W3C home > Mailing lists > Public > public-dpvcg@w3.org > April 2019

Re: Fwd: Re: Taxonomy of legal bases

From: Eva Schlehahn <uld67@datenschutzzentrum.de>
Date: Tue, 9 Apr 2019 13:51:49 +0200
To: "Harshvardhan J. Pandit" <me@harshp.com>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>, Mark Lizar <mark@openconsent.com>
Message-ID: <cfbd30a6-50d1-5d44-f59c-f3d9e7886b3f@datenschutzzentrum.de>
Hi Harsh, hi all,

let me make a brief clarification, plus a compromise suggestion. :)

First the clarification: What Bud and I are aiming at (by repatedly 
nagging you with this topic) is that Art. 6 para (a) can have also two 
different cases namely explicit (yes, it exists there too!) and 
non-explicit consent. In contrast to the case of processing sensitive 
data (Art. 9), both expressions of consent are possible there. This is 
why we need a differentiation of these two possibilities under Art. 6 
para 1 (a).

So my compromise suggestion is now: Instead of acknowledging the two 
different cases by naming them 'explicit' and 'regular' consent, we 
could rather call them 'explicit' and 'non-explicit' consent. Problem 
solved! :)

One additional comment with regard to Art. 22 para 2 (c) and Art. 49 
para. 1 (a) GDPR - these are NOT legal bases on their own! Rather, they 
describe situations where e.g. consent based on Art. 6 para 1 (a) is 
possible, but which trigger the additional condition that it needs to be 
the explicit version of this consent.

Greetings,

Eva



Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Eva Schlehahn, uld67@datenschutzzentrum.de
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Informationen über die Verarbeitung der personenbezogenen Daten durch
die Landesbeauftragte für Datenschutz und zur verschlüsselten
E-Mail-Kommunikation: https://datenschutzzentrum.de/datenschutzerklaerung/

