Re: Taxonomy of legal bases

I'm not a big fan of the term "regular" consent. I would suggest
looking at what is implied by not attaching the modifier explicit to
the word consent. If you think of this in terms of all consent and
break it into two categories, explicit and everything else, what terms
can we use to describe everything else. One word is non-explicit.
Another would be implicit. So rather than explicit and regular, I
would suggest (at least mentally) dividing consent between explicit
and implicit. 

IMPLICIT - implied though not plainly expressed

So lets look at an example.  Suppose I have a website where people
can place orders of a product to be shipped to them. After purchase, I
have a form with the following

Please provide your address for shipping
Address [____________________________]
Country [____________________________]
Postal Code [____________________________]

If someone were to complete that form, they would have consented to
the use of that address for me to ship their purchase.  Looking at
this from the GDPR perspective, the elements of consent have been met

	* Freely given
a. There is no imbalance of power (such as in an employer/employee
context) coercing the user to give up their address
b. I'm not conditioning some unrelated service on providing this
information 
c. I'm not, presumably, bundling unnecessary processing operations
d. [You have to suspend for the moment that a controller would
actually rely on performance of a contract for collection and use of
this information, not consent] 	* Specific - this relates to purpose
limitation, here the purpose is to ship a person their order. Its
clear from the context, and use of the word "shipping", that the
reason the address is being collected is for this purpose
	* Informed - The statement "Please provide your address for shipping"
provides the necessary information to the individual - what data is
collected and the purpose. Presumably, the other necessary elements of
informing the individual are provided elsewhere (such as who the
controller is, the right to withdraw, etc). 
	* Finally, completing the form is an unambiguous affirmative act on
the part of the individual and this is where the crux of the
difference between implicit and explicit come into play

If we now want to take this out of the implicit realm and into the
implicit, we would add a button or checkbox and some additional
language.

[      ] Type "I agree" in the box if you agree to the use of your
address to ship order 

By checking the box, the user has now explicitly consented to the use
of the information for the specified purposes. Now, under GDPR, we
don't need this for this purpose, but we would if the use were for Art
49 purposes. so let change up that final statement to demonstrate
where we need explicit consent

[     ] Type "I agree" in the box if you agree to the transfer of
your address to our fulfillment center in China. China has not been
deemed to have adequate data protection laws and there are risks that
your data will be used in ways we can't control or anticipate. 

Note, I'm not advising that this language meets all the criteria under
Art 49(1)(a) or Art 13(1)(f), just using it to demonstrate how
explicit consent would be gathered. 

Jason 

	.....................................................................
R. Jason Cronk                  | Juris Doctor  
Privacy and Trust Consultant    | IAPP Fellow of Information
Privacy
ENTERPRIVACY CONSULTING GROUP [1]   | CIPT, CIPM, CIPP/US, PbD
Ambassador
Privacy notices made simple: https://simpleprivacynotice.com [2] 
....................................................................

	UPCOMING TRAINING

Privacy by Design Professional:  Cyprus (April [3]), Belarus -
English/Russian (July)

Online (coming soon): https://privacybydesign.training [4]

----- Original Message -----
From:
 "Harshvardhan J. Pandit" <me@harshp.com>

To:
"Eva Schlehahn" <uld67@datenschutzzentrum.de>, "Rigo Wenning"
<rigo@w3.org>, "Bud Bruegger" <uld613@datenschutzzentrum.de>
Cc:
<public-dpvcg@w3.org>
Sent:
Mon, 8 Apr 2019 12:39:49 +0100
Subject:
Re: Taxonomy of legal bases

	 tldr; This email is regarding using two separate legal basis for
consent as provided by A6(1)(a)  

	 Dear Eva, Rigo, and Bud.
 I'm having trouble understanding the two separate legal basis for
consent as provided by A6(1)(a).
 This discussion was mostly conducted in the F2F, and because this is
the first time I have come across this interpretation of two legal
basis under A6(1)(a), it would be good to have it in the mailing list
so as to have a point of reference in the future.  

