Re: Proposal and notes for Consent Concepts from Harshvardhan J. Pandit on 2022-07-19 (public-dpvcg@w3.org from July 2022)

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Tue, 19 Jul 2022 16:09:22 +0100
To: Mark Lizar <mark@openconsent.com>
Cc: "public-dpvcg@w3.org" <public-dpvcg@w3.org>
Message-ID: <0b803a81-f830-51ed-cf99-986e2f4f38a2@harshp.com>

Hi. Thank you for the comments. My replies are inline.

On 19/07/2022 13:14, Mark Lizar wrote:
> Although in data protection law, explicit, informed, and meaningful consent is defined. This represents one data governance risk vector but doesn’t actually address the individuals governance risk vector or a shared/community  governance risk frameworks.
> 

I've just transposed the legal requirements, nothing else here. 
Everything else is subjective and difficult to represent in the 
interests of interoperability.
> 
>> On Jul 15, 2022, at 7:07 PM, Harshvardhan J. Pandit<me@harshp.com>  wrote:
>>
>>
>> **New Concepts**
>>
>> 1.  ConsentRecord subtype of DataProcessingRecords
>> 2.  ConsentStatus subtype of Status, with subtypes Unknown, Requested, Refused,
>>     Given, Expired, Invalidated, Revoked, Reaffirmed
>> 3.  ConsentExpression with subtypes UninformedConsent, and InformedConsent - which
>>     has more subtypes as ImpliedConsent, and ExpressedConsent - which has more
>>     subtypes as ExplicitlyExpressedConsent.
> # 3 seems very complicated -

Not complicated enough - it doesn't include Freely Given, Unambigious, 
etc ... ;) But we'd add these in DPV-GDPR.

> 
>  From the human centric perspective everything can be interpreted as sometype of consent .

We're scoping ourselves to data protection / privacy laws and terms for 
the group.

> 
> e.g. implied, implicit, explicit, directed or even altruistic - the quality of the consent provided can be informed, meaningful and explicit, and all of these indicate a state of consent.  But not it’s status - which is missing - and I like
> 

Not sure what you mean by status, but there is a concept for the 
state/status of consent as expected for its validity.

> 
> 
>> **Breaking backwards compatibility**
>>
>> -   IF there are strong considerations for existing use of these properties, we
>>     can offer a "sunset period" where the current concepts/properties will
>>     continue to be in DPV for a period of time after which they will be
>>     retired, with a note to this effect in the spec. The new concepts will be
>>     added now and will be indicated as the preferred ones.
> Which properties ?

Existing properties specified for consent, i.e. 
https://w3c.github.io/dpv/dpv/#vocab-consent

> 
>> -   It is no longer possible to express both 'given time' and 'withdrawal time'
>>     over the same instance of consent. However, this loss has made awy to indicate
>>     a wider range of 'states' such as refused and reaffirmed which need their own
>>     timestamps (such as under GDPR and EU-DSA)
> Does re-affirmed = renewed?
> 

Yes, reaffirmed means to affirm or confirm something (again). "renew" 
would mean to repeat or reaffirm as well, but I chose what I thought was 
the most clear term to indicate confirming/granting again (i.e. 
repetition) that would not be confused again (e.g. repeating earlier 
refusal).

Regards,
-- 
---
Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin
https://harshp.com/

Received on Tuesday, 19 July 2022 15:08:21 UTC