- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Tue, 9 Apr 2019 12:08:02 +0100
- To: Eva Schlehahn <uld67@datenschutzzentrum.de>, public-dpvcg@w3.org
- Message-ID: <d9c96231-4612-7563-eba5-85752d338e5e@harshp.com>

Thanks Eva, Bud, Rigo, Mark.

For our taxonomy/vocabulary, we have a 'flat' list (no hierarchy) for
v1, because to create hierarchies we would need further discussion on
how the other legal bases are related.

So I propose we go with the following from Eva's email today -

* A6(1)(a) as the legal basis, and in its description, we mention that
  it requires what is referred to as regular consent by A29WP (note - no
  split into regular and explicit as it is listed currently in the
  spreadsheet)
* A9(2)(a) as the legal basis, and in its description we mention that it
  requires what is referred to as explicit consent by GDPR and A29WP
* Add additional legal bases that require explicit consent, i.e.
  A22(2)(c) and A49(1)(a), to the list as it currently only covers A6 and A9

@Eva do you think this is okay to go ahead with?

- Harsh

On 09/04/2019 10:35, Eva Schlehahn wrote:
>
> Dear Harsh, dear all,
>
> after wading through all the back and forth emails touching upon this
> topic, I am going back to the roots here. In short: I think Bud is
> right. :)
>
> I discussed at length with Bud in advance and as his preparation for
> the community group meeting. He is right because we have a need to
> capture the following structure:
>
> * Consent - as legal basis with the definition: 'A data subject's
>   unambiguous/clear affirmative action that signifies an agreement
>   to process their personal data'
>     o Regular consent -> Legal basis of Art. 6 para 1 (a) GDPR
>     o Explicit consent -> Legal basis of Art 9 para. 2 (a) GDPR
>
> Even though Rigo originally saw the term 'regular' critically, I still
> think it is useful to simply express that there is a difference
> between the consent required by Art. 6 in contrast to Art. 9. So in
> principle, we need some term to highlight this difference. And Bud
> relies on what the former Art. 29 Working Group said since it simply
> makes no sense to make up something else out of thin air.
>
> Btw. 'freely given & informed' are not definitions, they are
> conditions. There is a difference. :) And they probably cannot be
> expressed in a vocabulary since they are always context-dependent and
> subject to interpretation. :)
>
> Harsh, I like your examples given in your email - and I agree insofar
> as the explicit consent required a very clear statement from the data
> subject what they are agreeing to. Please note that this is even a
> step further than the consent just being 'informed' - in a way, this
> informed-ness also needs to be expressed explicitly.
>
> Greetings,
>
> Eva
>
> On 08.04.2019 at 13:39, Harshvardhan J. Pandit wrote:
>> tldr; This email is regarding using two separate legal bases for
>> consent as provided by A6(1)(a)
>>
>> Dear Eva, Rigo, and Bud.
>> I'm having trouble understanding the two separate legal bases for
>> consent as provided by A6(1)(a).
>> This discussion was mostly conducted in the F2F, and because this is
>> the first time I have come across this interpretation of two legal
>> bases under A6(1)(a), it would be good to have it in the mailing list
>> so as to have a point of reference in the future.
>>
>> My understanding of the discussion so far:
>> Please do specify (and if possible, correct) any errors made in
>> capturing the gist of the discussion.
>> For consent as the legal basis, Eva and Bud suggested
>> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html
>> 1-APR) two types ('regular' and 'explicit') of consent from Article
>> 6(1)(a), with a reference to A29WP guidelines on consent - that also
>> mention these two terms.
>> Rigo (skype call in F2F, 4-APR) suggested to remove the word
>> 'regular' and simply call it consent, and provided the following
>> definition for (previously regular) consent - "A data subject's
>> unambiguous/clear affirmative action that signifies an agreement to
>> process their personal data". (personal opinion - I think this was to
>> provide a definition of 'consent' as a top-level concept in the
>> taxonomy)
>>
>> Points I'm struggling with -
>>
>> (1) If the (regular) consent is used as a legal basis with the above
>> definition - would it be valid under the GDPR given that it does not
>> follow the definition of consent (A4-11) for being "freely given,
>> informed".
>>
>> (2) Where do we use the GDPR definition of consent (A4-11) in the
>> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>>
>> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular'
>> consent is mentioned in context - The GDPR prescribes that a
>> “statement or clear affirmative action” is a prerequisite for
>> ‘regular’ consent.
>> In the same section, 'explicit' consent is mentioned as - "The term
>> explicit refers to the way consent is expressed by the data subject.
>> It means that the data subject must give an express statement of
>> consent."
>> Given that I have no legal background, I'm confused as to wouldn't
>> every 'regular' consent required by GDPR also be 'explicit' given the
>> requirement for every consent to be informed, specific, unambiguous
>> indication by a statement or action (A4-11) - which covers
>> descriptions of both terms by A29WP?
>> Or, is the difference as follows:
>> - regular - saying "I Agree"
>> - explicit - saying "I Agree to XYZ" ← note explicit mention of what
>> I'm agreeing to?
>> But wouldn't this be covered by the information in the description of
>> what they are agreeing to because consent should be informed? It
>> does come to my mind, that the 'explicit' in this case may refer to
>> the requirement of stating that some information, such as special
>> categories of data, need to be mentioned in an 'explicit' form in the
>> 'informed' part of consent - in which case, does it qualify as a
>> separate legal basis OR as the requirements for valid consent (and
>> therefore not part of legal basis taxonomy)?
>>
>> (4) If conditions provided by A9(2)(a) count as a legal basis based
>> on 'explicit' consent for special categories of personal data, do the
>> following also count as a legal basis given that they are based on
>> 'explicit' consent and are types of processing?
>> - R72 Profiling
>> - A22(2)(c) Automated individual decision-making, including profiling
>> - A49(1)(a) transfers of personal data to a third country or an
>> international organisation
>>
>> I don't mean to start a long discussion that may delay the work on
>> wrapping up the taxonomy, so am willing to accept short answers (e.g.
>> yes/no, use 'this' as definition); but at the same time it would be
>> very helpful to clarify these things - both for the group as well as
>> (personally) for my PhD work.
>>
>> Best,
>> Harsh
>>
>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>>
>>> Dear all,
>>>
>>> Bud and I developed further the taxonomy of legal bases according to
>>> the GDPR. Please find attached
>>>
>>> * in the Word document file Bud's version of such a vocabulary, as
>>> well as
>>> * in the image file my extension of the already existing
>>> visualization from lawyer perspective. ;-)
>>>
>>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting
>>> there. :-)
>>>
>>> Greetings,
>>>
>>> Eva
>>>
>>> --
>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>> Eva Schlehahn, uld67@datenschutzzentrum.de
>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>>>
>>> Information on the processing of personal data by the
>>> State Commissioner for Data Protection and on encrypted
>>> e-mail communication: https://datenschutzzentrum.de/datenschutzerklaerung/
>>>
>>
--
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Tuesday, 9 April 2019 11:09:11 UTC