Re: Taxonomy of legal bases

Dear Harsh, dear all,

after wading through all the back and forth emails touching upon this 
topic, I am going back to the roots here. In short: I think Bud is right. :)

I discussed at length with Bud in advance and as his preparation for the 
community group meeting. He is right because we have a need to capture 
the following structure:

  * Consent - as legal basis with the definition: 'A data subject's
    unambiguous/clear affirmative action that signifies an agreement to
    process their personal data'
      o Regular consent -> Legal basis of Art. 6 para. 1 (a) GDPR
      o Explicit consent -> Legal basis of Art. 9 para. 2 (a) GDPR

Even though Rigo originally saw the term 'regular' critically, I still 
think it is useful to simply express that there is a difference between 
the consent required by Art. 6 in contrast to Art. 9. So in principle, 
we need some term to highlight this difference. And Bud relies on what 
the former Art. 29 Working Group said since it simply makes no sense to 
make up something else out of thin air.

Btw. 'freely given & informed' are not definitions, they are conditions. 
There is a difference. :) And they probably cannot be expressed in a 
vocabulary since they are always context-dependent and subject to 
interpretation. :)

Harsh, I like your examples given in your email - and I agree insofar as 
the explicit consent required a very clear statement from the data 
subject what they are agreeing to. Please note that this is even a step 
further than the consent just being 'informed' - in a way, this 
informed-ness also needs to be expressed explicitly.

Greetings,

Eva

On 08.04.2019 at 13:39, Harshvardhan J. Pandit wrote:
> tldr; This email is regarding using two separate legal bases for 
> consent as provided by A6(1)(a)
>
> Dear Eva, Rigo, and Bud.
> I'm having trouble understanding the two separate legal bases for 
> consent as provided by A6(1)(a).
> This discussion was mostly conducted in the F2F, and because this is 
> the first time I have come across this interpretation of two legal 
> bases under A6(1)(a), it would be good to have it in the mailing list 
> so as to have a point of reference in the future.
>
> My understanding of the discussion so far:
> Please do specify (and if possible, correct) any errors made in 
> capturing the gist of the discussion.
> For consent as the legal basis, Eva and Bud suggested 
> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 
> 1-APR) two types ('regular' and 'explicit') of consent from Article 
> 6(1)(a), with a reference to A29WP guidelines on consent - that also 
> mention these two terms.
> Rigo (skype call in F2F, 4-APR) suggested to remove the word 'regular' 
> and simply call it consent, and provided the following definition for 
> (previously regular) consent - "A data subject's unambiguous/clear 
> affirmative action that signifies an agreement to process their 
> personal data". (personal opinion - I think this was to provide a 
> definition of 'consent' as a top-level concept in the taxonomy)
>
> Points I'm struggling with -
>
> (1) If the (regular) consent is used as a legal basis with the above 
> definition - would it be valid under the GDPR given that it does not 
> follow the definition of consent (A4-11) for being "freely given, 
> informed".
>
> (2) Where do we use the GDPR definition of consent (A4-11) in the 
> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>
> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular' 
> consent is mentioned in context - The GDPR prescribes that a 
> “statement or clear affirmative action” is a prerequisite for 
> ‘regular’ consent.
> In the same section, 'explicit' consent is mentioned as - "The term 
> explicit refers to the way consent is expressed by the data subject. 
> It means that the data subject must give an express statement of 
> consent."
> Given that I have no legal background, I'm confused as to wouldn't 
> every 'regular' consent required by GDPR also be 'explicit' given the 
> requirement for every consent to be informed, specific, unambiguous 
> indication by a statement or action (A4-11) - which covers 
> descriptions of both terms by A29WP?
> Or, is the difference as follows:
> - regular - saying "I Agree"
> - explicit - saying "I Agree to XYZ" ← note explicit mention of what 
> I'm agreeing to?
> But wouldn't this be covered by the information in the description of 
> what they are agreeing to because consent should be informed? It does 
> come to my mind, that the 'explicit' in this case may refer to the 
> requirement of stating that some information, such as special 
> categories of data, need to be mentioned in an 'explicit' form in the 
> 'informed' part of consent - in which case, does it qualify as a 
> separate legal basis OR as the requirements for valid consent (and 
> therefore not part of legal basis taxonomy)?
>
> (4) If conditions provided by A9(2)(a) count as a legal basis based on 
> 'explicit' consent for special categories of personal data, do the 
> following also count as a legal basis given that they are based on 
> 'explicit' consent and are types of processing?
> - R72 Profiling
> - A22(2)(c) Automated individual decision-making, including profiling
> - A49(1)(a) transfers of personal data to a third country or an 
> international organisation
>
> I don't mean to start a long discussion that may delay the work on 
> wrapping up the taxonomy, so am willing to accept short answers (e.g. 
> yes/no, use 'this' as definition); but at the same time it would be 
> very helpful to clarify these things - both for the group as well as 
> (personally) for my PhD work.
>
> Best,
> Harsh
>
> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>
>> Dear all,
>>
>> Bud and I developed further the taxonomy of legal bases according to 
>> the GDPR. Please find attached
>>
>>   * in the Word document file Bud's version of such a vocabulary, as
>>     well as
>>   * in the image file my extension of the already existing
>>     visualization from lawyer perspective. ;-)
>>
>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting 
>> there. :-)
>>
>> Greetings,
>>
>> Eva
>>
>> -- 
>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>> Eva Schlehahn, uld67@datenschutzzentrum.de
>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>>
>> Information on the processing of personal data by the State
>> Commissioner for Data Protection and on encrypted e-mail
>> communication: https://datenschutzzentrum.de/datenschutzerklaerung/
>>
>

Received on Tuesday, 9 April 2019 09:36:28 UTC