- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Mon, 8 Apr 2019 15:55:21 +0100
- To: Bud Bruegger <uld613@datenschutzzentrum.de>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>
- Cc: public-dpvcg@w3.org
Replies are inline. If I have not replied to something - I agree with it. On 08/04/2019 14:30, Bud Bruegger wrote: > Rigo just provided a subset of Art 4(11). It was not meant to be > comprehensive. If I remember correctly, Rigo provided it as a definition for 'consent', and that is what we have listed on the spreadsheet. My point is that we cannot use that as a definition for the legal basis of consent (to which you agree, as you suggested A4-11 for the definition). So - this definition needs to be replaced with A4-11 in the spreadsheet. > The GDPR speaks in two places of "explicit" consent, where the risk is > higher and the data subject requires an increased level of protection. > Namely, this is in Art 9(2)(a) and 22(2)(c). As well as in A49(1)(a) for transfers to third country > Looking at it as sets: > 6(1)(a) is the set of all "valid" consents. > 6(1)(a)-explicit is a subset of 6(1)(a) that contains only those > "consents" that satisfy the additional requirements for "explicit" > > 6(1)(a) - 6(1)(a)-explicit, i.e., the complement of 6(1)(a)-explicit > within 6(1)(a) is not named in the GDPR. > I insist however, that the Art 29 Working Party introduces the term > "'regular' consent" for this complement (page 8, 2nd paragraph of > section 4). Since this claim of mine is simply based on the > understanding of English grammar, IMHO this doesn't require legal advice > but simply careful reading. In my reading, this is simple and clear and > therefore I insist. I disagree with this point. I think A29WP used 'regular' consent to refer to all valid consent, and therefore 'explicit' consent is the subset of 'regular' consent. Consider this text in Sec.4, pg.18 of the Guidelines document, taking it sentence by sentence - 1) The GDPR prescribes that a “statement or clear affirmative action” is a prerequisite for ‘regular’ consent. - Here, 'regular' would mean the 'default' or 'defined' consent (as per GDPR or DPD) - and the use of word regular is to indicate usual or normal or normative. Note that this is the first mention of the word regular in the document. 2) As the ‘regular’ consent requirement in the GDPR is already raised to a higher standard compared to the consent requirement in Directive 95/46/EC, - This means that there are requirements of regular consent, that can be compared between GDPR and DPD - and since neither document mentions 'regular' - this would mean that they are talking about the 'default' or 'defined' consent in these documents. 3) it needs to be clarified what extra efforts a controller should undertake in order to obtain the explicit consent of a data subject in line with the GDPR." - This states extra efforts in addition to regular consent to obtain explicit consent, which therefore would mean that regular is the superset and explicit is a subset of it. I'm continuing this in the your (Bud) other email so as to ensure all points are addressed. -- --- Harshvardhan Pandit PhD Researcher ADAPT Centre Trinity College Dublin
Received on Monday, 8 April 2019 14:56:16 UTC