- From: Eva Schlehahn <uld67@datenschutzzentrum.de>
- Date: Tue, 9 Apr 2019 13:51:49 +0200
- To: "Harshvardhan J. Pandit" <me@harshp.com>, Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>, Mark Lizar <mark@openconsent.com>
Hi Harsh, hi all,

let me make a brief clarification, plus a compromise suggestion. :)

First the clarification: What Bud and I are aiming at (by repeatedly nagging you with this topic) is that Art. 6 para (a) can have also two different cases, namely explicit (yes, it exists there too!) and non-explicit consent. In contrast to the case of processing sensitive data (Art. 9), both expressions of consent are possible there. This is why we need a differentiation of these two possibilities under Art. 6 para 1 (a).

So my compromise suggestion is now: Instead of acknowledging the two different cases by naming them 'explicit' and 'regular' consent, we could rather call them 'explicit' and 'non-explicit' consent. Problem solved! :)

One additional comment with regard to Art. 22 para 2 (c) and Art. 49 para. 1 (a) GDPR - these are NOT legal bases on their own! Rather, they describe situations where e.g. consent based on Art. 6 para 1 (a) is possible, but which trigger the additional condition that it needs to be the explicit version of this consent.

Greetings,

Eva

--
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Eva Schlehahn, uld67@datenschutzzentrum.de
Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/

Information on the processing of personal data by the State Commissioner for Data Protection and on encrypted e-mail communication: https://datenschutzzentrum.de/datenschutzerklaerung/

