear affirmative action that signifies an agreement to
>>>> process their personal data". (personal opinion - I think this was
>>>> to provide a definition of 'consent' as a top-level concept in the
>>>> taxonomy)
>>>>
>>>> Points I'm struggling with -
>>>>
>>>> (1) If the (regular) consent is used as a legal basis with the above
>>>> definition - would it be valid under the GDPR given that it does not
>>>> follow the definition of consent (A4-11) for being "freely given,
>>>> informed".
>>>>
>>>> (2) Where do we use the GDPR definition of consent (A4-11) in the
>>>> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>>>>
>>>> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular'
>>>> consent is mentioned in context - The GDPR prescribes that a
>>>> “statement or clear affirmative action” is a prerequisite for
>>>> ‘regular’ consent.
>>>> In the same section, 'explicit' consent is mentioned as - "The term
>>>> explicit refers to the way consent is expressed by the data subject.
>>>> It means that the data subject must give an express statement of
>>>> consent."
>>>> Given that I have no legal background, I'm confused as to wouldn't
>>>> every 'regular' consent required by GDPR also be 'explicit' given
>>>> the requirement for every consent to be informed, specific,
>>>> unambiguous indication by a statement or action (A4-11) - which
>>>> covers descriptions of both terms by A29WP?
>>>> Or, is the difference as follows:
>>>> - regular - saying "I Agree"
>>>> - explicit - saying "I Agree to XYZ" ← note explicit mention of what
>>>> I'm agreeing to?
>>>> But wouldn't this be covered by the information in the description
>>>> of what they are agreeing to because consent should be informed? It
>>>> does come to my mind, that the 'explicit' in this case may refer to
>>>> the requirement of stating that some information, such as special
>>>> categories of data, need to be mentioned in an 'explicit' form in
>>>> the 'informed' part of consent - in which case, does it qualify as a
>>>> separate legal basis OR as the requirements for valid consent (and
>>>> therefore not part of legal basis taxonomy)?
>>>>
>>>> (4) If conditions provided by A9(2)(a) count as a legal basis based
>>>> on 'explicit' consent for special categories of personal data, do
>>>> the following also count as a legal basis given that they are based
>>>> on 'explicit' consent and are types of processing?
>>>> - R72 Profiling
>>>> - A22(2)(c) Automated individual decision-making, including profiling
>>>> - A49(1)(a) transfers of personal data to a third country or an
>>>> international organisation
>>>>
>>>> I don't mean to start a long discussion that may delay the work on
>>>> wrapping up the taxonomy, so am willing to accept short answers
>>>> (e.g. yes/no, use 'this' as definition); but at the same time it
>>>> would be very helpful to clarify these things - both for the group as
>>>> well as (personally) for my PhD work.
>>>>
>>>> Best,
>>>> Harsh
>>>>
>>>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>>>>
>>>>> Dear all,
>>>>>
>>>>> Bud and I developed further the taxonomy of legal bases according
>>>>> to the GDPR. Please find attached
>>>>>
>>>>> * in the Word document file Bud's version of such a vocabulary, as
>>>>>   well as
>>>>> * in the image file my extension of the already existing
>>>>>   visualization from lawyer perspective. ;-)
>>>>>
>>>>> A pity I cannot make it to Vienna. I wish you all a fruitful
>>>>> meeting there. :-)
>>>>>
>>>>> Greetings,
>>>>>
>>>>> Eva
>>>>>
>>>>> --
>>>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>>>> Eva Schlehahn, uld67@datenschutzzentrum.de
>>>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>>>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>>>>>
>>>>> Information on the processing of personal data by the State
>>>>> Commissioner for Data Protection and on encrypted e-mail
>>>>> communication: https://datenschutzzentrum.de/datenschutzerklaerung/
>>>>>
>>>>
>> --
>> ---
>> Harshvardhan Pandit
>> PhD Researcher
>> ADAPT Centre
>> Trinity College Dublin
>

--
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin

Received on Tuesday, 9 April 2019 11:26:55 UTC