	 My understanding of the discussion so far:
 Please do specify (and if possible, correct) any errors made in
capturing the gist of the discussion.
 For consent as the legal basis, Eva and Bud suggested
(https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html
[5] 1-APR) two types ('regular' and 'explicit') of consent from
Article 6(1)(a), with a reference to A29WP guidelines on consent -
that also mention these two terms.
 Rigo (skype call in F2F, 4-APR) suggested to remove the word
'regular' and simply call it consent, and provided the following
definition for (previously regular) consent - "A data subject's
unambigious/clear affirmative action that signifies an agreement to
process their personal data". (personal opinion - I think this was to
provide a definition of 'consent' as a top-level concept in the
taxonomy)  

	 Points I'm struggling with -  

	 (1) If the (regular) consent is used as a legal basis with the above
definition - would it be valid under the GDPR given that it does not
follow the definition of consent (A4-11) for being "freely given,
informed".  

	 (2) Where do we use the GDPR definition of consent (A4-11) in the
taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?  

	 (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular'
consent is mentioned in context - The GDPR prescribes that a
“statement or clear affirmative action” is a prerequisite for
‘regular’ consent. 
 In the same section, 'explicit' consent is mentioned as - "The term
explicit refers to the way consent is expressed by the data subject.
It means that the data subject must give an express statement of
consent."
 Given that I have no legal background, I'm confused as to wouldn't
every 'regular' consent required by GDPR also be 'explicit' given the
requirement for every consent to be informed, specific, unambiguous
indication by a statement or action (A4-11) - which covers
descriptions of both terms by A29WP? 
 Or, is the difference as follows:
 - regular - saying "I Agree"
 - explicit - saying "I Agree to XYZ" ← note explicit mention of
what I'm agreeing to?
 But wouldn't this be covered by the information in the description of
what they are agreeing to because consent should be informed?. It does
come to my mind, that the 'explicit' in this case may refer to the
requirement of stating that some information, such as special
categories of data, need to be mentioned in an 'explicit' form in the
'informed' part of consent - in which case, does it qualify as a
separate legal basis OR as the requirements for valid consent (and
therefore not part of legal basis taxonomy)?  

	 (4) If conditions provided by A9(2)(a) count as a legal basis based
on 'explicit' consent for special categories of personal data, do the
following also count as a legal basis given that they are based on
'explicit' consent and are types of processing?
 - R72 Profiling
 - A22(2)(c) Automated individual decision-making, including profiling
 - A49(1)(a) transfers of personal data to a third country or an
international organisation  

	 I don't mean to start a long discussion that may delay the work on
wrapping up the taxonomy, so am willing to accept short answers (e.g.
yes/no, use 'this' as definition); but at the same time it would be
very helpful to clarify this things - both for the group as well as
(personally) for my PhD work.  

	 Best,
 Harsh  On 01/04/2019 14:36, Eva Schlehahn wrote:

	Dear all, 

	Bud and I developed further the taxonomy of legal bases according to
the GDPR. Please find attached 

	* in the Word document file Bud's version of such a vocabulary, as
well as 

	* in the image file my extension of the already existing
visualization from lawyer perspective. ;-)

	A pity I cannot make it to Vienna. I wish you all a fruitful meeting
there. :-)

	Greetings, 

	Eva

	-- 

 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein

 Eva Schlehahn, uld67@datenschutzzentrum.de [6]

 Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
mail@datenschutzzentrum.de [7] - https://www.datenschutzzentrum.de/
[8]

 Informationen über die Verarbeitung der personenbezogenen Daten
durch

 die Landesbeauftragte für Datenschutz und zur verschlüsselten

 E-Mail-Kommunikation:
https://datenschutzzentrum.de/datenschutzerklaerung/ [9]  

	-- 

 ---

 Harshvardhan Pandit

 PhD Researcher

 ADAPT Centre

 Trinity College Dublin



Links:
------
[1] http://webmail.dreamhost.com/HTTP://WWW.ENTERPRIVACY.COM/
[2] https://simpleprivacynotice.com/
[3] https://enterprivacy.com/cyprus-training/
[4] https://privacybydesign.training/
[5]
https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html
[6] mailto:uld67@datenschutzzentrum.de
[7] mailto:mail@datenschutzzentrum.de
[8] https://www.datenschutzzentrum.de/
[9] https://datenschutzzentrum.de/datenschutzerklaerung/