Re: Definitions

Hello Mark,
Thank you for highlighting the discussion regarding consent.

IMHO, I think there is a need for a more operational definition of 
consent (as provided by the GDPR) to specify or measure an 
implementation of that consent in practice.
This is because consent in this case IS the permission regarding 
personal data under consideration.
And this is also useful in evaluating a reasonable 'expected state' of 
what consent should be (freely given, specific, informed, unambiguous) 
as per the legal definition.
In this, I agree with you that 'consent' is a human (I would rather say 
sapient) term.
For example, machines can be said to provide permission but not consent.
However, I do not think we should go over and beyond the legal 
definition or coverage of consent towards more social definitions.
We can, perhaps, provide a way to guide and describe practical 
implementations of consent, based on the deliverables of the WG.


Regards,
Harsh
** thoughts, opinions, criticism, disagreements welcome **

On 14/10/18 6:39 AM, Mark Lizar wrote:
> Hi Axel et al,
> 
> Finally, I believe I may have made it on to this list as I am now 
> receiving emails.   I can see I am a bit late to the conversation about 
> definitions and consent, my apologies if being late and opinionated is 
> disruptive and out of context.
> 
> As for introductions, my name is Mark,  I have been working in 
> surveillance and the topical area of consent and notice for well over a 
> decade now.  I have championed surveillance by consent and research in 
> the contextual integrity of surveillance notices as an academic, 
> challenged the security vs privacy fallacies and worked on better 
> governance in this space, which led to the UK surveillance code of 
> practice 
> <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/204775/Surveillance_Camera_Code_of_Practice_WEB.pdf> and 
> policing by consent 
> <https://www.gov.uk/government/publications/policing-by-consent>.  
>   After this, I have spent a considerable amount of time working on 
> addressing the systemic attack on the social good that has been 
> undermining privacy with non-operational privacy policies. In particular 
> the lack of operational; privacy, privacy in identity management and 
> privacy security at a systemic and infrastructure level.
> 
> This led to the development of the Kantara Consent Receipt standard, 
> which has led to my most recent project of Consent by Design for 
> operational privacy and security in all legal justifications of privacy. 
>   Even with a long term focus in the topic of notice and consent I am 
> still learning and exploring what has turned out to be an incredibly 
> deep and human topic. As a result, my opinions here are open ended and 
> not to be taken as definitive in that I suggest this WG decide if these 
> opinions are useful for definitive purpose and if they do in fact 
> improve on definitions as they currently exist.
> 
> In this regard, I would like to challenge the definition of consent as 
> laid out in the GDPR as being a bit too sloppy to be operational for 
> what I think this list is aiming to achieve.  In that this GDPR 
> definition is much closer to what the definition of Explicit Consent 
> should be.
> 
> 
>> On 14 Oct 2018, at 10:50, Víctor Rodríguez Doncel 
>> <vrodriguez@fi.upm.es> wrote:
>>
>>> 1.
>>>
>>>     5) Consent(Art 4 No. 11 GDPR)
>>>
>>>     Any freely given, specific, informed and unambiguous indication
>>>     of the data subject’s wishes by which he or she, by a statement
>>>     or by a clear affirmative action, signifies agreement to the
>>>     processing of personal data relating to him or her.
>>>
>>>
> In my opinion all privacy law, which requires a notice, is generally 
> consent based in that a notice is legally required to mediate the 
> expected state of signaling, and in the context of privacy law, the 
> expected state of personal data processing.
> 
> Being a bit sloppy with the definition of consent makes it a lot more 
> difficult to model and technically build operational privacy and 
> security infrastructure.  For example, the definition above is very 
> difficult to distinguish consent from permissions or authorisations, 
> which I would posit have different definitions and technical nuances 
> that have a direct operational impact.
> 
> In addition, consent is a human term and indicates a state of 
> expectation, which the Consent Receipt specification or (Minimum Viable 
> Consent Receipt) is used to capture.   From the human social context, I 
> have recently proposed that everything can be operationally understood 
> as a type of consent.  For example, the authoritative justification of 
> contract and legitimate interest could be understood as implied consent 
> for data processing (from a human operational perspective).
> 
> Lastly, I would also put forth that the initial state of privacy as 
> defined by a notice and policy, provided upon a first engagement is what 
> sets the ‘expected state’ for people and that permissions are used to 
> mediate this expected state.  Which at the moment, I think is what is 
> making consent so confusing, so easily attacked (aka cookie consent is 
> really surveillance) and what undermines any attempt at creating systems 
> that people can find trustworthy (e.g. an expected state over time).
> 
> For this reason, I have been working on the operational privacy and 
> security principle of Consent by Design, which means that notice is 
> required to iteratively maintain an expected privacy state, regardless 
> of the justification.
> 
> Hopefully, this contributes to the ongoing discussion,
> 
> Mark Lizar | Open Consent | 22 Wenlock Rd, London|  N1 7GU
> P +44 (0) 208 123-2476 | E mark@openconsent.com
> | Twitter @openconsent | Web https://www.openconsent.com |
> 
> Confidentiality Note: This message and any attachments may contain 
> legally privileged and/or confidential information. If you are not the 
> intended recipient of this e-mail message, kindly notify the sender and 
> then delete the message.
> 

-- 
---
Harshvardhan J. Pandit
PhD Researcher
ADAPT Centre, Trinity College Dublin
https://harshp.com
GPG: D81BF4F31D31B413

Received on Sunday, 14 October 2018 17:16:39 UTC