Re: dpvcg-ACTION-66: Look into structuring processing categories, ramisa, bud, eva to help/review.

Hi Bud, everyone.

Thanks for making those points. I agree with you that A4(2) isn't the 
best basis for our taxonomy.

Progressing from your arguments, we have a few 'dimensions' along which 
processing can be categorised.

1) Relation to data

a) no effect on data

  - use (ways to use/consume data)

  - share, disclose, release (ways to disclose data)

b) can have an effect on the data

  - collect, obtain, record, observe (ways to obtain data)

  - store, record, persist (ways to keep data)

  - erase, delete, destroy (ways to remove data)

  - transfer, move (ways to move data)

  - combine, merge, coalesce (ways to amalgamate data)

  - refine, sort, structure, modify (ways to modify data)

  - (pseudo-)anonymisation (special case of modification)

2) scale

  - individual (processing is applied to specific individuals i.e. each 
individual is explicitly known)

  - sample (processing is applied to a specific sample of individuals 
where the size of sample is not significant to the number of 
individuals, essentially this is filtering)

  - large/big scale

3) impact on data subject

4) use of automated methods

  - includes machine learning (note that is not the same as using data 
as input to train machine learning models)

  - note: is not the same as use of algorithm - the difference is that 
an algorithm is considered pre-deterministic (for a simple explanation), 
whereas automation means machine learning means the outcome is not 
pre-determined from the data itself (requires better explanation and 
definition)

5) generation of effect

  - evaluation, scoring, profiling

  - creation of physical artefacts

6) use of methods and technologies

  - using human labour (manual work)

  - using untested technologies (experimental)

7) scope and boundary

  - cross-border

  - localised


The words nature, scope, and context are too vague and abstract (for me) 
to base the categories on them, especially since there are no examples 
of what they exactly mean.

In the same vein, we must be careful not to conflate processing with 
purpose i.e. the reason of processing must not be mixed with the 
category of processing e.g. production or delivery of goods.

Based on comments and discussions on this, we can decide how best to 
move forward.

- Harsh


On 26/02/2019 13:37, Bud Bruegger wrote:
> Hi Harsh,
>
> apologies for the delayed reply.
>
> Disclaimer:  I am not a lawyer but have worked with lawyers for some 
> time now.  Also, Eva is on sick leave and so I can't talk with her 
> about it.
>
> Art 4(2) GDPR, in my understanding, just tries to give the widest 
> possible definition for "processing" without concerns of 
> orthogonality, completeness, or suitedness to indicate certain cases 
> that need to be treated specifically.
>
> Also, the GDPR always speaks of data--while modern processing goes 
> way beyond the ancient data in, data out paradigm.  In particular, what 
> is excluded is (i) the "production" of "physical products" (e.g., a 
> passport or a dental prosthesis--both based on personal data but much 
> more than the data) and (ii) effects acting on the physical world (for 
> example, the control of a personal medical device that for example 
> controls the dispensing of medication based on various sensors).
>
> The GDPR uses the term "nature of processing" without giving a 
> definition.  So I propose that nature of processing could be:
> [output of data/information product, production of a physical 
> artefact, control of the physical environment/cyber-physical system]
>
> It seems that so far, the GDPR and consequently we have focused on the 
> first of the three.
>
> [NB, the GDPR uses other interesting adjectives of processing beyond 
> "nature":  scope, context.  And the Art29WP speaks of "scale" and "
>
> > The specific structuring is problematic because the GDPR definition
> > contains a lot of words which are difficult to understand e.g.
> > alteration and transfer. Sometimes it is not clear whether to use the
> > legal meaning of the term or one more closely aligned to technologies.
> > Can the legal experts assist with this?
>
> As said above, I am not a legal expert. BUT, I don't think that 4(2) 
> is a good basis for the vocabulary.
>
> When I think of the GDPR and what kinds of processing trigger certain 
> things, what comes to mind without systematic digging, is "Automated 
> individual decision-making, including profiling" (Art 22) and 
> "produces legal effects concerning him or her or similarly 
> significantly affects him or her" (also Art 22).
>
> The Art 29. Working Party (now European Data Protection Board) also 
> has issued an opinion [1] that uses other terms that characterize 
> processing including:
>
> * Evaluation or scoring
>
> * Automated-decision making with legal or similar significant 
> effect [Bud: financial effects??]
>
> * Systematic monitoring
>
> * Matching or combining datasets
>
> * processing that involves new technological or organisational solutions
>
> * processing that “prevents data subjects from exercising a 
> right or using a service or a contract” (Article 22 and recital 
> 91)
>
> These more or less seem to fit in the same dimension, although I don't 
> believe they are necessarily mutually exclusive.
>
> What isn't explicitly mentioned by the Art29WP is processing based on 
> machine learning or similar forms of AI.
>
> > I've also added profiling and cross-border processing as types from
> > their definitions in Article-4.
>
> Profiling is also mentioned by Art29WP and included above. 
> "Cross-border" in my conceptualization fits in a different 
> dimension, maybe the same that "scale of processing" fits in (The 
> Art29WP gives a definition of scale, one aspect being geographic extent).
>
> BTW, the bullet list above is a subset of things the Art29WP lists as 
> indicators of possible high risk--namely those that in my head fit 
> under "type of processing".  Others such as "scale", type of data 
> (sensitive, data of a highly personal nature--eg. location), type of 
> affected data subjects (children, vulnerable data subjects) I left out...
>
> Do you all think that we could start with the above sub-list from 
> Art29WP and discuss how to make it orthogonal and complete?
>
> best cheers
> -b
>
> [1] https://ec.europa.eu/newsroom/document.cfm?doc_id=47711 see pages 
> 9 and 10
>
> Am 22.02.2019 um 16:11 schrieb Harshvardhan J. Pandit:
>> Hello.
>> Here is a rudimentary categorisation of processing types, taken from 
>> the definition of processing in GDPR (A4-2)
>> https://github.com/dpvcg/processing
>>
>> At the broadest level, processing is categorised as obtaining data, 
>> using data, storing data, disclosing data, transferring data, 
>> transforming data, organising data, removing data, and automation 
>> (i.e. automated processing)
>>
>> The specific structuring is problematic because the GDPR definition 
>> contains a lot of words which are difficult to understand e.g. 
>> alteration and transfer. Sometimes it is not clear whether to use the 
>> legal meaning of the term or one more closely aligned to technologies.
>> Can the legal experts assist with this?
>>
>> I've also added profiling and cross-border processing as types from 
>> their definitions in Article-4.
>>
>> For processing (URI DataProcessing), I've added links to the 
>> definition of processing in Eurovoc. Eurovoc contains definitions for 
>> terms such as data collection and processing as well as links to 
>> other vocabularies such as UN and UNESCO. We should define links to 
>> such vocabularies once we have finalised the terms.
>>
>> Best,
>> Harsh
>>
>> On 12/02/19 7:21 PM, Data Privacy Vocabularies and Controls Community 
>> Group Issue Tracker wrote:
>>> dpvcg-ACTION-66: Look into structuring processing categories, 
>>> ramisa, bud, eva to help/review.
>>>
>>> https://www.w3.org/community/dpvcg/track/actions/66
>>>
>>> Assigned to: Harshvardhan Pandit
>>>
>>
>
-- 
---
Harshvardhan Pandit
PhD Researcher
ADAPT Centre
Trinity College Dublin

Received on Tuesday, 5 March 2019 15:12:19 UTC