Am 09.04.2019 um 13:25 schrieb Harshvardhan J. Pandit:
> **Sending to the public mailing list for archival purposes**
>
> To clarify: NO, I'm not saying we create a term called 'regular' consent.
>
> My proposal is to acknowledge in the description (dcterms:description 
> or rdfs:comment) of the term <A6(1)(a)> in our vocabulary that it is 
> the legal basis for what is referred to as "regular" consent in the 
> Guidelines on Consent by A29WP.
>
> The 'definition' of <A6(1)(a)> as a term in our vocabulary is the URI 
> for the text of A6(1)(a) in GDPR (rdfs:isDefinedBy) to indicate its 
> source, with the definition (skos:definition) as -
> "legal basis where the data subject has given consent to the 
> processing of his or her personal data for one or more specific 
> purposes;" --> taking text straight from 6(1)(a).
>
> I think this way we can have our ~'regular' cake~ and eat it too :P
>
>
> On 09/04/2019 12:14, Mark @ OC wrote:
>> Hi Harsh,
>>
>> Are you suggesting we use the word ‘Regular’ in the definition?  Can 
>> we please refrain from using the word regular and go with just 
>> ‘consent’ or ‘explicit consent’ as suggested?
>>
>> The reason being, is that we will have to account for irregular 
>> consent if we use the word regular. This would open another can of 
>> worms.
>>
>> - Mark
>>
>>
>>> On 9 Apr 2019, at 12:08, Harshvardhan J. Pandit <me@harshp.com 
>>> <mailto:me@harshp.com>> wrote:
>>>
>>> Thanks Eva, Bud, Rigo, Mark.
>>>
>>> For our taxonomy/vocabulary, we have a 'flat' list (no-hierarchy) 
>>> for v1, because to create hierarchies we would need further 
>>> discussion on how the other legal basis are related.
>>>
>>> So I propose we go with the following from Eva's email today -
>>>
>>> * A6(1)(a) as the legal basis, and in its description, we mention 
>>> that it requires what is referred to as regular consent by A29WP 
>>> (note - no split into regular and explicit as it is listed currently 
>>> in the spreadsheet)
>>>
>>> * A9(2)(a) as the legal basis, and in its description we mention 
>>> that it requires what is referred to as explicit consent by GDPR and 
>>> A29WP
>>>
>>> * Add additional legal basis that require explicit consent i.e. 
>>> A22(2)(c) and A49(1)(a) to the list as it currently only covers A6 
>>> and A9
>>>
>>> @Eva do you think this is okay to go ahead with?
>>>
>>> - Harsh
>>>
>>>
>>> On 09/04/2019 10:35, Eva Schlehahn wrote:
>>>>
>>>> Dear Harsh, dear all,
>>>>
>>>> after wading through all the back and forth emails touching upon 
>>>> this topic, I am going back to the roots here. In short: I think 
>>>> Bud is right. :)
>>>>
>>>> I discussed at length with Bud in advance and as his preparation 
>>>> for the community group meeting. He is right because we have a need 
>>>> to capture following structure:
>>>>
>>>>   * Consent - as legal basis with the definition: 'A data subject's
>>>>     unambigious/clear affirmative action that signifies an agreement
>>>>     to process their personal data'
>>>>       o Regular consent -> Legal basis of Art. 6 para 1 (a) GDPR
>>>>       o Explicit consent -> Legal basis of Art 9 para. 2 (a) GDPR
>>>>
>>>> Even though Rigo originally saw the term 'regular' critically, I 
>>>> still think it is useful to simply express that there is a 
>>>> difference between the consent required by Art. 6 in contrast to 
>>>> Art. 9. So in principle, we need some term to highlight this 
>>>> difference. And Bud relies on what the former Art. 29 Working Group 
>>>> said since it simply makes no sense to make up something else out 
>>>> of thin air.
>>>>
>>>> Btw. 'freely given & informed' are not definitions, they are 
>>>> conditions. There is a difference. :) And they probably cannot be 
>>>> expressed in a vocabulary since they are always context-dependent 
>>>> and subject to interpretation. :)
>>>>
>>>> Harsh, I like your examples given in your email - and I agree 
>>>> insofar as the explicit consent required a very clear statement 
>>>> from the data subject what they are agreeing to. Please note that 
>>>> this is even a step further than the consent just being 'informed' 
>>>> - in a way, this informed-ness also needs to be expressed explicitly.
>>>>
>>>> Greetings,
>>>>
>>>> Eva
>>>>
>>>> Am 08.04.2019 um 13:39 schrieb Harshvardhan J. Pandit:
>>>>> tldr; This email is regarding using two separate legal basis for 
>>>>> consent as provided by A6(1)(a)
>>>>>
>>>>> Dear Eva, Rigo, and Bud.
>>>>> I'm having trouble understanding the two separate legal basis for 
>>>>> consent as provided by A6(1)(a).
>>>>> This discussion was mostly conducted in the F2F, and because this 
>>>>> is the first time I have come across this interpretation of two 
>>>>> legal basis under A6(1)(a), it would be good to have it in the 
>>>>> mailing list so as to have a point of reference in the future.
>>>>>
>>>>> My understanding of the discussion so far:
>>>>> Please do specify (and if possible, correct) any errors made in 
