W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2019

Fwd: Re: Taxonomy of legal bases

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Tue, 9 Apr 2019 12:25:47 +0100
To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>, Mark Lizar <mark@openconsent.com>, Eva Schlehahn <uld67@datenschutzzentrum.de>
Message-ID: <9a3508c2-4aa4-2a63-19d6-6c85cfb50710@harshp.com>
**Sending to the public mailing list for archival purposes**

To clarify: NO, I'm not saying we create a term called 'regular' consent.

My proposal is to acknowledge in the description (dcterms:description or 
rdfs:comment) of the term <A6(1)(a)> in our vocabulary that it is the 
legal basis for what is referred to as "regular" consent in the 
Guidelines on Consent by A29WP.

The 'definition' of <A6(1)(a)> as a term in our vocabulary is the URI 
for the text of A6(1)(a) in GDPR (rdfs:isDefinedBy) to indicate its 
source, with the definition (skos:definition) as -
"legal basis where the data subject has given consent to the processing 
of his or her personal data for one or more specific purposes;" --> 
taking text straight from 6(1)(a).

I think this way we can have our ~'regular' cake~ and eat it too :P

On 09/04/2019 12:14, Mark @ OC wrote:
> Hi Harsh,
> Are you suggesting we use the word ‘Regular’ in the definition?  Can we 
> please refrain from using the word regular and go with just ‘consent’ or 
> ‘explicit consent’ as suggested?
> The reason being, is that we will have to account for irregular consent 
> if we use the word regular. This would open another can of worms.
> - Mark
>> On 9 Apr 2019, at 12:08, Harshvardhan J. Pandit <me@harshp.com 
>> <mailto:me@harshp.com>> wrote:
>> Thanks Eva, Bud, Rigo, Mark.
>> For our taxonomy/vocabulary, we have a 'flat' list (no-hierarchy) for 
>> v1, because to create hierarchies we would need further discussion on 
>> how the other legal basis are related.
>> So I propose we go with the following from Eva's email today -
>> * A6(1)(a) as the legal basis, and in its description, we mention that 
>> it requires what is referred to as regular consent by A29WP (note - no 
>> split into regular and explicit as it is listed currently in the 
>> spreadsheet)
>> * A9(2)(a) as the legal basis, and in its description we mention that 
>> it requires what is referred to as explicit consent by GDPR and A29WP
>> * Add additional legal basis that require explicit consent i.e. 
>> A22(2)(c) and A49(1)(a) to the list as it currently only covers A6 and A9
>> @Eva do you think this is okay to go ahead with?
>> - Harsh
>> On 09/04/2019 10:35, Eva Schlehahn wrote:
>>> Dear Harsh, dear all,
>>> after wading through all the back and forth emails touching upon this 
>>> topic, I am going back to the roots here. In short: I think Bud is 
>>> right. :)
>>> I discussed at length with Bud in advance and as his preparation for 
>>> the community group meeting. He is right because we have a need to 
>>> capture following structure:
>>>   * Consent - as legal basis with the definition: 'A data subject's
>>>     unambigious/clear affirmative action that signifies an agreement
>>>     to process their personal data'
>>>       o Regular consent -> Legal basis of Art. 6 para 1 (a) GDPR
>>>       o Explicit consent -> Legal basis of Art 9 para. 2 (a) GDPR
>>> Even though Rigo originally saw the term 'regular' critically, I 
>>> still think it is useful to simply express that there is a difference 
>>> between the consent required by Art. 6 in contrast to Art. 9. So in 
>>> principle, we need some term to highlight this difference. And Bud 
>>> relies on what the former Art. 29 Working Group said since it simply 
>>> makes no sense to make up something else out of thin air.
>>> Btw. 'freely given & informed' are not definitions, they are 
>>> conditions. There is a difference. :) And they probably cannot be 
>>> expressed in a vocabulary since they are always context-dependent and 
>>> subject to interpretation. :)
>>> Harsh, I like your examples given in your email - and I agree insofar 
>>> as the explicit consent required a very clear statement from the data 
>>> subject what they are agreeing to. Please note that this is even a 
>>> step further than the consent just being 'informed' - in a way, this 
>>> informed-ness also needs to be expressed explicitly.
>>> Greetings,
>>> Eva
>>> Am 08.04.2019 um 13:39 schrieb Harshvardhan J. Pandit:
>>>> tldr; This email is regarding using two separate legal basis for 
>>>> consent as provided by A6(1)(a)
>>>> Dear Eva, Rigo, and Bud.
>>>> I'm having trouble understanding the two separate legal basis for 
>>>> consent as provided by A6(1)(a).
>>>> This discussion was mostly conducted in the F2F, and because this is 
>>>> the first time I have come across this interpretation of two legal 
>>>> basis under A6(1)(a), it would be good to have it in the mailing 
