Re: Definitions from Axel Polleres on 2018-10-15 (public-dpvcg@w3.org from October 2018)

From: Axel Polleres <axel.polleres@wu.ac.at>
Date: Mon, 15 Oct 2018 04:34:46 +0200
To: Mark Lizar <mark@openconsent.com>
Cc: Víctor Rodríguez Doncel <vrodriguez@fi.upm.es>, public-dpvcg@w3.org, Patricia Martín Chozas <pmchozas@fi.upm.es>, Elena Montiel <emontiel@fi.upm.es>, María NAVAS LORO <mnavas@fi.upm.es>
Message-Id: <E055CD62-B85D-4CBB-8EDC-FE680142E708@wu.ac.at>
Hi Mark,

welcome to the group and looking forward to discuss all these inputs in the Tue tel.conf.

Axel
--
Prof. Dr. Axel Polleres
Institute for Information Business, WU Vienna
url: http://www.polleres.net/  twitter: @AxelPolleres

> On 14.10.2018, at 15:39, Mark Lizar <mark@openconsent.com> wrote:
> 
> HI Axel et al,  
> 
> Finally, I believe I may have made it on to this list as I am now receiving emails.   I can see I am a bit late to the conversation about definitions and consent, my apologies if being late and opinionated is disruptive and out of context. 
> 
> As for introductions, my name is Mark,  I have been working in surveillance and the topical area of consent and notice for well over a decade now.  I have championed surveillance by consent and research in the contextual integrity of surveillance notices as an academic, challenged the security vs privacy fallacies and worked on better governance in this space, which led to the UK surveillance code of practice  <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/204775/Surveillance_Camera_Code_of_Practice_WEB.pdf>and policing by consent <https://www.gov.uk/government/publications/policing-by-consent>.   After this, I have spent a considerable amount off time working on addressing the systemic attack on the social good that has been undermining privacy with non-operational privacy policies. In particular the lack of operational; privacy, privacy in identity management and privacy security at a systemic and infrastructure level. 
> 
> This led to the development of the Kantara Consent Receipt standard, which has led to my most recent project of Consent by Design for operational privacy and security in all legal justifications of privacy.  Even with a long term focus in the topic of notice and consent I am still learning and exploring what has turned out to be an incredibly deep and human topic. As a result, my opinions here are open ended and not to be taken as definitive in that I suggest this WG decide if these opinions are useful for definitive purpose and if they do in fact improve on definitions as they currently exists.  
> 
> In this regard, I would like to challenge the definition of consent as laid out in the GDPR as being a bit too sloppy to be operational for what I think this list is aiming to achieve.  In that this GDPR definition Is much closer to the what the definition of Explicit Consent should be. 
> 
> 
>> On 14 Oct 2018, at 10:50, Víctor Rodríguez Doncel <vrodriguez@fi.upm.es <mailto:vrodriguez@fi.upm.es>> wrote:
>> 
>>> 5)  Consent (Art 4 No. 11 GDPR)
>>> 
>>> Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
>>> 
>>> 
> In my opinion all privacy law, which requires a notice, is generally consent based in that a notice is legally required to mediate the expected state of signaling, and in the context of privacy law, the expected state of personal data processing. 
> 
> Being a bit sloppy with the definition of consent makes it a lot more difficult to model and technically build operational privacy and security infrastructure.  For example, the definition above is very difficult to distinguish consent from permissions or authorisations, which I would posit have different definitions and technical nuances that have a direct operational impact. 
> 
> In addition, consent is a human term and indicates a state of expectation, which the Consent Receipt specification or (Minimum Viable Consent Receipt) is used to capture.   From the human social context, I have recently proposed that everything can be operationally understood as a type of consent.  For example, the authoritative justification of contract and legitimate interest could be understood as implied consent for data processing (from a human operational perspective). 
> 
> Lastly, I would also put forth that the initial state of privacy as defined by a notice and policy, provided upon a first engagement is what sets the ‘expected state’ for people and that permissions are used to mediate this expected state.  Which at the moment, I think is what is making consent so confusing, so easily attacked (aka cookie consent is really surveillance) and what undermines any attempt at creating systems that people can find trustworthy (e.g. an expected state over time). 
> 
> For this reason, I have been working on the operational privacy and security principal of Consent by Design, which means that notice is required to iteratively maintain an expected privacy state, regardless of the justification.  
> 
> Hopefully, this contributes to the ongoing discussion,
> 
> Mark Lizar | Open Consent | 22 Wenlock Rd, London|  N1 7GU
> P +44 (0) 208 123-2476 | E mark@openconsent.com <mailto:mark@openconsent.com> 
> | Twitter @openconsent | Web https://www.openconsent.com <https://www.openconsent.com/> |
> 
> Confidentiality Note: This message and any attachments may contain legally privileged and/or confidential information.If you are not the intended recipient of this e-mail message, kindly notify the sender and then delete the message. 
>
Received on Monday, 15 October 2018 02:35:20 UTC