Re: Taxonomy of legal bases

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Mon, 8 Apr 2019 14:02:55 +0100
To: Bud Bruegger <uld613@datenschutzzentrum.de>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>
Cc: public-dpvcg@w3.org
Message-ID: <0cb4fc85-d122-65e1-5ae4-7ba67e2ac1be@harshp.com>
Thanks for the set-theory approach Bud, this is good : )

Rephrasing my questions (2) and (3) in terms of Bud's sets, I'm asking 
whether C == E (are they equal?) for the case of GDPR.
If they are not, then what is the definition of C (all valid consent) 
and what is the definition of E (explicit consent) ?
Note: if their definitions can be shown to be equivalent - then wouldn't 
the terms also be equivalent?
A4-11 is the definition for which - C or E?

Note: there are two issues here: first is two types of legal basis for 
consent in A6(1)(a),
and the second is 'regular' vs 'explicit' which is also relevant for 
differences of consent in A6(1)(a) vs A9(2)(a)

- Harsh

On 08/04/2019 13:39, Bud Bruegger wrote:
> Hello again,
> I do not agree with Rigo on this and have sent him the following mail 
> asking the rationale behind his advice:  (With the bad audio, I couldn't 
> follow what Rigo said at the F2F meeting--which wasn't at all F2F)
> I would  like to ask you a set naming question
> The GDPR defines conditions for valid consent.
> Let us define C as the set of all consents that meet these requirements 
> and are valid according to the GDPR.
> The GDPR also speaks of "explicit consent", posing more stringent 
> requirements.
> Let E be the set of all consents that meet the requirements 
> for explicit consent.
> Then E is a (proper) subset of C:  Every explicit consent is also a 
> valid consent; but not every valid consent is an explicit consent.
> C and E imply another subset, namely the set of all consents that are 
> valid but not explicit.  Let it be denoted by (C - E).
> The existence of this set is clearly based on the GDPR.  The GDPR fails 
> to name this set.
> In my reading, the Art 29 Working Party in their guidelines on consent 
> actually name this set as "regular consent":  See [1] page 18, section 
> 4, 2nd paragraph.
> So here concrete questions:
> (i) do you agree that the Art29WP names (C-E) as "regular consent"?
> (ii) if not, can you explain what "regular consent" means in terms of 
> the above defined sets?
> (iii) if yes, for what reason should the DPVCG vocabulary not use the 
> term "regular consent"?
> Many thanks and kind regards
> -b
> [1] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
> On 08.04.2019 at 13:39, Harshvardhan J. Pandit wrote:
>> tldr; This email is regarding using two separate legal bases for 
>> consent as provided by A6(1)(a)
>> Dear Eva, Rigo, and Bud.
>> I'm having trouble understanding the two separate legal bases for 
>> consent as provided by A6(1)(a).
>> This discussion was mostly conducted in the F2F, and because this is 
>> the first time I have come across this interpretation of two legal 
>> bases under A6(1)(a), it would be good to have it in the mailing list 
>> so as to have a point of reference in the future.
>> My understanding of the discussion so far:
>> Please do specify (and if possible, correct) any errors made in 
>> capturing the gist of the discussion.
>> For consent as the legal basis, Eva and Bud suggested 
>> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 
>> 1-APR) two types ('regular' and 'explicit') of consent from Article 
>> 6(1)(a), with a reference to A29WP guidelines on consent - that also 
>> mention these two terms.
>> Rigo (skype call in F2F, 4-APR) suggested to remove the word 'regular' 
>> and simply call it consent, and provided the following definition for 
>> (previously regular) consent - "A data subject's unambiguous/clear 
>> affirmative action that signifies an agreement to process their 
>> personal data". (personal opinion - I think this was to provide a 
>> definition of 'consent' as a top-level concept in the taxonomy)
>> Points I'm struggling with -
>> (1) If the (regular) consent is used as a legal basis with the above 
>> definition - would it be valid under the GDPR given that it does not 
>> follow the definition of consent (A4-11) for being "freely given, 
>> informed".
>> (2) Where do we use the GDPR definition of consent (A4-11) in the 
>> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular' 
>> consent is mentioned in context - The GDPR prescribes that a 
>> “statement or clear affirmative action” is a prerequisite for 
>> ‘regular’ consent.
>> In the same section, 'explicit' consent is mentioned as - "The term 
>> explicit refers to the way consent is expressed by the data subject. 
>> It means that the data subject must give an express statement of 
>> consent."
>> Given that I have no legal background, I'm confused as to wouldn't 
>> every 'regular' consent required by GDPR also be 'explicit' given the 
>> requirement for every consent to be informed, specific, unambiguous 
>> indication by a statement or action (A4-11) - which covers 
>> descriptions of both terms by A29WP?
>> Or, is the difference as follows:
>> - regular - saying "I Agree"
>> - explicit - saying "I Agree to XYZ" ← note explicit mention of what 
>> I'm agreeing to?
>> But wouldn't this be covered by the information in the description of 
>> what they are agreeing to because consent should be informed? It does 
>> come to my mind, that the 'explicit' in this case may refer to the 
>> requirement of stating that some information, such as special 
>> categories of data, need to be mentioned in an 'explicit' form in the 
>> 'informed' part of consent - in which case, does it qualify as a 
>> separate legal basis OR as the requirements for valid consent (and 
>> therefore not part of legal basis taxonomy)?
>> (4) If conditions provided by A9(2)(a) count as a legal basis based on 
>> 'explicit' consent for special categories of personal data, do the 
>> following also count as a legal basis given that they are based on 
>> 'explicit' consent and are types of processing?
>> - R72 Profiling
>> - A22(2)(c) Automated individual decision-making, including profiling
>> - A49(1)(a) transfers of personal data to a third country or an 
>> international organisation
>> I don't mean to start a long discussion that may delay the work on 
>> wrapping up the taxonomy, so am willing to accept short answers (e.g. 
>> yes/no, use 'this' as definition); but at the same time it would be 
>> very helpful to clarify these things - both for the group as well as 
>> (personally) for my PhD work.
>> Best,
>> Harsh
>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>> Dear all,
>>> Bud and I developed further the taxonomy of legal bases according to 
>>> the GDPR. Please find attached
>>>   * in the Word document file Bud's version of such a vocabulary, as
>>>     well as
>>>   * in the image file my extension of the already existing
>>>     visualization from lawyer perspective. ;-)
>>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting 
>>> there. :-)
>>> Greetings,
>>> Eva
>>> -- 
>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>> Eva Schlehahn, uld67@datenschutzzentrum.de
>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>>> Information on the processing of personal data by
>>> the State Commissioner for Data Protection and on encrypted
>>> e-mail communication: https://datenschutzzentrum.de/datenschutzerklaerung/
>> -- 
>> ---
>> Harshvardhan Pandit
>> PhD Researcher
>> ADAPT Centre
>> Trinity College Dublin

Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Monday, 8 April 2019 13:03:57 UTC