>>>> list so as to have a point of reference in the future.
>>>> My understanding of the discussion so far:
>>>> Please do specify (and if possible, correct) any errors made in 
>>>> capturing the gist of the discussion.
>>>> For consent as the legal basis, Eva and Bud suggested 
>>>> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 
>>>> 1-APR) two types ('regular' and 'explicit') of consent from Article 
>>>> 6(1)(a), with a reference to A29WP guidelines on consent - that also 
>>>> mention these two terms.
>>>> Rigo (skype call in F2F, 4-APR) suggested to remove the word 
>>>> 'regular' and simply call it consent, and provided the following 
>>>> definition for (previously regular) consent - "A data subject's 
>>>> unambigious/clear affirmative action that signifies an agreement to 
>>>> process their personal data". (personal opinion - I think this was 
>>>> to provide a definition of 'consent' as a top-level concept in the 
>>>> taxonomy)
>>>> Points I'm struggling with -
>>>> (1) If the (regular) consent is used as a legal basis with the above 
>>>> definition - would it be valid under the GDPR given that it does not 
>>>> follow the definition of consent (A4-11) for being "freely given, 
>>>> informed".
>>>> (2) Where do we use the GDPR definition of consent (A4-11) in the 
>>>> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>>>> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular' 
>>>> consent is mentioned in context - The GDPR prescribes that a 
>>>> “statement or clear affirmative action” is a prerequisite for 
>>>> ‘regular’ consent.
>>>> In the same section, 'explicit' consent is mentioned as - "The term 
>>>> explicit refers to the way consent is expressed by the data subject. 
>>>> It means that the data subject must give an express statement of 
>>>> consent."
>>>> Given that I have no legal background, I'm confused as to wouldn't 
>>>> every 'regular' consent required by GDPR also be 'explicit' given 
>>>> the requirement for every consent to be informed, specific, 
>>>> unambiguous indication by a statement or action (A4-11) - which 
>>>> covers descriptions of both terms by A29WP?
>>>> Or, is the difference as follows:
>>>> - regular - saying "I Agree"
>>>> - explicit - saying "I Agree to XYZ" ← note explicit mention of what 
>>>> I'm agreeing to?
>>>> But wouldn't this be covered by the information in the description 
>>>> of what they are agreeing to because consent should be informed?. It 
>>>> does come to my mind, that the 'explicit' in this case may refer to 
>>>> the requirement of stating that some information, such as special 
>>>> categories of data, need to be mentioned in an 'explicit' form in 
>>>> the 'informed' part of consent - in which case, does it qualify as a 
>>>> separate legal basis OR as the requirements for valid consent (and 
>>>> therefore not part of legal basis taxonomy)?
>>>> (4) If conditions provided by A9(2)(a) count as a legal basis based 
>>>> on 'explicit' consent for special categories of personal data, do 
>>>> the following also count as a legal basis given that they are based 
>>>> on 'explicit' consent and are types of processing?
>>>> - R72 Profiling
>>>> - A22(2)(c) Automated individual decision-making, including profiling
>>>> - A49(1)(a) transfers of personal data to a third country or an 
>>>> international organisation
>>>> I don't mean to start a long discussion that may delay the work on 
>>>> wrapping up the taxonomy, so am willing to accept short answers 
>>>> (e.g. yes/no, use 'this' as definition); but at the same time it 
>>>> would be very helpful to clarify this things - both for the group as 
>>>> well as (personally) for my PhD work.
>>>> Best,
>>>> Harsh
>>>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>>>> Dear all,
>>>>> Bud and I developed further the taxonomy of legal bases according 
>>>>> to the GDPR. Please find attached
>>>>>   * in the Word document file Bud's version of such a vocabulary, as
>>>>>     well as
>>>>>   * in the image file my extension of the already existing
>>>>>     visualization from lawyer perspective. ;-)
>>>>> A pity I cannot make it to Vienna. I wish you all a fruitful 
>>>>> meeting there. :-)
>>>>> Greetings,
>>>>> Eva
>>>>> -- 
>>>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>>>> Eva Schlehahn,uld67@datenschutzzentrum.de
>>>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>>>> mail@datenschutzzentrum.de -https://www.datenschutzzentrum.de/
>>>>> Informationen über die Verarbeitung der personenbezogenen Daten durch
>>>>> die Landesbeauftragte für Datenschutz und zur verschlüsselten
>>>>> E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/ 
>> -- 
>> ---
>> Harshvardhan Pandit
>> PhD Researcher
>> ADAPT Centre
>> Trinity College Dublin

Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin
Received on Tuesday, 9 April 2019 11:26:55 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:57 UTC