W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2019

Re: Taxonomy of legal bases

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Mon, 8 Apr 2019 16:13:25 +0100
To: Bud Bruegger <uld613@datenschutzzentrum.de>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>
Cc: public-dpvcg@w3.org
Message-ID: <90e8bfc2-ff2f-ee8f-db56-be419164625c@harshp.com>
I suggest we have two approaches elaborated by this email and bud's 
regarding how to model consent and its legal basis.
I propose we now leave it up to the lawyers (Eva, Rigo) to reach a 
consensus on these, or to propose their own if they disagree with both.

Given the assumption that explicit consent is a subset of consent but 
not equal to it, it would mean that explicit consent has additional 
requirements in addition to those of consent - I think this is what the 
A29WP guidelines document is trying to describe when it uses the word 
Therefore, regular consent is defined by 4-11, and explicit consent is 
subset of consent

1) regular consent is consent that is defined by 4(11), just termed 
regular to distinguish with explicit - in our vocabulary we refer to 
this as just 'consent'
2) legal basis of regular consent is defined by 6(1)(a)
3) explicit consent has no definition yet (NOTE: which we will need for 
the vocabulary)
4) explicit consent is a subset of regular consent since explicit 
consent requires *extra efforts* in addition to regular consent (from 
Sec. 4 para 2 pg.18 of AP29WP guidelines)
4) legal basis of explicit consent is not provided in GDPR, i.e. 
explicitly stated as explicit consent - 6(1)(a) only states consent
5) since explicit consent is subset of regular consent, legal basis of 
explicit consent is a subset of legal basis of regular consent - NOTE 
that this would mean explicit consent needs to meet all requirements and 
obligations of regular consent PLUS some others in addition to these
6) explicit consent is required for special categories of personal data 
A9(2)(a), automated individual decision making and profiling A22(2)(c), 
and third country data transfers A49(1)(a)
7) we can separate each of these as a separate type of explicit consent, 
e.g. explicit consent for special categories of personal data is a 
subset of explicit consent
8) therefore, legal basis of explicit consent for special categories... 
is a subset of legal basis of explicit consent

So in our vocabulary:
6(1)(a) consent
	-- def of consent --> 4(11)
explicit consent
	-- def of explicit consent --> TBD
	-- sub-type of 6(1)(a)
9(2)(a) explicit consent for spl. categories of personal data
	-- sub-type of explicit consent
22(2)(c) automated individual decision making and profiling
	-- sub-type of explicit consent
49(1)(a) and third country data transfers
	-- sub-type of explicit consent


