W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2019

Re: Taxonomy of legal bases

From: Bud Bruegger <uld613@datenschutzzentrum.de>
Date: Mon, 8 Apr 2019 15:58:44 +0200
To: rjc@enterprivacy.com, "Harshvardhan J. Pandit" <me@harshp.com>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>
Cc: public-dpvcg@w3.org
Message-ID: <d9580079-38b5-1dcd-99b8-6108ac0f0dd6@datenschutzzentrum.de>
Maybe an important disclaimer:

* The terms we use are not chosen by us, but come either from the GDPR 
or from the Art29WP/EDPB.  I agree that their choice of terms is not 
always optimal and can lead to confusion and misunderstanding.  But 
using different terms is in my opinion a suiside mission--don't fight 
lawyers, you can't win.

* The terms used in these legal sources absolutely have to be put into a 
namespace of their own.  Their semantics are described in those sources 
and differ from the semantics of regular or IT English.  So GDPR:<some 
term> is not the same as English:<some term>.  I think we have to state 
this very prominently and clearly somewhere to avoid misconceptions from 
users of our vocabulary.


Am 08.04.2019 um 14:52 schrieb rjc@enterprivacy.com:
> I'm not a big fan of the term "regular" consent. I would suggest looking 
> at what is implied by not attaching the modifier explicit to the word 
> consent. If you think of this in terms of all consent and break it into 
> two categories, explicit and everything else, what terms can we use to 
> describe everything else. One word is non-explicit. Another would be 
> implicit. So rather than explicit and regular, I would suggest (at least 
> mentally) dividing consent between explicit and implicit.
> IMPLICIT - implied though not plainly expressed
> So lets look at an example.  Suppose I have a website where people can 
> place orders of a product to be shipped to them. After purchase, I have 
> a form with the following
> Please provide your address for shipping
> Address [____________________________]
> Country [____________________________]
> Postal Code [____________________________]
> If someone were to complete that form, they would have consented to the 
> use of that address for me to ship their purchase.  Looking at this from 
> the GDPR perspective, the elements of consent have been met
>  1. Freely given
>     a. There is no imbalance of power (such as in an employer/employee
>     context) coercing the user to give up their address
>     b. I'm not conditioning some unrelated service on providing this
>     information
>     c. I'm not, presumably, bundling unnecessary processing operations
>     d. [You have to suspend for the moment that a controller would
>     actually rely on performance of a contract for collection and use of
>     this information, not consent]
>  2. Specific - this relates to purpose limitation, here the purpose is
>     to ship a person their order. Its clear from the context, and use of
>     the word "shipping", that the reason the address is being collected
>     is for this purpose
>  3. Informed - The statement "Please provide your address for shipping"
>     provides the necessary information to the individual - what data is
>     collected and the purpose. Presumably, the other necessary elements
>     of informing the individual are provided elsewhere (such as who the
>     controller is, the right to withdraw, etc).
>  4. Finally, completing the form is an unambiguous affirmative act on
>     the part of the individual and this is where the crux of the
>     difference between implicit and explicit come into play
> If we now want to take this out of the implicit realm and into the 
> implicit, we would add a button or checkbox and some additional language.
> [      ] Type "I agree" in the box if you agree to the use of your 
> address to ship order
> By checking the box, the user has now explicitly consented to the use of 
> the information for the specified purposes. Now, under GDPR, we don't 
> need this for this purpose, but we would if the use were for Art 49 
> purposes. so let change up that final statement to demonstrate where we 
> need explicit consent
> [     ] Type "I agree" in the box if you agree to the transfer of your 
> address to our fulfillment center in China. China has not been deemed to 
> have adequate data protection laws and there are risks that your data 
> will be used in ways we can't control or anticipate.
> Note, I'm not advising that this language meets all the criteria under 
> Art 49(1)(a) or Art 13(1)(f), just using it to demonstrate how explicit 
> consent would be gathered.
> Jason
> .*.*.*.*.................................................................
> R. Jason Cronk                  | Juris Doctor
> Privacy and Trust Consultant    | IAPP Fellow of Information Privacy
> *Enterprivacy Consulting Group <http://www.enterprivacy.com/>*    | CIPT, CIPM, CIPP/US, PbD Ambassador
> /Privacy notices made simple: https://simpleprivacynotice.com 
> <https://simpleprivacynotice.com/>
> /....................................................................
> *Upcoming Training**
> *Privacy by Design Professional:Cyprus (April <https://enterprivacy.com/cyprus-training/>), Belarus - 
> English/Russian (July)
> Online (coming soon):https://privacybydesign.training  <https://privacybydesign.training/>
>     ----- Original Message -----
>     From:
>     "Harshvardhan J. Pandit" <me@harshp.com>
>     To:
>     "Eva Schlehahn" <uld67@datenschutzzentrum.de>, "Rigo Wenning"
>     <rigo@w3.org>, "Bud Bruegger" <uld613@datenschutzzentrum.de>
>     Cc:
>     <public-dpvcg@w3.org>