On 09.04.2019 at 13:25, Harshvardhan J. Pandit wrote:
> **Sending to the public mailing list for archival purposes**
>
> To clarify: NO, I'm not saying we create a term called 'regular' consent.
>
> My proposal is to acknowledge in the description (dcterms:description or rdfs:comment) of the term <A6(1)(a)> in our vocabulary that it is the legal basis for what is referred to as "regular" consent in the Guidelines on Consent by A29WP.
>
> The 'definition' of <A6(1)(a)> as a term in our vocabulary is the URI for the text of A6(1)(a) in GDPR (rdfs:isDefinedBy) to indicate its source, with the definition (skos:definition) as - "legal basis where the data subject has given consent to the processing of his or her personal data for one or more specific purposes;" --> taking text straight from 6(1)(a).
>
> I think this way we can have our ~'regular' cake~ and eat it too :P
>
> On 09/04/2019 12:14, Mark @ OC wrote:
>> Hi Harsh,
>>
>> Are you suggesting we use the word ‘Regular’ in the definition? Can we please refrain from using the word regular and go with just ‘consent’ or ‘explicit consent’ as suggested?
>>
>> The reason being, is that we will have to account for irregular consent if we use the word regular. This would open another can of worms.
>>
>> - Mark
>>
>>> On 9 Apr 2019, at 12:08, Harshvardhan J. Pandit <me@harshp.com> wrote:
>>>
>>> Thanks Eva, Bud, Rigo, Mark.
>>>
>>> For our taxonomy/vocabulary, we have a 'flat' list (no hierarchy) for v1, because to create hierarchies we would need further discussion on how the other legal bases are related.
>>>
>>> So I propose we go with the following from Eva's email today -
>>>
>>> * A6(1)(a) as the legal basis, and in its description, we mention that it requires what is referred to as regular consent by A29WP (note - no split into regular and explicit as it is listed currently in the spreadsheet)
>>>
>>> * A9(2)(a) as the legal basis, and in its description we mention that it requires what is referred to as explicit consent by GDPR and A29WP
>>>
>>> * Add additional legal bases that require explicit consent, i.e. A22(2)(c) and A49(1)(a), to the list as it currently only covers A6 and A9
>>>
>>> @Eva do you think this is okay to go ahead with?
>>>
>>> - Harsh
>>>
>>> On 09/04/2019 10:35, Eva Schlehahn wrote:
>>>> Dear Harsh, dear all,
>>>>
>>>> after wading through all the back and forth emails touching upon this topic, I am going back to the roots here. In short: I think Bud is right. :)
>>>>
>>>> I discussed at length with Bud in advance and as his preparation for the community group meeting. He is right because we have a need to capture the following structure:
>>>>
>>>> * Consent - as legal basis with the definition: 'A data subject's unambiguous/clear affirmative action that signifies an agreement to process their personal data'
>>>>   o Regular consent -> Legal basis of Art. 6 para 1 (a) GDPR
>>>>   o Explicit consent -> Legal basis of Art 9 para. 2 (a) GDPR
>>>>
>>>> Even though Rigo originally saw the term 'regular' critically, I still think it is useful to simply express that there is a difference between the consent required by Art. 6 in contrast to Art. 9. So in principle, we need some term to highlight this difference. And Bud relies on what the former Art. 29 Working Group said since it simply makes no sense to make up something else out of thin air.
>>>>
>>>> Btw. 'freely given & informed' are not definitions, they are conditions. There is a difference. :) And they probably cannot be expressed in a vocabulary since they are always context-dependent and subject to interpretation. :)
>>>>
>>>> Harsh, I like your examples given in your email - and I agree insofar as the explicit consent required a very clear statement from the data subject what they are agreeing to. Please note that this is even a step further than the consent just being 'informed' - in a way, this informed-ness also needs to be expressed explicitly.
>>>>
>>>> Greetings,
>>>>
>>>> Eva
>>>>
>>>> On 08.04.2019 at 13:39, Harshvardhan J. Pandit wrote:
>>>>> tldr; This email is regarding using two separate legal bases for consent as provided by A6(1)(a)
>>>>>
>>>>> Dear Eva, Rigo, and Bud.
>>>>> I'm having trouble understanding the two separate legal bases for consent as provided by A6(1)(a).
>>>>> This discussion was mostly conducted in the F2F, and because this is the first time I have come across this interpretation of two legal bases under A6(1)(a), it would be good to have it in the mailing list so as to have a point of reference in the future.
>>>>>
>>>>> My understanding of the discussion so far:
>>>>> Please do specify (and if possible, correct) any errors made in capturing the gist of the discussion.
>>>>> For consent as the legal basis, Eva and Bud suggested (https://lists.w3.org/Archives/Public/public-dpvcg/2019Apr/0005.html 1-APR) two types ('regular' and 'explicit') of consent from Article 6(1)(a), with a reference to A29WP guidelines on consent - that also mention these two terms.
>>>>> Rigo (skype call in F2F, 4-APR) suggested to remove the word 'regular' and simply call it consent, and provided the following definition for (previously regular) consent - "A data subject's unambiguous/clear affirmative action that signifies an agreement to process their personal data". (personal opinion - I think this was to provide a definition of 'consent' as a top-level concept in the taxonomy)
>>>>>
>>>>> Points I'm struggling with -
>>>>>
>>>>> (1) If the (regular) consent is used as a legal basis with the above definition - would it be valid under the GDPR given that it does not follow the definition of consent (A4-11) for being "freely given, informed"?
>>>>>
>>>>> (2) Where do we use the GDPR definition of consent (A4-11) in the taxonomy for legal basis of A6(1)(a) - 'regular' or 'explicit'?
>>>>>
>>>>> (3) In the guidelines for consent by A29WP (Sec.4, pg.18), 'regular' consent is mentioned in context - The GDPR prescribes that a “statement or clear affirmative action” is a prerequisite for ‘regular’ consent.
>>>>> In the same section, 'explicit' consent is mentioned as - "The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent."
>>>>> Given that I have no legal background, I'm confused as to wouldn't every 'regular' consent required by GDPR also be 'explicit' given the requirement for every consent to be an informed, specific, unambiguous indication by a statement or action (A4-11) - which covers descriptions of both terms by A29WP?
>>>>> Or, is the difference as follows:
>>>>> - regular - saying "I Agree"
>>>>> - explicit - saying "I Agree to XYZ" ← note explicit mention of what I'm agreeing to?
>>>>> But wouldn't this be covered by the information in the description of what they are agreeing to because consent should be informed?
>>>>> It does come to my mind that the 'explicit' in this case may refer to the requirement of stating that some information, such as special categories of data, need to be mentioned in an 'explicit' form in the 'informed' part of consent - in which case, does it qualify as a separate legal basis OR as the requirements for valid consent (and therefore not part of legal basis taxonomy)?
>>>>>
>>>>> (4) If conditions provided by A9(2)(a) count as a legal basis based on 'explicit' consent for special categories of personal data, do the following also count as a legal basis given that they are based on 'explicit' consent and are types of processing?
>>>>> - R72 Profiling
>>>>> - A22(2)(c) Automated individual decision-making, including profiling
>>>>> - A49(1)(a) transfers of personal data to a third country or an international organisation
>>>>>
>>>>> I don't mean to start a long discussion that may delay the work on wrapping up the taxonomy, so am willing to accept short answers (e.g. yes/no, use 'this' as definition); but at the same time it would be very helpful to clarify these things - both for the group as well as (personally) for my PhD work.
>>>>>
>>>>> Best,
>>>>> Harsh
>>>>>
>>>>> On 01/04/2019 14:36, Eva Schlehahn wrote:
>>>>>> Dear all,
>>>>>>
>>>>>> Bud and I developed further the taxonomy of legal bases according to the GDPR. Please find attached
>>>>>>
>>>>>> * in the Word document file Bud's version of such a vocabulary, as well as
>>>>>> * in the image file my extension of the already existing visualization from lawyer perspective. ;-)
>>>>>>
>>>>>> A pity I cannot make it to Vienna. I wish you all a fruitful meeting there. :-)
>>>>>>
>>>>>> Greetings,
>>>>>>
>>>>>> Eva
>>>>>>
>>>>>> --
>>>>>> Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
>>>>>> Eva Schlehahn, uld67@datenschutzzentrum.de
>>>>>> Holstenstraße 98, 24103 Kiel, Tel. +49 431 988-1204, Fax -1223
>>>>>> mail@datenschutzzentrum.de - https://www.datenschutzzentrum.de/
>>>>>>
>>>>>> Information on the processing of personal data by the State Commissioner for Data Protection and on encrypted e-mail communication: https://datenschutzzentrum.de/datenschutzerklaerung/
>>>
>>> --
>>> ---
>>> Harshvardhan Pandit
>>> PhD Researcher
>>> ADAPT Centre
>>> Trinity College Dublin
Received on Tuesday, 9 April 2019 11:52:23 UTC