
Re: Taxonomy of legal bases

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 08 Apr 2019 22:46:52 +0200
To: "Harshvardhan J. Pandit" <me@harshp.com>
Cc: Bud Bruegger <uld613@datenschutzzentrum.de>, Eva Schlehahn <uld67@datenschutzzentrum.de>, public-dpvcg@w3.org
Message-ID: <2362862.bfbgDpvbpG@montaigne>

Bud, Harsh,

On Monday, 8 April 2019 16:55:21 CEST Harshvardhan J. Pandit wrote:
> I disagree with this point. I think A29WP used 'regular' consent to
> refer to all valid consent, and therefore 'explicit' consent is the
> subset of 'regular' consent.

You're losing yourself in a circular, term-based argumentation. The name is not
the definition.

If you look at GDPR and the introductory considerations, "consent" is a 
slider. There are minimum requirements with words in GDPR and definitions 
given by the Art. 29 WP:

1/ Free
2/ Specific
3/ Informed
4/ Unambiguous indication of will

 ==> consent

Now, we consider things a bit more sensitive, say location data.

In this case, the requirements on 1-4 are higher. The old 2002/58/EC ePrivacy
required e.g. that a device shows if the location information is active. It 
also had higher expectations on 4/, so just a pre-ticked box would not be 
sufficient. 

And then, at the very end of the slider is Art. 9 with the special categories
of data with a legal definition of requirements on "explicit". A consent that 
fulfills Art. 9 requirements fulfills (by construction) ALL consent 
requirements and thus is ALWAYS valid. 

I said to Axel that we are ALWAYS in a taxonomy in law as there are clear 
hierarchies (if you want to know why, google for "Kelsen"). This is not in
any way different here, except it is perhaps an upside-down view as Art. 9 has
the strongest requirements. But the tree here goes from light to heavy. 

In all this, terms like "regular", "normal" or "Italian" consent are just made
up by people outside the legislation process. Sometimes they are useful, 
sometimes they aren't. It doesn't matter whether we talk about "simple" or 
"regular" consent as long as it is clear that 1-4 are the minimum.

BTW, below 1-4 you can link many more sub-requirements that we can rate by
security/severity of the risk and calculate that like entropy. This system
will probably be more consistent than the courts, who will do the same, but in
a more disordered way.

 --Rigo
Received on Monday, 8 April 2019 20:46:57 UTC
