Re: Taxonomy of legal bases

Here a quick reaction

Am 08.04.2019 um 13:39 schrieb Harshvardhan J. Pandit:
> tldr; This email is regarding using two separate legal basis for consent 
> as provided by A6(1)(a)
> 
> Dear Eva, Rigo, and Bud.
> I'm having trouble understanding the two separate legal basis for 
> consent as provided by A6(1)(a).
> This discussion was mostly conducted in the F2F, and because this is the 
> first time I have come across this interpretation of two legal basis 
> under A6(1)(a), it would be good to have it in the mailing list so as to 
> have a point of reference in the future.
> 
> My understanding of the discussion so far:
> Please do specify (and if possible, correct) any errors made in 
> capturing the gist of the discussion.
> For consent as the legal basis, Eva and Bud suggested 
> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 
> 1-APR) two types ('regular' and 'explicit') of consent from Article 
> 6(1)(a), with a reference to A29WP guidelines on consent - that also 
> mention these two terms.
> Rigo (skype call in F2F, 4-APR) suggested to remove the word 'regular' 
> and simply call it consent, and provided the following definition for 
> (previously regular) consent - "A data subject's unambigious/clear 
> affirmative action that signifies an agreement to process their personal 
> data". (personal opinion - I think this was to provide a definition of 
> 'consent' as a top-level concept in the taxonomy)
> 
> Points I'm struggling with -
> 
> (1) If the (regular) consent is used as a legal basis with the above 
> definition - would it be valid under the GDPR given that it does not 
> follow the definition of consent (A4-11) for being "freely given, 
> informed".

Rigo just provided a subset of Art 4(11).  It was not meant to be 
comprehensive.

To be "valid" according to the GDPR, a consent has to satisfy Art 4(11), 
Art 7, and all other conditions for consent described, for example, in 
recitals.  Valid thus requires multiple properties, such as "free", 
"informed", expressed with a "clear affirmative action" and more.

The vocabulary only deals with "valid" consent.   Consent that is not 
valid under the GDPR cannot be used as a valid legal basis (obviously).

The GDPR speaks in two places of "explicit" consent, where the risk is 
higher and the data subject requires an increased level of protection. 
Namely, this is in Art 9(2)(a) and 22(2)(c).

"Explicit" consent has to fulfill all requirements for "valid" consent, 
plus additional requirements that raise it to the level of "explicit".

Therefore:  every "explicit" consent is also "valid".  BUT, not every 
"valid" consent is considered "explicit".

Looking at it as sets:
6(1)(a) is the set of all "valid" consents.
6(1)(a)-explicit is a subset of 6(1)(a) that contains only those 
"consents" that satisfy the additional requirements for "explicit"

6(1)(a) - 6(1)(a)-explicit, i.e., the complement of 6(1)(a)-explicit 
within 6(1)(a) is not named in the GDPR.

I insist however, that the Art 29 Working Party introduces the term 
"'regular' consent" for this complement (page 8, 2nd paragraph of 
section 4).  Since this claim of mine is simply based on the 
understanding of English grammar, IMHO this doesn't require legal advice 
but simply careful reading.  In my reading, this is simple and clear and 
therefore I insist.

[1] https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051

> 
> (2) Where do we use the GDPR definition of consent (A4-11) in the 
> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?

A6(1)(a) is the union of A6(1)(a)-regular and A6(1)(a)-explicit

> 
> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular' 
> consent is mentioned in context - The GDPR prescribes that a “statement 
> or clear affirmative action” is a prerequisite for ‘regular’ consent.

This is to point out that "explicit" in the GDPR is not the opposite of 
"implicit".  I.e., it tries to avoid the possible misinterpretation that 
"clear affirmative action” is the same as "explicit".

Instead, it clearly states that already "regular" consent requires 
"clear affirmative action”.  I.e., that the interpretation that "regular 
consent" is the same as "implicit" consent is wrong.

> In the same section, 'explicit' consent is mentioned as - "The term 
> explicit refers to the way consent is expressed by the data subject. It 
> means that the data subject must give an express statement of consent."
> Given that I have no legal background, I'm confused as to wouldn't every 
> 'regular' consent required by GDPR also be 'explicit' given the 
> requirement for every consent to be informed, specific, unambiguous 
> indication by a statement or action (A4-11) - which covers descriptions 
> of both terms by A29WP?

