- From: Bud Bruegger <uld613@datenschutzzentrum.de>
- Date: Thu, 4 Apr 2019 14:23:54 +0200
- To: public-dpvcg@w3.org
-------- Forwarded Message --------
Subject: Re: dpvcg-ACTION-66: Look into structuring processing categories, ramisa, bud, eva to help/review.
Date: Tue, 26 Feb 2019 14:37:28 +0100
From: Bud Bruegger <uld613@datenschutzzentrum.de>
To: public-dpvcg@w3.org

Hi Harsh,

apologies for the delayed reply.

Disclaimer: I am not a lawyer but have worked with lawyers for some time now. Also, Eva is on sick leave and so I can't talk with her about it.

Art 4(2) GDPR, in my understanding, just tries to give the widest possible definition for "processing" without concerns of orthogonality, completeness, or suitedness to indicate certain cases that need to be treated specifically.

Also, the GDPR always speaks of data--while modern processing goes way beyond the ancient data in, data out paradigm. In particular, what is excluded is (i) the "production" of "physical products" (e.g., a passport or a dental prosthesis--both based on personal data but much more than the data) and (ii) effects acting on the physical world (for example, the control of a personal medical device that for example controls the dispensing of medication based on various sensors).

The GDPR uses the term "nature of processing" without giving a definition. So I propose that nature of processing could be: [output of data/information product, production of a physical artefact, control of the physical environment/cyber-physical system]

It seems that so far, the GDPR and consequently we have focused on the first of the three.

[NB, the GDPR uses other interesting adjectives of processing beyond "nature": scope, context. And the Art29WP speaks of "scale" and "

> The specific structuring is problematic because the GDPR definition
> contains a lot of words which are difficult to understand e.g.
> alteration and transfer. Sometimes it is not clear whether to use the
> legal meaning of the term or one more closely aligned to technologies.
> Can the legal experts assist with this?

As said above, I am not a legal expert. BUT, I don't think that 4(2) is a good basis for the vocabulary.

When I think of the GDPR and what kinds of processing trigger certain things, what comes to mind without systematic digging is "Automated individual decision-making, including profiling" (Art 22) and "produces legal effects concerning him or her or similarly significantly affects him or her" (also Art 22).

The Art. 29 Working Party (now European Data Protection Board) also has issued an opinion [1] that uses other terms that characterize processing including:

* Evaluation or scoring
* Automated-decision making with legal or similar significant effect [Bud: financial effects??]
* Systematic monitoring
* Matching or combining datasets
* processing that involves new technological or organisational solutions
* processing that “prevents data subjects from exercising a right or using a service or a contract” (Article 22 and recital 91)

These more or less seem to fit in the same dimension, although I don't believe they are necessarily mutually exclusive.

What isn't explicitly mentioned by the Art29WP is processing based on machine learning or similar forms of AI.

> I've also added profiling and cross-border processing as types from
> their definitions in Article-4.

Profiling is also mentioned by Art29WP and included above. "Cross-border" in my conceptualization fits in a different dimension, maybe the same that "scale of processing" fits in (The Art29WP gives a definition of scale, one aspect being geographic extent).

BTW, the bullet list above is a subset of things the Art29WP lists as indicators of possible high risk--namely those that in my head fit under "type of processing". Others such as "scale", type of data (sensitive, data of a highly personal nature--eg. location), type of affected data subjects (children, vulnerable data subjects) I left out...

Do you all think that we could start with the above sub-list from Art29WP and discuss how to make it orthogonal and complete?

best cheers
-b

[1] https://ec.europa.eu/newsroom/document.cfm?doc_id=47711 see pages 9 and 10

On 22.02.2019 at 16:11, Harshvardhan J. Pandit wrote:
> Hello.
> Here is a rudimentary categorisation of processing types, taken from the
> definition of processing in GDPR (A4-2)
> https://github.com/dpvcg/processing
>
> At the broadest level, processing is categorised as obtaining data,
> using data, storing data, disclosing data, transferring data,
> transforming data, organising data, removing data, and automation (i.e.
> automated processing)
>
> The specific structuring is problematic because the GDPR definition
> contains a lot of words which are difficult to understand e.g.
> alteration and transfer. Sometimes it is not clear whether to use the
> legal meaning of the term or one more closely aligned to technologies.
> Can the legal experts assist with this?
>
> I've also added profiling and cross-border processing as types from
> their definitions in Article-4.
>
> For processing (URI DataProcessing), I've added links to the definition
> of processing in Eurovoc. Eurovoc contains definitions for terms such as
> data collection and processing as well as links to other vocabularies
> such as UN and UNESCO. We should define links to such vocabularies once
> we have finalised the terms.
>
> Best,
> Harsh
>
> On 12/02/19 7:21 PM, Data Privacy Vocabularies and Controls Community
> Group Issue Tracker wrote:
>> dpvcg-ACTION-66: Look into structuring processing categories, ramisa,
>> bud, eva to help/review.
>>
>> https://www.w3.org/community/dpvcg/track/actions/66
>>
>> Assigned to: Harshvardhan Pandit
>>
>

--
Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
ULD613@datenschutzzentrum.de
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Information on the processing of personal data by the Landesbeauftragte für Datenschutz and on encrypted e-mail communication:
https://datenschutzzentrum.de/datenschutzerklaerung

Received on Thursday, 4 April 2019 12:24:35 UTC