>     Sent:
>     Mon, 8 Apr 2019 12:39:49 +0100
>     Subject:
>     Re: Taxonomy of legal bases
>     tldr; This email is regarding using two separate legal basis for
>     consent as provided by A6(1)(a)
>     Dear Eva, Rigo, and Bud.
>     I'm having trouble understanding the two separate legal basis for
>     consent as provided by A6(1)(a).
>     This discussion was mostly conducted in the F2F, and because this is
>     the first time I have come across this interpretation of two legal
>     basis under A6(1)(a), it would be good to have it in the mailing
>     list so as to have a point of reference in the future.
>     My understanding of the discussion so far:
>     Please do specify (and if possible, correct) any errors made in
>     capturing the gist of the discussion.
>     For consent as the legal basis, Eva and Bud suggested
>     (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html
>     1-APR) two types ('regular' and 'explicit') of consent from Article
>     6(1)(a), with a reference to A29WP guidelines on consent - that also
>     mention these two terms.
>     Rigo (skype call in F2F, 4-APR) suggested to remove the word
>     'regular' and simply call it consent, and provided the following
>     definition for (previously regular) consent - "A data subject's
>     unambigious/clear affirmative action that signifies an agreement to
>     process their personal data". (personal opinion - I think this was
>     to provide a definition of 'consent' as a top-level concept in the
>     taxonomy)
>     Points I'm struggling with -
>     (1) If the (regular) consent is used as a legal basis with the above
>     definition - would it be valid under the GDPR given that it does not
>     follow the definition of consent (A4-11) for being "freely given,
>     informed".
>     (2) Where do we use the GDPR definition of consent (A4-11) in the
>     taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>     (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular'
>     consent is mentioned in context - The GDPR prescribes that a
>     “statement or clear affirmative action” is a prerequisite for
>     ‘regular’ consent.
>     In the same section, 'explicit' consent is mentioned as - "The term
>     explicit refers to the way consent is expressed by the data subject.
>     It means that the data subject must give an express statement of
>     consent."
>     Given that I have no legal background, I'm confused as to wouldn't
>     every 'regular' consent required by GDPR also be 'explicit' given
>     the requirement for every consent to be informed, specific,
>     unambiguous indication by a statement or action (A4-11) - which
>     covers descriptions of both terms by A29WP?
>     Or, is the difference as follows:
>     - regular - saying "I Agree"
>     - explicit - saying "I Agree to XYZ" ← note explicit mention of what
>     I'm agreeing to?
>     But wouldn't this be covered by the information in the description
>     of what they are agreeing to because consent should be informed?. It
>     does come to my mind, that the 'explicit' in this case may refer to
>     the requirement of stating that some information, such as special
>     categories of data, need to be mentioned in an 'explicit' form in
>     the 'informed' part of consent - in which case, does it qualify as a
>     separate legal basis OR as the requirements for valid consent (and
>     therefore not part of legal basis taxonomy)?
>     (4) If conditions provided by A9(2)(a) count as a legal basis based
>     on 'explicit' consent for special categories of personal data, do
>     the following also count as a legal basis given that they are based
>     on 'explicit' consent and are types of processing?
>     - R72 Profiling
>     - A22(2)(c) Automated individual decision-making, including profiling
>     - A49(1)(a) transfers of personal data to a third country or an
>     international organisation
>     I don't mean to start a long discussion that may delay the work on
>     wrapping up the taxonomy, so am willing to accept short answers
>     (e.g. yes/no, use 'this' as definition); but at the same time it
>     would be very helpful to clarify this things - both for the group as
>     well as (personally) for my PhD work.
>     Best,
>     Harsh
>     On 01/04/2019 14:36, Eva Schlehahn wrote:
>         Dear all,
>         Bud and I developed further the taxonomy of legal bases
>         according to the GDPR. Please find attached
>           * in the Word document file Bud's version of such a
>             vocabulary, as well as
>           * in the image file my extension of the already existing
>             visualization from lawyer perspective. ;-)
>         A pity I cannot make it to Vienna. I wish you all a fruitful
>         meeting there. :-)
>         Greetings,
>         Eva
>         -- 
>         Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>         Eva Schlehahn,uld67@datenschutzzentrum.de
>         Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>         mail@datenschutzzentrum.de  -https://www.datenschutzzentrum.de/
>         Informationen über die Verarbeitung der personenbezogenen Daten durch
>         die Landesbeauftragte für Datenschutz und zur verschlüsselten
>         E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/
>     -- 
>     ---
>     Harshvardhan Pandit
>     PhD Researcher
>     ADAPT Centre
>     Trinity College Dublin

Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Monday, 8 April 2019 13:59:21 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:57 UTC