W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2019

Re: Taxonomy of legal bases

From: Bud Bruegger <uld613@datenschutzzentrum.de>
Date: Mon, 8 Apr 2019 18:17:57 +0200
To: "Harshvardhan J. Pandit" <me@harshp.com>, Eva Schlehahn <uld67@datenschutzzentrum.de>, Rigo Wenning <rigo@w3.org>
Cc: public-dpvcg@w3.org
Message-ID: <02390cbd-5bd1-be7d-f805-13b0651ce12f@datenschutzzentrum.de>
Am 08.04.2019 um 16:55 schrieb Harshvardhan J. Pandit:
> Replies are inline. If I have not replied to something - I agree with it.
> On 08/04/2019 14:30, Bud Bruegger wrote:
>> Rigo just provided a subset of Art 4(11).  It was not meant to be 
>> comprehensive.
> If I remember correctly, Rigo provided it as a definition for 'consent', 
> and that is what we have listed on the spreadsheet.
> My point is that we cannot use that as a definition for the legal basis 
> of consent (to which you agree, as you suggested A4-11 for the definition).
> So - this definition needs to be replaced with A4-11 in the spreadsheet.
I agree in essence.  The definition of consent is not limited to 4(11), 
however.  To understand its semantics, Articles 7 and 8 and several 
recitals need to be taken into account too.  So I would refer to 4(1), 
7, and 8.

>> The GDPR speaks in two places of "explicit" consent, where the risk is 
>> higher and the data subject requires an increased level of protection. 
>> Namely, this is in Art 9(2)(a) and 22(2)(c).
> As well as in A49(1)(a) for transfers to third country

Yes, that was oversight on my side.

>> Looking at it as sets:
>> 6(1)(a) is the set of all "valid" consents.
>> 6(1)(a)-explicit is a subset of 6(1)(a) that contains only those 
>> "consents" that satisfy the additional requirements for "explicit"
>> 6(1)(a) - 6(1)(a)-explicit, i.e., the complement of 6(1)(a)-explicit 
>> within 6(1)(a) is not named in the GDPR.
>> I insist however, that the Art 29 Working Party introduces the term 
>> "'regular' consent" for this complement (page 8, 2nd paragraph of 
>> section 4).  Since this claim of mine is simply based on the 
>> understanding of English grammar, IMHO this doesn't require legal 
>> advice but simply careful reading.  In my reading, this is simple and 
>> clear and therefore I insist.
> I disagree with this point. 

But you haven't convinced me.

But what we seem to agree on is that there is a set of valid consent (I 
call this "the whole", a subset for explicit consent (I call this 
"explicit subset" and a complement subset ("the whole" sans "explicit 
subset") that I call "complement subset".

What we still disagree on is how to call them.

My naming is:

the whole:  "consent" or "valid consent"
explicit subset: "explicit consent"
complement subset: "regular consent"

Your naming:

the whole:  "regular consent"
explicit subset: "explicit consent"
complement subset" ????

While the GDPR already uses the terms "consent" (and "valid consent") 
and "explicit consent", we need to find a term for the complement subset.

In my reading--you haven't convinced me of the contrary--the Art29WP has 
exactly introduced the term "regular consent" to name this yet unnamed 

> I think A29WP used 'regular' consent to 
> refer to all valid consent, and therefore 'explicit' consent is the 
> subset of 'regular' consent.
> Consider this text in Sec.4, pg.18 of the Guidelines document, taking it 
> sentence by sentence -
> 1) The GDPR prescribes that a “statement or clear affirmative action” is 
> a prerequisite for ‘regular’ consent.
> - Here, 'regular' would mean the 'default' or 'defined' consent (as per 
> GDPR or DPD) - and the use of word regular is to indicate usual or 
> normal or normative. Note that this is the first mention of the word 
> regular in the document.

I would have preferred "already for regular consent", but I still don't 
see that this excludes my semantics.

> 2) As the ‘regular’ consent requirement in the GDPR is already raised to 
> a higher standard compared to the consent requirement in Directive 
> 95/46/EC,
> - This means that there are requirements of regular consent, that can be 
> compared between GDPR and DPD - and since neither document mentions 
> 'regular' - this would mean that they are talking about the 'default' or 
> 'defined' consent in these documents.
> 3) it needs to be clarified what extra efforts a controller should 
> undertake in order to obtain the explicit consent of a data subject in 
> line with the GDPR."
> - This states extra efforts in addition to regular consent to obtain 
> explicit consent, which therefore would mean that regular is the 
> superset and explicit is a subset of it.

So what I read is:  regular is already high, what extra effort is 
necessary to reach explicit?  [That reads the above two sentenses together].

When looking at it as "requirements" for a certain type of consent, this 
probably becomes clearer:

regular consent is the set of all consents that fulfill the regular 

Explicit consent requires extra effort, therefore:
explicit consent is the set of all consents that fulfills both, the 
regular requirements plus the additional explicit requirements.

What is important to me is the structure.  I'm not hung up on one naming 
of complement or another.  But we need to name it in the vocabulary.

What I much prefer is have some kind of a legal authority name it (the 
GDPR or the Art29WP).  If we name it, it can only be wrong.

Since I believe that anyone in their right (legal) mind will stay far 
away from naming something that is already named, I believe that the 
Art29WP introduced a new term only since there was no name for it already.

Consent, in the sense of "the whole", is already defined.  Why introduce 
a synomym of "regular consent"?  But use a adjective to further 
distinguish "consent" into two subclasses makes perfect sense to me.

Eva is not available at the moment--not sure when she'll be back.  But 
let's wait for Rigo's reply and I will ask two colleagues who are 
lawyers and who are part of the EDPB.  That should yield an 
authoritative answer.


> I'm continuing this in the your (Bud) other email so as to ensure all 
> points are addressed.

Bud P. Bruegger, Dipl.-Ing. (ETH), Ph.D. (University of Maine)
Unabhaengiges Landeszentrum fuer Datenschutz (ULD) Schleswig-Holstein
Dienststelle der Landesbeauftragten für Datenschutz Schleswig-Holstein
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1217, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung
Received on Monday, 8 April 2019 16:18:32 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:57 UTC