W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2019

Re: Taxonomy of legal bases

From: Bud Bruegger <uld613@datenschutzzentrum.de>
Date: Mon, 8 Apr 2019 15:48:08 +0200
To: "Harshvardhan J. Pandit" <me@harshp.com>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>
Cc: public-dpvcg@w3.org
Message-ID: <ed060ce7-12f6-fd1d-c987-208bf1a347f9@datenschutzzentrum.de>
Am 08.04.2019 um 15:02 schrieb Harshvardhan J. Pandit:
> Thanks for the set-theory approach Bud, this is good : )
> Rephrasing my question (2) and (3) in terms of Bud's sets, I'm asking 
> whether C == E (are they equal?) for the case of GDPR.

x element E => x element C  (but not the other way round)

E < C   (proper subset, excluding equal)

> If they are not, 

which is the case

> then what is the definition of C (all valid consent) 

Art 4(11), 7, ...

> and what is the definition of E (explicit consent) ?

The GDPR makes it clear that this is a higher level of consent with 
additional protection of the data subject, but fails to provide a 
definition for it.

The Art 29 WP has attempted to fill this gap but it is still mostly 

For the case of web-form based consent, I attempted a more concrete set 
of requirements to make it explicit that Eva has approved in a first 

> Note: if their definitions can be shown to be equivalent - then wouldn't 
> the terms also be equivalent?
> A4-11 is the definition for which - C or E?

Yes, but they are not equivalent.

An IT person would have written the GDPR differently, untangling some 
things.  In particular, it would have defined the following full set:

* minimal conditions for valid consent (this is defined in the GDPR in 
4(11) and 7

* additional conditions for explicit consent (this is missing)

Also, it would have split 6(1)(a) into two (as we do in the vocabulary) 
since 6(1)(a) regular is not sufficient for 22(2)(c) and 49(1)(a)

> Note: there are two issues here: first is two types of legal basis for 
> consent in A6(1)(a),
> and the second is 'regular' vs 'explicit' which is also relevant for 
> differences of consent in A6(1)(a) vs A9(2)(a)

A6(1)(a) doesn't state whether there is "regular" or "explicit" level 
consent.  In some cases (namely 22(2)(c) and 49(1)(a)), where the legal 
basis is A6(1)(a), explicit consent is required.

In 9(2)(a), explicit consent is always required; there are not cases, 
where "regular" consent is sufficient.

