[minutes] 2019-01-22 dpvcg

See also: https://www.w3.org/2019/01/22-dpvcg-minutes


      [1] https://www.w3.org/

                             – DRAFT –
 Data Privacy Vocabularies and Controls Community Group Teleconference

22 January 2019

   [2]Previous meeting [3]Agenda [4]IRC log

      [2] https://www.w3.org/2019/01/08-dpvcg-minutes.html
      [3] https://www.w3.org/mid/36891304.CWuKmcZnDW@nyx
      [4] https://www.w3.org/2019/01/22-dpvcg-irc


          Bert, Bud, Eva, Harsh, Javier, Mark, Martin, simonstey





     * [5]Meeting minutes
     * [6]Summary of action items
     * [7]Summary of issues

Meeting minutes

   Agenda for today: [8]https://lists.w3.org/Archives/Public/

      [8] https://lists.w3.org/Archives/Public/public-dpvcg/2019Jan/0008.html

   Bert: any concerns about previous minutes of meeting? (no

   Bert: Axel proposed (via email) to move the next meeting by -/+
   1 hour. We'll talk about that at the end of the meeting.

   <Bert> [9]actions

      [9] https://www.w3.org/community/dpvcg/track/actions/open

   Bert: looking for any actions we can close

   <Bert> action-13?

   <trackbot> action-13 -- Stefano Bocconi to Propose use case(s)
   for the decode project -- due 2018-08-14 -- CLOSED

   <trackbot> [10]https://www.w3.org/community/dpvcg/track/

     [10] https://www.w3.org/community/dpvcg/track/actions/13

   <Bert> action-33?

   <trackbot> action-33 -- Harshvardhan Pandit to Summarize
   elements of consent from the mails and align with mark lizar on
   "concent receipt" definition (e.g. on delegation) -- due
   2018-11-13 -- OPEN

   <trackbot> [11]https://www.w3.org/community/dpvcg/track/

     [11] https://www.w3.org/community/dpvcg/track/actions/33

   <Bert> action-42?

   <trackbot> action-42 -- Eva Schlehahn to Look into requirements
   of data protection assessment, and whether it would make sense
   to formalize that in terms of what we standardize -- due
   2018-12-10 -- OPEN

   <trackbot> [12]https://www.w3.org/community/dpvcg/track/

     [12] https://www.w3.org/community/dpvcg/track/actions/42

   harsh: regarding consent, we (me and Mark) are talking about a
   minimum version of consent receipt which can incorporate DPVCG

   Eva: I'm looking(-ed) at the opinion of Article 29 WP, for
   cases such as impact assessment which can assist us in
   understanding which data can be considered sensitive

   Eva: it is difficult to assess whether data is sensitive
   because they are context sensitive and this makes it difficult
   to capture it in a vocabulary

   Eva: I would consider this action point as done since the
   information cannot be categorised based on the opinion

   <Bert> close action-42

   <trackbot> Closed action-42.

   harsh: would it be helpful to list the criteria / concepts
   about the assessment and have them as the ontology?

   Eva: I can share the points of assessment (from my research)
   with the mailing list and we can discuss if it is useful to use

   Mark: is this the difference between high risk and risk?

   Action: Eva to send mail to list with the criteria for data
   protection assessment from EDPB

   <trackbot> Created ACTION-59 - Send mail to list with the
   criteria for data protection assessment from edpb [on Eva
   Schlehahn - due 2019-01-29].

   Eva: In the opinion (A29 WP) they have described if such a high
   risk exists or can exist and controllers are expected to carry
   out the assessment to see if this is possible

   Mark: In Canada, there was a call for comments, and resulted in
   update to privacy laws, where risk must be provided for
   meaningul consent. So this is a similar activity on risk.

   Eva: Let's discuss these criteria on the mailing list (after I
   share them), as they are highly context dependant which are
   evolving constantly.

   Mark: (regarding consent) Kantara is working with/for a working
   group for ISO 29184 for consent/privacy notices, and this work
   is going in an annex in that report. The idea is to create a
   minimal viable consent report which can be extended by
   different organisations.

   Mark: so there can be an extension submitted by this work group
   and reviewed in that context.

   <Bert> action-48?

   <trackbot> action-48 -- Harshvardhan Pandit to Look into
   classifications of organisations that could serve as a basis
   for clsssifying data controllers -- due 2018-12-11 -- OPEN

   <trackbot> [13]https://www.w3.org/community/dpvcg/track/

     [13] https://www.w3.org/community/dpvcg/track/actions/48

   shared email for categories of organisations [14]https://

     [14] https://lists.w3.org/Archives/Public/public-dpvcg/2018Dec/0021.html

   Mark: There are SIC codes (different ones for North America,
   EU, UN (UK?). So we can use that as a company classification.
   And a company can have a service which can be different from
   the company classification. In GDPR, it refers to categories
   from SIC codes.

   Eva: what might be relevant is that there could be different
   purposes or could mix into each other (for big corps)

   Mark: the primary purpose or the core purpose has been brought
   up a few times - too much flexibility can increase confusion

   harsh: should we summarise this as using SIC (or compatible)
   codes to define categories of organisations?

   Mark: GDPR specifically mentions terms/categories defined by
   trade bodies

   Eva: it is useful to revisit the question of "why" we need
   categories of controllers

   harsh: GDPR code of conduct mentions categories

   Bert: so it may be that there are far lesser categories than
   SIC codes specify

   Bert: we can close this action and have another look at where
   this categories are useful?

   <Bert> close action-48

   <trackbot> Closed action-48.

