Re: DPV Concepts for T&C, privacy policies, etc.

Hi Harsh,

I would like to introduce: privacy agreement, which is a legal policy tool for superseding some T&C’s and specifying a high quality consent which could use some discussion.

Use Case example,

The Canada v. USA use case where eLearning services use T&C + Contract Frameworks (IAB Canada) to stand up tracking and cookies + legal framework for children and youth meta-surveillance.

In non-US countries where an overarching public privacy framework is implemented, rights supersede the T&C’s, so for example, contracts are subject to the Charter of Rights and Freedoms, PIPEDA, and the like.

Mass data aggregation on people from many services can’t be combined and commercialized in Canada. Which is what Google does with meta-data of children across most 3rd Party eLearning services, including its own eLearning platforms. Arguably, in Canada, the public expectation is consent by design, school records are essentially data trusts, and the meta data produced from the records made for schooling and surveillance should be a part of this school record. It certainly should be protected by Government as Children and Youth’s Data is very sensitive, as it can be used by social media platforms to manipulate people.

On closer examination, there is no provision of notice of risks for meaningful consent when processing personal data, and no implementation of privacy rights in terms and conditions, or provisions for external complaints and access to data about the risks of services for data protection and security. (Required in a meaningful consent notice)

Extra-Territorial Issue: due to USA - Foreign Intelligence Surveillance Act, any non-US Citizen data is not protected with federal privacy rights. So, Canadian children’s eLearning data is not only not protected, it is commercialized. Due to lack of US federal privacy law, Google can collect meta-data, and copy data from everywhere in the world and combine it together with the T&C’s. Which then brings up the question of what safeguards, if not COPPA privacy protections and rights apply over the data once collected with a T&C framework from a foreign legal jurisdiction. Then of course the monopoly made where legally/policy disadvantages Canadian innovation are not allowed to collect eLearning metadata without consent.

To address problems like these in a performative way, the mechanism of a Privacy Agreement is also proposed, also usable as a tool (beyond enhancing a privacy policy) in which the data subject, or approved org/NGO, can create a Privacy Agreement for Consent controls, where the technical standards for rights and permissions are agreed to provide a governance framework or scheme.

In the Canadian use case, in which it is imagined Canadian privacy law will one day be enforceable, these extra-territorial T&C's highlight the lack of legitimacy of T&C’s or its accompanying privacy policy for use in many processing contexts. The issue of T&C’s (defined as a contract of adhesion) was the core use case of the Consent Receipt work at Kantara, which required an international consent record standard, so that any person can themselves make (or request) a consent receipt and withdraw consent for T&C’s.

In the case of eLearning services in Toronto Schools surveyed, T&C’s are indemnifying contracts that are internal processing focused, and most often reference outdated Privacy Shield and EU 94/95 Adequacy. With no mechanism for parental consent or rights defined/implemented. Purposely conflating the systems permissions with a human consent. (Arguably deceptive and breaking multiple Canadian privacy conditions)

IMO - The best features about proposed privacy agreement, as we are defining them in ANCR WG (@Kantara) is that it is a high quality [risk defined] consent directive, because people define the consent and set the defaults themselves guaranteeing a high online consent quality. (Reversing the data policy definition architecture) Ensuring a high level of consent and notice comprehension and reducing processing requirements and frictions. Arguably covering 3 types of consent specification - Directed Consent (Like Health Care Directives for any sensitive PII category), Consent by Design (notarized and tested understanding of consent or eConsent), Altruistic Consent (philanthropic - the consented party does not need to be identified prior to consent)

Regards,

Mark

PS One very laudable Canadian Legislative response, is the proposed Bill 64 from Quebec <http://m.assnat.qc.ca/en/travaux-parlementaires/projets-loi/projet-loi-64-42-1.html>. It is worth studying because it is progressive and it has provisions for what look like privacy agreements and agents. The specific reference I am including here is attached for 63.10. in which it appears the law turns (what we have been calling in the consent receipt) a purpose specification, into an example privacy agreement for public body processing of personal data.

On Mar 25, 2021, at 10:56 AM, Harshvardhan J. Pandit <me@harshp.com> wrote:

Hello,
As we discussed in the last call [1], it would be useful to define T&C, Privacy Policy, ROPA, etc. as concepts as they are relevant in the real-world use-cases.

From what I understand, T&C is essentially a form of contract, privacy policy is a 'policy document' - which is not legally binding but in practice fulfils obligations for information provision (e.g. GDPR Art.13 and Art.14), and ROPA is a document maintained by organisations for meeting legal obligations towards GDPR compliance.

So we have three concepts:
1. ContractAgreement --> Contract --> Terms & Conditions or Terms of Service ;; ControllerProcessorContract
2. Policies --> privacy-policy
3. RecordsDocumentation --> ROPA (specific to GDPR, I'll come to this later)

I propose that we have the concepts in DPV for contract, policies, records under OrganisationalMeasure. This does not preclude their use as legal obligations or artefacts. For example, we talked in the call about modelling a concept as LegalObligation, and where any organisational measure or activity can be defined as an obligation.

For the GDPR-specific concepts, such as ROPA, we extend them in DPV-GDPR from the base concepts in DPV. In this case, as a subclass of RecordsDocumentation.

Note that the ControllerProcessorContract is a general concept because it is not unique to GDPR, and is widely used in practice. Though I've seen this mentioned as "Controller - Processor Agreement" [2], my limited legal knowledge says that this is a contract (legally enforceable agreement) and in line with GDPR Art.28 regarding Processors [2].

Please correct me where I'm wrong. Thoughts, opinions, criticisms, suggestions welcome.

[1] https://www.w3.org/2021/03/24-dpvcg-minutes.html

[2] https://gdpr-info.eu/art-28-gdpr/ (when writing articles please do not use this as a canonical source of GDPR, use the official ELI/Eur-Lex citation)

Regards,
Harsh
--
Harshvardhan J. Pandit, PhD
ADAPT Research Centre @ Trinity College Dublin
https://harshp.com/research/

Received on Thursday, 25 March 2021 21:46:47 UTC