> - Harsh
> On 08/04/2019 13:39, Bud Bruegger wrote:
>> Hello again,
>> I do not agree with Rigo on this and have sent him the following mail 
>> asking the rational behind his advice:  (With the bad audio, I 
>> couldn't follow what Rigo said at the F2F meeting--which wasn't at all 
>> F2F)
>> I would  like to ask you a set naming question
>> The GDPR defines conditions for valid consent.
>> Let us define C as the set of all consents that meet this requirements 
>> and is valid according to the GDPR.
>> The GDPR also speaks of "explicit consent", posing more stringent 
>> requirements.
>> Let E be the set of consents of all consents that meet the 
>> requirements for explicit consent.
>> Then E is a (proper) subset of C:  Every explicit consent is also a 
>> valid consent; but not every valid consent is an explicit consent.
>> C and E imply another subset, namely the set of all consents that are 
>> valid but not explicit.  Let it be denoted by (C - E).
>> The existance of this set is clearly based on the GDPR.  The GDPR 
>> fails to name this set.
>> In my reading, the Art 29 Working Party in their guidelines on consent 
>> actually name this set as "regular consent":  See [1] page 18, section 
>> 4, 2nd paragraph.
>> So here concrete questions:
>> (i) do you agree that the Art29WP names (C-E) as "regular consent"?
>> (ii) if not, can you explain what "regular consent" means in terms of 
>> the above defined sets?
>> (iii) if yes, for what reason should the DPVCG vocabulary not use the 
>> term "regular consent"?
>> Many thanks and kind regards
>> -b
>> [1] 
>> https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
>> Am 08.04.2019 um 13:39 schrieb Harshvardhan J. Pandit:
>>> tldr; This email is regarding using two separate legal basis for 
>>> consent as provided by A6(1)(a)
>>> Dear Eva, Rigo, and Bud.
>>> I'm having trouble understanding the two separate legal basis for 
>>> consent as provided by A6(1)(a).
>>> This discussion was mostly conducted in the F2F, and because this is 
>>> the first time I have come across this interpretation of two legal 
>>> basis under A6(1)(a), it would be good to have it in the mailing list 
>>> so as to have a point of reference in the future.
>>> My understanding of the discussion so far:
>>> Please do specify (and if possible, correct) any errors made in 
>>> capturing the gist of the discussion.
>>> For consent as the legal basis, Eva and Bud suggested 
>>> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 
>>> 1-APR) two types ('regular' and 'explicit') of consent from Article 
>>> 6(1)(a), with a reference to A29WP guidelines on consent - that also 
>>> mention these two terms.
>>> Rigo (skype call in F2F, 4-APR) suggested to remove the word 
>>> 'regular' and simply call it consent, and provided the following 
>>> definition for (previously regular) consent - "A data subject's 
>>> unambigious/clear affirmative action that signifies an agreement to 
>>> process their personal data". (personal opinion - I think this was to 
>>> provide a definition of 'consent' as a top-level concept in the 
>>> taxonomy)
>>> Points I'm struggling with -
>>> (1) If the (regular) consent is used as a legal basis with the above 
>>> definition - would it be valid under the GDPR given that it does not 
>>> follow the definition of consent (A4-11) for being "freely given, 
>>> informed".
>>> (2) Where do we use the GDPR definition of consent (A4-11) in the 
>>> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>>> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular' 
>>> consent is mentioned in context - The GDPR prescribes that a 
>>> “statement or clear affirmative action” is a prerequisite for 
>>> ‘regular’ consent.
>>> In the same section, 'explicit' consent is mentioned as - "The term 
>>> explicit refers to the way consent is expressed by the data subject. 
>>> It means that the data subject must give an express statement of 
>>> consent."
>>> Given that I have no legal background, I'm confused as to wouldn't 
>>> every 'regular' consent required by GDPR also be 'explicit' given the 
>>> requirement for every consent to be informed, specific, unambiguous 
>>> indication by a statement or action (A4-11) - which covers 
>>> descriptions of both terms by A29WP?
>>> Or, is the difference as follows:
>>> - regular - saying "I Agree"
>>> - explicit - saying "I Agree to XYZ" ← note explicit mention of what 
>>> I'm agreeing to?
>>> But wouldn't this be covered by the information in the description of 
>>> what they are agreeing to because consent should be informed?. It 
>>> does come to my mind, that the 'explicit' in this case may refer to 
>>> the requirement of stating that some information, such as special 
>>> categories of data, need to be mentioned in an 'explicit' form in the 
>>> 'informed' part of consent - in which case, does it qualify as a 
>>> separate legal basis OR as the requirements for valid consent (and 
>>> therefore not part of legal basis taxonomy)?
>>> (4) If conditions provided by A9(2)(a) count as a legal basis based 
>>> on 'explicit' consent for special categories of personal data, do the 
>>> following also count as a legal basis given that they are based on 
>>> 'explicit' consent and are types of processing?
>>> - R72 Profiling
>>> - A22(2)(c) Automated individual decision-making, including profiling
>>> - A49(1)(a) transfers of personal data to a third country or an 
>>> international organisation
>>> I don't mean to start a long discussion that may delay the work on 
>>> wrapping up the taxonomy, so am willing to accept short answers (e.g. 
>>> yes/no, use 'this' as definition); but at the same time it would be 
>>> very helpful to clarify this things - both for the group as well as 
>>> (personally) for my PhD work.
>>> Best,
>>> Harsh
>>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>>> Dear all,
>>>> Bud and I developed further the taxonomy of legal bases according to 
>>>> the GDPR. Please find attached
>>>>   * in the Word document file Bud's version of such a vocabulary, as
>>>>     well as
>>>>   * in the image file my extension of the already existing
>>>>     visualization from lawyer perspective. ;-)
>>>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting 
>>>> there. :-)
>>>> Greetings,
>>>> Eva
>>>> -- 
>>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>>> Eva Schlehahn,uld67@datenschutzzentrum.de
>>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>>> mail@datenschutzzentrum.de  -https://www.datenschutzzentrum.de/
>>>> Informationen über die Verarbeitung der personenbezogenen Daten durch
>>>> die Landesbeauftragte für Datenschutz und zur verschlüsselten
>>>> E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/ 
>>> -- 
>>> ---
>>> Harshvardhan Pandit
>>> PhD Researcher
>>> ADAPT Centre
>>> Trinity College Dublin

Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Monday, 8 April 2019 13:48:45 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:57 UTC