   Issue: where are categories of data controllers used, where are
   they useful? (cf. recital 98, 99, 100)

   <trackbot> Created ISSUE-9 - Where are categories of data
   controllers used, where are they useful? (cf. recital 98, 99,
   100). Please complete additional details at <[15]https://

     [15] https://www.w3.org/community/dpvcg/track/issues/9/edit>.

   Mark: R98, R99, R100 are relevant for categories of controllers

   <Bert> action-57?

   <trackbot> action-57 -- Harshvardhan Pandit to Start
   definitionsions of the high-level purposes at [16]https://
   -be-discussed.29 and map them to purposes collected from use
   cases -- due 2018-12-18 -- OPEN

     [16] https://www.w3.org/community/dpvcg/wiki/purposes_for_handling_personal_data#high-level_categories_.28to-be-discussed.29

   <trackbot> [17]https://www.w3.org/community/dpvcg/track/

     [17] https://www.w3.org/community/dpvcg/track/actions/57

   page in wiki: [18]https://www.w3.org/community/dpvcg/wiki/

     [18] https://www.w3.org/community/dpvcg/wiki/Purposes_for_handling_Personal_Data

   harsh: I have added brief descriptions to the wiki page (link

   <Bert> action-58?

   <trackbot> action-58 -- Eva Schlehahn to Look at iab europe
   consent framework -- due 2019-01-15 -- OPEN

   <trackbot> [19]https://www.w3.org/community/dpvcg/track/

     [19] https://www.w3.org/community/dpvcg/track/actions/58

   Eva: there are only 5 purposes which are generic, and there's
   no information on how they envision changes to the policy or
   consent (withdraw, updates, changes), or if data subject wants
   to have something rectified

   Eva: I don't understand vendor as a concept, and some of the
   terms are generic . I'm sceptical of its use to the community.

   <Javier> sorry we can also discuss action-55

   Eva: what would be useful is where the vendors are located, how
   they share data - these are all missing.

   harsh: vendors in this sense refers to anyone who wants to sell
   ads and thereby collect consent

   <Bert> close action-58

   <trackbot> Closed action-58.

   <Bert> action-55?

   <trackbot> action-55 -- Javier D. Fernández to Look into how to
   align special duration vocab with “deletion-ideas” from eva’s
   slide (e.g. include no-retention, deleted-by, etc.) in our
   vocabulary -- due 2018-12-11 -- OPEN

   <trackbot> [20]https://www.w3.org/community/dpvcg/track/

     [20] https://www.w3.org/community/dpvcg/track/actions/55

   <Javier> - no-retention: no storage beyond using once

   <Bert> close action-55

   <trackbot> Closed action-55.

   <Javier> - stated purpose: until purpose has been fulfilled

   <Javier> - legal-requirement: storage period defined by a law
   requiring it

   <Javier> - business practices: requires a deletion concept of

   <Javier> - Indefinitely: e.g. for really anonymized data,
   public archives...

   <Javier> - delete-by_ or delete-x-date_month_after <event>

   javier: for action-55, I spoke with Eva for our SPECIAL
   use-cases and these are the options for retention.

   Javier: (to Eva) do you have any specific events for the last

   Eva: this was for example for controllers that have legal
   obligations to keep the data after a certain time e.g. billing

   Javier: if it is a time then its fine, but if it's event-based
   then can we know what these events are?

   Eva: these are context-dependant, e.g. purpose fulfilling in a

   Eva: I can look at the use-cases to see if it matches with the
   deletion rules ideas

   Mark: (to Eva) are these the exceptions to the specified
   purpose (as in retention for one purpose but deletion for some
   other purpose)

   Eva: there can be differentiation between usage data and
   billing data, then these datasets can be handled according to
   different storing periods

   Action: eva to look at use cases in the wiki to see if one
   matches the deletion rules ideas Eva posted (especially
   deletion depending on an event or purpose rather than a fixed

   <trackbot> Created ACTION-60 - Look at use cases in the wiki to
   see if one matches the deletion rules ideas eva posted
   (especially deletion depending on an event or purpose rather
   than a fixed period) [on Eva Schlehahn - due 2019-01-29].

   harsh: in this case, the law overrides the GDPR rather than the
   GDPR having an exception?

   Javier: we have a term legal / law (?) that can be a URI to a

   Bert: about the next call, there was an request from Axel if we
   can have the call +/-1 hour

   Proposed is next telco on 12th (rather than 5th) February and
   holding it at 2 rather than 4

   no objections

   Next call confirmed on 12th Feb 14:00

   Action: bbos to schedule webex for 12 Feb 14:00

   <trackbot> Created ACTION-61 - Schedule webex for 12 feb 14:00
   [on Bert Bos - due 2019-01-29].

Summary of action items

    1. [21]Eva to send mail to list with the criteria for data
       protection assessment from EDPB
    2. [22]eva to look at use cases in the wiki to see if one
       matches the deletion rules ideas Eva posted (especially
       deletion depending on an event or purpose rather than a
       fixed period)
    3. [23]bbos to schedule webex for 12 Feb 14:00

Summary of issues

    1. [24]where are categories of data controllers used, where
       are they useful? (cf. recital 98, 99, 100)

    Minutes manually created (not a transcript), formatted by
    Bert Bos's [25]scribe.perl version 2.52 (2019/01/22
    11:01:10), a reimplementation of David Booth's
    [26]scribe.perl. See [27]CVS log.

     [25] https://dev.w3.org/2002/scribe2/scribedoc.html
     [26] https://dev.w3.org/2002/scribe/scribedoc.htm
     [27] https://dev.w3.org/cvsweb/2002/scribe2/

Received on Thursday, 24 January 2019 18:51:06 UTC