I believe the confusion comes when "explicit" in the GDPR is understood 
as it is in common English language.  Using namespaces, 
"common-English:explicit" is something totally different from 
"GDPR:explicit".


> Or, is the difference as follows:
> - regular - saying "I Agree"
> - explicit - saying "I Agree to XYZ" ← note explicit mention of what I'm 
> agreeing to?

It is more complicated than that and the clearest thing yet is provided 
by the Art 29 WP.  They mostly provide examples, not a set of solid 
conditions that are easy to understand/apply by techies.  This is why I 
wrote a text about "Explicit consent" that I have already sent to the 
list.

> But wouldn't this be covered by the information in the description of 
> what they are agreeing to because consent should be informed?. It does 
> come to my mind, that the 'explicit' in this case may refer to the 
> requirement of stating that some information, such as special categories 
> of data, need to be mentioned in an 'explicit' form in the 'informed' 
> part of consent - in which case, does it qualify as a separate legal 
> basis OR as the requirements for valid consent (and therefore not part 
> of legal basis taxonomy)?
> 
> (4) If conditions provided by A9(2)(a) count as a legal basis based on 
> 'explicit' consent for special categories of personal data, do the 
> following also count as a legal basis given that they are based on 
> 'explicit' consent and are types of processing?
> - R72 Profiling

I'm confused about the question.  A recital cannot be a legal basis. 
The GDPR basically states, that the processing of personal data is 
prohibited and provides exceptions for this in Arts 6 and 9.  Therefore, 
the legal bases are always one of the exceptions that are listed in 6 or 
9.

If the question was about Art 29 WP opinions and guidelines, they have 
been endorsed by the EDPB:

https://edpb.europa.eu/node/89

> - A22(2)(c) Automated individual decision-making, including profiling

Yes, this falls under 6(1)(a) but requires a consent that is (obviously) 
valid and satisfies the additional requirements to be considered 
"GDPR:explicit".

The requirements for the consent are exactly the same as for 9(2)(a)

But Art 22 is not a legal basis since it is not one of the provided 
exceptions to the prohibition of processing personal data.

> - A49(1)(a) transfers of personal data to a third country or an 
> international organisation

Yes, here there are again the same requirements for "explicit" consent. 
It also provides further guidance of what "informed" means in this 
context, namely that the data subject need to be "informed of the 
possible risks of such transfers for the data subject due to the absence 
of an adequacy decision and appropriate safeguards".

But Art 49 is not a legal basis since it is not one of the provided 
exceptions to the prohibition of processing personal data.

> I don't mean to start a long discussion that may delay the work on 
> wrapping up the taxonomy, so am willing to accept short answers (e.g. 
> yes/no, use 'this' as definition); but at the same time it would be very 
> helpful to clarify this things - both for the group as well as 
> (personally) for my PhD work.

Rigo, may I ask you for clarity to clearly state where you agree or 
disagree with me (and in the latter case why) much rather than providing 
a 2nd parallel but unrelated answer to the questions.  In this way, 
should we indeed disagree, we can at least pinpoint it and more easily 
resolve it.

best
-b

> 
> Best,
> Harsh
> 
> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>
>> Dear all,
>>
>> Bud and I developed further the taxonomy of legal bases according to 
>> the GDPR. Please find attached
>>
>>   * in the Word document file Bud's version of such a vocabulary, as
>>     well as
>>   * in the image file my extension of the already existing
>>     visualization from lawyer perspective. ;-)
>>
>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting 
>> there. :-)
>>
>> Greetings,
>>
>> Eva
>>
>> -- 
>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>> Eva Schlehahn,uld67@datenschutzzentrum.de
>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>> mail@datenschutzzentrum.de  -https://www.datenschutzzentrum.de/
>>
>> Informationen über die Verarbeitung der personenbezogenen Daten durch
>> die Landesbeauftragte für Datenschutz und zur verschlüsselten
>> E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/
> 
> -- 
> ---
> Harshvardhan Pandit
> PhD Researcher
> ADAPT Centre
> Trinity College Dublin
> 

-- 
Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
ULD613@datenschutzzentrum.de
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung

Received on Monday, 8 April 2019 13:31:21 UTC