
Re: Taxonomy of legal bases

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Mon, 8 Apr 2019 15:55:21 +0100
To: Bud Bruegger <uld613@datenschutzzentrum.de>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>
Cc: public-dpvcg@w3.org
Message-ID: <57ae4c65-1615-2f76-f99a-9bb8cd12d263@harshp.com>
Replies are inline. If I have not replied to something - I agree with it.

On 08/04/2019 14:30, Bud Bruegger wrote:
> Rigo just provided a subset of Art 4(11).  It was not meant to be 
> comprehensive.
If I remember correctly, Rigo provided it as a definition for 'consent', 
and that is what we have listed on the spreadsheet.
My point is that we cannot use that as a definition for the legal basis 
of consent (to which you agree, as you suggested A4-11 for the definition).
So - this definition needs to be replaced with A4-11 in the spreadsheet.

> The GDPR speaks in two places of "explicit" consent, where the risk is 
> higher and the data subject requires an increased level of protection. 
> Namely, this is in Art 9(2)(a) and 22(2)(c).
As well as in A49(1)(a) for transfers to a third country.

> Looking at it as sets:
> 6(1)(a) is the set of all "valid" consents.
> 6(1)(a)-explicit is a subset of 6(1)(a) that contains only those 
> "consents" that satisfy the additional requirements for "explicit"
> 
> 6(1)(a) - 6(1)(a)-explicit, i.e., the complement of 6(1)(a)-explicit 
> within 6(1)(a) is not named in the GDPR.
> I insist however, that the Art 29 Working Party introduces the term 
> "'regular' consent" for this complement (page 8, 2nd paragraph of 
> section 4).  Since this claim of mine is simply based on the 
> understanding of English grammar, IMHO this doesn't require legal advice 
> but simply careful reading.  In my reading, this is simple and clear and 
> therefore I insist.

I disagree with this point. I think A29WP used 'regular' consent to 
refer to all valid consent, and therefore 'explicit' consent is the 
subset of 'regular' consent.

Consider this text in Sec.4, pg.18 of the Guidelines document, taking it 
sentence by sentence -
1) The GDPR prescribes that a “statement or clear affirmative action” is 
a prerequisite for ‘regular’ consent.
- Here, 'regular' would mean the 'default' or 'defined' consent (as per 
GDPR or DPD) - and the use of the word regular is to indicate usual or 
normal or normative. Note that this is the first mention of the word 
regular in the document.

2) As the ‘regular’ consent requirement in the GDPR is already raised to 
a higher standard compared to the consent requirement in Directive 
95/46/EC,
- This means that there are requirements of regular consent, that can be 
compared between GDPR and DPD - and since neither document mentions 
'regular' - this would mean that they are talking about the 'default' or 
'defined' consent in these documents.

3) it needs to be clarified what extra efforts a controller should 
undertake in order to obtain the explicit consent of a data subject in 
line with the GDPR."
- This states extra efforts in addition to regular consent to obtain 
explicit consent, which therefore would mean that regular is the 
superset and explicit is a subset of it.

I'm continuing this in your (Bud's) other email so as to ensure all 
points are addressed.
-- 
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Monday, 8 April 2019 14:56:16 UTC