On 08/04/2019 14:48, Bud Bruegger wrote:
> Am 08.04.2019 um 15:02 schrieb Harshvardhan J. Pandit:
>> Thanks for the set-theory approach Bud, this is good : )
>> Rephrasing my question (2) and (3) in terms of Bud's sets, I'm asking 
>> whether C == E (are they equal?) for the case of GDPR.
> x element E => x element C  (but not the other way round)
> E < C   (proper subset, excluding equal)
>> If they are not, 
> which is the case
>> then what is the definition of C (all valid consent) 
> Art 4(11), 7, ...
>> and what is the definition of E (explicit consent) ?
> The GDPR makes it clear that this is a higher level of consent with 
> additional protection of the data subject, but fails to provide a 
> definition for it.
> The Art 29 WP has attempted to fill this gap but it is still mostly 
> examples.
> For the case of web-form based consent, I attempted a more concrete set 
> of requirements to make it explicit that Eva has approved in a first round.
>> Note: if their definitions can be shown to be equivalent - then 
>> wouldn't the terms also be equivalent?
>> A4-11 is the definition for which - C or E?
> Yes, but they are not equivalent.
> An IT person would have written the GDPR differently, untangling some 
> things.  In particular, it would have defined the following full set:
> * minimal conditions for valid consent (this is defined in the GDPR in 
> 4(11) and 7
> * additional conditions for explicit consent (this is missing)
> Also, it would have split 6(1)(a) into two (as we do in the vocabulary) 
> since 6(1)(a) regular is not sufficient for 22(2)(c) and 49(1)(a)
>> Note: there are two issues here: first is two types of legal basis for 
>> consent in A6(1)(a),
>> and the second is 'regular' vs 'explicit' which is also relevant for 
>> differences of consent in A6(1)(a) vs A9(2)(a)
> A6(1)(a) doesn't state whether there is "regular" or "explicit" level 
> consent.  In some cases (namely 22(2)(c) and 49(1)(a)), where the legal 
> basis is A6(1)(a), explicit consent is required.
> In 9(2)(a), explicit consent is always required; there are not cases, 
> where "regular" consent is sufficient.
>> - Harsh
>> On 08/04/2019 13:39, Bud Bruegger wrote:
>>> Hello again,
>>> I do not agree with Rigo on this and have sent him the following mail 
>>> asking the rational behind his advice:  (With the bad audio, I 
>>> couldn't follow what Rigo said at the F2F meeting--which wasn't at 
>>> all F2F)
>>> I would  like to ask you a set naming question
>>> The GDPR defines conditions for valid consent.
>>> Let us define C as the set of all consents that meet this 
>>> requirements and is valid according to the GDPR.
>>> The GDPR also speaks of "explicit consent", posing more stringent 
>>> requirements.
>>> Let E be the set of consents of all consents that meet the 
>>> requirements for explicit consent.
>>> Then E is a (proper) subset of C:  Every explicit consent is also a 
>>> valid consent; but not every valid consent is an explicit consent.
>>> C and E imply another subset, namely the set of all consents that are 
>>> valid but not explicit.  Let it be denoted by (C - E).
>>> The existance of this set is clearly based on the GDPR.  The GDPR 
>>> fails to name this set.
>>> In my reading, the Art 29 Working Party in their guidelines on 
>>> consent actually name this set as "regular consent":  See [1] page 
>>> 18, section 4, 2nd paragraph.
>>> So here concrete questions:
>>> (i) do you agree that the Art29WP names (C-E) as "regular consent"?
>>> (ii) if not, can you explain what "regular consent" means in terms of 
>>> the above defined sets?
>>> (iii) if yes, for what reason should the DPVCG vocabulary not use the 
>>> term "regular consent"?
>>> Many thanks and kind regards
>>> -b
>>> [1] 
>>> https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051
>>> Am 08.04.2019 um 13:39 schrieb Harshvardhan J. Pandit:
>>>> tldr; This email is regarding using two separate legal basis for 
>>>> consent as provided by A6(1)(a)
>>>> Dear Eva, Rigo, and Bud.
>>>> I'm having trouble understanding the two separate legal basis for 
>>>> consent as provided by A6(1)(a).
>>>> This discussion was mostly conducted in the F2F, and because this is 
>>>> the first time I have come across this interpretation of two legal 
>>>> basis under A6(1)(a), it would be good to have it in the mailing 
>>>> list so as to have a point of reference in the future.
>>>> My understanding of the discussion so far:
>>>> Please do specify (and if possible, correct) any errors made in 
>>>> capturing the gist of the discussion.
>>>> For consent as the legal basis, Eva and Bud suggested 
>>>> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 
>>>> 1-APR) two types ('regular' and 'explicit') of consent from Article 
>>>> 6(1)(a), with a reference to A29WP guidelines on consent - that also 
>>>> mention these two terms.
>>>> Rigo (skype call in F2F, 4-APR) suggested to remove the word 
>>>> 'regular' and simply call it consent, and provided the following 
>>>> definition for (previously regular) consent - "A data subject's 
>>>> unambigious/clear affirmative action that signifies an agreement to 
>>>> process their personal data". (personal opinion - I think this was 
>>>> to provide a definition of 'consent' as a top-level concept in the 
>>>> taxonomy)
>>>> Points I'm struggling with -
>>>> (1) If the (regular) consent is used as a legal basis with the above 
>>>> definition - would it be valid under the GDPR given that it does not 
>>>> follow the definition of consent (A4-11) for being "freely given, 
>>>> informed".
>>>> (2) Where do we use the GDPR definition of consent (A4-11) in the 
>>>> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>>>> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular' 
>>>> consent is mentioned in context - The GDPR prescribes that a 
>>>> “statement or clear affirmative action” is a prerequisite for 
>>>> ‘regular’ consent.
>>>> In the same section, 'explicit' consent is mentioned as - "The term 
>>>> explicit refers to the way consent is expressed by the data subject. 
>>>> It means that the data subject must give an express statement of 
>>>> consent."
>>>> Given that I have no legal background, I'm confused as to wouldn't 
>>>> every 'regular' consent required by GDPR also be 'explicit' given 
>>>> the requirement for every consent to be informed, specific, 
>>>> unambiguous indication by a statement or action (A4-11) - which 
>>>> covers descriptions of both terms by A29WP?
>>>> Or, is the difference as follows:
>>>> - regular - saying "I Agree"
>>>> - explicit - saying "I Agree to XYZ" ← note explicit mention of what 
>>>> I'm agreeing to?
>>>> But wouldn't this be covered by the information in the description 
>>>> of what they are agreeing to because consent should be informed?. It 
>>>> does come to my mind, that the 'explicit' in this case may refer to 
>>>> the requirement of stating that some information, such as special 
>>>> categories of data, need to be mentioned in an 'explicit' form in 
>>>> the 'informed' part of consent - in which case, does it qualify as a 
>>>> separate legal basis OR as the requirements for valid consent (and 
>>>> therefore not part of legal basis taxonomy)?
>>>> (4) If conditions provided by A9(2)(a) count as a legal basis based 
>>>> on 'explicit' consent for special categories of personal data, do 
>>>> the following also count as a legal basis given that they are based 
>>>> on 'explicit' consent and are types of processing?
>>>> - R72 Profiling
>>>> - A22(2)(c) Automated individual decision-making, including profiling
>>>> - A49(1)(a) transfers of personal data to a third country or an 
>>>> international organisation
>>>> I don't mean to start a long discussion that may delay the work on 
>>>> wrapping up the taxonomy, so am willing to accept short answers 
>>>> (e.g. yes/no, use 'this' as definition); but at the same time it 
>>>> would be very helpful to clarify this things - both for the group as 
>>>> well as (personally) for my PhD work.
>>>> Best,
>>>> Harsh
>>>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>>>> Dear all,
>>>>> Bud and I developed further the taxonomy of legal bases according 
>>>>> to the GDPR. Please find attached
>>>>>   * in the Word document file Bud's version of such a vocabulary, as
>>>>>     well as
>>>>>   * in the image file my extension of the already existing
>>>>>     visualization from lawyer perspective. ;-)
>>>>> A pity I cannot make it to Vienna. I wish you all a fruitful 
>>>>> meeting there. :-)
>>>>> Greetings,
>>>>> Eva
>>>>> -- 
>>>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>>>> Eva Schlehahn,uld67@datenschutzzentrum.de
>>>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>>>> mail@datenschutzzentrum.de  -https://www.datenschutzzentrum.de/
>>>>> Informationen über die Verarbeitung der personenbezogenen Daten durch
>>>>> die Landesbeauftragte für Datenschutz und zur verschlüsselten
>>>>> E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/ 
>>>> -- 
>>>> ---
>>>> Harshvardhan Pandit
>>>> PhD Researcher
>>>> ADAPT Centre
>>>> Trinity College Dublin

Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Monday, 8 April 2019 15:14:20 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:57 UTC