Re: Taxonomy of legal bases

Hello again,

I do not agree with Rigo on this and have sent him the following mail 
asking the rational behind his advice:  (With the bad audio, I couldn't 
follow what Rigo said at the F2F meeting--which wasn't at all F2F)

I would  like to ask you a set naming question

The GDPR defines conditions for valid consent.

Let us define C as the set of all consents that meet this requirements 
and is valid according to the GDPR.

The GDPR also speaks of "explicit consent", posing more stringent 
requirements.

Let E be the set of consents of all consents that meet the requirements 
for explicit consent.

Then E is a (proper) subset of C:  Every explicit consent is also a 
valid consent; but not every valid consent is an explicit consent.

C and E imply another subset, namely the set of all consents that are 
valid but not explicit.  Let it be denoted by (C - E).

The existance of this set is clearly based on the GDPR.  The GDPR fails 
to name this set.

In my reading, the Art 29 Working Party in their guidelines on consent 
actually name this set as "regular consent":  See [1] page 18, section 
4, 2nd paragraph.

So here concrete questions:

(i) do you agree that the Art29WP names (C-E) as "regular consent"?

(ii) if not, can you explain what "regular consent" means in terms of 
the above defined sets?

(iii) if yes, for what reason should the DPVCG vocabulary not use the 
term "regular consent"?

Many thanks and kind regards
-b


[1] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051


Am 08.04.2019 um 13:39 schrieb Harshvardhan J. Pandit:
> tldr; This email is regarding using two separate legal basis for consent 
> as provided by A6(1)(a)
> 
> Dear Eva, Rigo, and Bud.
> I'm having trouble understanding the two separate legal basis for 
> consent as provided by A6(1)(a).
> This discussion was mostly conducted in the F2F, and because this is the 
> first time I have come across this interpretation of two legal basis 
> under A6(1)(a), it would be good to have it in the mailing list so as to 
> have a point of reference in the future.
> 
> My understanding of the discussion so far:
> Please do specify (and if possible, correct) any errors made in 
> capturing the gist of the discussion.
> For consent as the legal basis, Eva and Bud suggested 
> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 
> 1-APR) two types ('regular' and 'explicit') of consent from Article 
> 6(1)(a), with a reference to A29WP guidelines on consent - that also 
> mention these two terms.
> Rigo (skype call in F2F, 4-APR) suggested to remove the word 'regular' 
> and simply call it consent, and provided the following definition for 
> (previously regular) consent - "A data subject's unambigious/clear 
> affirmative action that signifies an agreement to process their personal 
> data". (personal opinion - I think this was to provide a definition of 
> 'consent' as a top-level concept in the taxonomy)
> 
> Points I'm struggling with -
> 
> (1) If the (regular) consent is used as a legal basis with the above 
> definition - would it be valid under the GDPR given that it does not 
> follow the definition of consent (A4-11) for being "freely given, 
> informed".
> 
> (2) Where do we use the GDPR definition of consent (A4-11) in the 
> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
> 
> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular' 
> consent is mentioned in context - The GDPR prescribes that a “statement 
> or clear affirmative action” is a prerequisite for ‘regular’ consent.
> In the same section, 'explicit' consent is mentioned as - "The term 
> explicit refers to the way consent is expressed by the data subject. It 
> means that the data subject must give an express statement of consent."
> Given that I have no legal background, I'm confused as to wouldn't every 
> 'regular' consent required by GDPR also be 'explicit' given the 
> requirement for every consent to be informed, specific, unambiguous 
> indication by a statement or action (A4-11) - which covers descriptions 
> of both terms by A29WP?
> Or, is the difference as follows:
> - regular - saying "I Agree"
> - explicit - saying "I Agree to XYZ" ← note explicit mention of what I'm 
> agreeing to?
> But wouldn't this be covered by the information in the description of 
> what they are agreeing to because consent should be informed?. It does 
> come to my mind, that the 'explicit' in this case may refer to the 
> requirement of stating that some information, such as special categories 
> of data, need to be mentioned in an 'explicit' form in the 'informed' 
> part of consent - in which case, does it qualify as a separate legal 
> basis OR as the requirements for valid consent (and therefore not part 
> of legal basis taxonomy)?
> 
> (4) If conditions provided by A9(2)(a) count as a legal basis based on 
> 'explicit' consent for special categories of personal data, do the 
> following also count as a legal basis given that they are based on 
> 'explicit' consent and are types of processing?
> - R72 Profiling
> - A22(2)(c) Automated individual decision-making, including profiling
> - A49(1)(a) transfers of personal data to a third country or an 
> international organisation
> 
> I don't mean to start a long discussion that may delay the work on 
> wrapping up the taxonomy, so am willing to accept short answers (e.g. 
> yes/no, use 'this' as definition); but at the same time it would be very 
> helpful to clarify this things - both for the group as well as 
> (personally) for my PhD work.
> 
> Best,
> Harsh
> 
> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>
>> Dear all,
>>
>> Bud and I developed further the taxonomy of legal bases according to 
>> the GDPR. Please find attached
>>
>>   * in the Word document file Bud's version of such a vocabulary, as
>>     well as
>>   * in the image file my extension of the already existing
>>     visualization from lawyer perspective. ;-)
>>
>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting 
>> there. :-)
>>
>> Greetings,
>>
>> Eva
>>
>> -- 
>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>> Eva Schlehahn,uld67@datenschutzzentrum.de
>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>> mail@datenschutzzentrum.de  -https://www.datenschutzzentrum.de/
>>
>> Informationen über die Verarbeitung der personenbezogenen Daten durch
>> die Landesbeauftragte für Datenschutz und zur verschlüsselten
>> E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/
> 
> -- 
> ---
> Harshvardhan Pandit
> PhD Researcher
> ADAPT Centre
> Trinity College Dublin
> 

-- 
Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
ULD613@datenschutzzentrum.de
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung

Received on Monday, 8 April 2019 12:39:45 UTC