>>>>> capturing the gist of the discussion.
>>>>> For consent as the legal basis, Eva and Bud suggested 
>>>>> (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 
>>>>> 1-APR) two types ('regular' and 'explicit') of consent from 
>>>>> Article 6(1)(a), with a reference to A29WP guidelines on consent - 
>>>>> that also mention these two terms.
>>>>> Rigo (skype call in F2F, 4-APR) suggested to remove the word 
>>>>> 'regular' and simply call it consent, and provided the following 
>>>>> definition for (previously regular) consent - "A data subject's 
>>>>> unambigious/clear affirmative action that signifies an agreement 
>>>>> to process their personal data". (personal opinion - I think this 
>>>>> was to provide a definition of 'consent' as a top-level concept in 
>>>>> the taxonomy)
>>>>>
>>>>> Points I'm struggling with -
>>>>>
>>>>> (1) If the (regular) consent is used as a legal basis with the 
>>>>> above definition - would it be valid under the GDPR given that it 
>>>>> does not follow the definition of consent (A4-11) for being 
>>>>> "freely given, informed".
>>>>>
>>>>> (2) Where do we use the GDPR definition of consent (A4-11) in the 
>>>>> taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>>>>>
>>>>> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 
>>>>> 'regular' consent is mentioned in context - The GDPR prescribes 
>>>>> that a “statement or clear affirmative action” is a prerequisite 
>>>>> for ‘regular’ consent.
>>>>> In the same section, 'explicit' consent is mentioned as - "The 
>>>>> term explicit refers to the way consent is expressed by the data 
>>>>> subject. It means that the data subject must give an express 
>>>>> statement of consent."
>>>>> Given that I have no legal background, I'm confused as to wouldn't 
>>>>> every 'regular' consent required by GDPR also be 'explicit' given 
>>>>> the requirement for every consent to be informed, specific, 
>>>>> unambiguous indication by a statement or action (A4-11) - which 
>>>>> covers descriptions of both terms by A29WP?
>>>>> Or, is the difference as follows:
>>>>> - regular - saying "I Agree"
>>>>> - explicit - saying "I Agree to XYZ" ← note explicit mention of 
>>>>> what I'm agreeing to?
>>>>> But wouldn't this be covered by the information in the description 
>>>>> of what they are agreeing to because consent should be informed?. 
>>>>> It does come to my mind, that the 'explicit' in this case may 
>>>>> refer to the requirement of stating that some information, such as 
>>>>> special categories of data, need to be mentioned in an 'explicit' 
>>>>> form in the 'informed' part of consent - in which case, does it 
>>>>> qualify as a separate legal basis OR as the requirements for valid 
>>>>> consent (and therefore not part of legal basis taxonomy)?
>>>>>
>>>>> (4) If conditions provided by A9(2)(a) count as a legal basis 
>>>>> based on 'explicit' consent for special categories of personal 
>>>>> data, do the following also count as a legal basis given that they 
>>>>> are based on 'explicit' consent and are types of processing?
>>>>> - R72 Profiling
>>>>> - A22(2)(c) Automated individual decision-making, including profiling
>>>>> - A49(1)(a) transfers of personal data to a third country or an 
>>>>> international organisation
>>>>>
>>>>> I don't mean to start a long discussion that may delay the work on 
>>>>> wrapping up the taxonomy, so am willing to accept short answers 
>>>>> (e.g. yes/no, use 'this' as definition); but at the same time it 
>>>>> would be very helpful to clarify this things - both for the group 
>>>>> as well as (personally) for my PhD work.
>>>>>
>>>>> Best,
>>>>> Harsh
>>>>>
>>>>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> Bud and I developed further the taxonomy of legal bases according 
>>>>>> to the GDPR. Please find attached
>>>>>>
>>>>>>   * in the Word document file Bud's version of such a vocabulary, as
>>>>>>     well as
>>>>>>   * in the image file my extension of the already existing
>>>>>>     visualization from lawyer perspective. ;-)
>>>>>>
>>>>>> A pity I cannot make it to Vienna. I wish you all a fruitful 
>>>>>> meeting there. :-)
>>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> Eva
>>>>>>
>>>>>> -- 
>>>>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>>>>> Eva Schlehahn,uld67@datenschutzzentrum.de
>>>>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>>>>> mail@datenschutzzentrum.de -https://www.datenschutzzentrum.de/
>>>>>>
>>>>>> Informationen über die Verarbeitung der personenbezogenen Daten 
>>>>>> durch
>>>>>> die Landesbeauftragte für Datenschutz und zur verschlüsselten
>>>>>> E-Mail-Kommunikation:https://datenschutzzentrum.de/datenschutzerklaerung/ 
>>>>>>
>>>>>
>>> -- 
>>> ---
>>> Harshvardhan Pandit
>>> PhD Researcher
>>> ADAPT Centre
>>> Trinity College Dublin
>>
>
Received on Tuesday, 9 April 2019 11:52:23 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:27:57 UTC