Re: Proposal and notes for Consent Concepts

Hi Harsh,

> On Jul 19, 2022, at 8:55 PM, Harshvardhan J. Pandit <me@harshp.com> wrote:
> 
> Hi. Thank you for the comments. My replies are inline.
> 
> On 19/07/2022 13:14, Mark Lizar wrote:
>> Although in data protection law, explicit, informed, and meaningful consent is defined, this represents one data governance risk vector but doesn’t actually address the individual's governance risk vector or a shared/community governance risk framework.
> 
> I've just transposed the legal requirements, nothing else here. Everything else is subjective and difficult to represent in the interests of interoperability.

Actually, everything else isn’t subjective. If anything, the GDPR data protection vector of governance is more subjective than the international counterparts.

In Canada we have something in legislation called meaningful consent. Meaningful consent, and evidence of this, is what is required to make a proof of consent digitally in our implementation.

In our implementation, how consent is defined is human centric, not data protection centric.
This maps to implied consent being a reference to a legal justification other than consent, e.g. for a legal obligation, best interests of the PII Principal, or in the Public Interest. A contract is an agreement which we have taken great pains to pull apart from privacy, which has been enabled by the GDPR, which defined the 6 legal justifications.

Implicit consent standardized and codified (not just explicit consent - which is defined in data protection law) is a technical opportunity to streamline interaction with a code of practice / conduct. But the DPV currently indicates that it is the Controller that defines purpose, and this is not always the case. (And it shouldn’t be)
> 
>>> On Jul 15, 2022, at 7:07 PM, Harshvardhan J. Pandit <me@harshp.com> wrote:
>>> 
>>> 
>>> **New Concepts**
>>> 
>>> 1.  ConsentRecord subtype of DataProcessingRecords
>>> 2.  ConsentStatus subtype of Status, with subtypes Unknown, Requested, Refused,
>>>    Given, Expired, Invalidated, Revoked, Reaffirmed
>>> 3.  ConsentExpression with subtypes UninformedConsent, and InformedConsent - which
>>>    has more subtypes as ImpliedConsent, and ExpressedConsent - which has more
>>>    subtypes as ExplicitlyExpressedConsent.
>> # 3 seems very complicated -
> 
> Not complicated enough - it doesn't include Freely Given, Unambiguous, etc ... But we'd add these in DPV-GDPR.
- what do you think the reference “freely given” actually refers to?
> 
>> From the human centric perspective everything can be interpreted as some type of consent.
> 
> We're scoping ourselves to data protection / privacy laws and terms for the group.

Then you're not scoping consent. You're scoping consent for the data protector (not the human consent controller), which is where the DPV should note this limitation.
> 
>> e.g. implied, implicit, explicit, directed or even altruistic - the quality of the consent provided can be informed, meaningful and explicit, and all of these indicate a state of consent.  But not its status - which is missing - and I like
> 
> Not sure what you mean by status, but there is a concept for the state/status of consent as expected for its validity.

The ability to see and share the Active privacy state. 
> 
>>> **Breaking backwards compatibility**
>>> 
>>> -   IF there are strong considerations for existing use of these properties, we
>>>    can offer a "sunset period" where the current concepts/properties will
>>>    continue to be in DPV for a period of time after which they will be
>>>    retired, with a note to this effect in the spec. The new concepts will be
>>>    added now and will be indicated as the preferred ones.
>> Which properties ?
> 
> Existing properties specified for consent, i.e. https://w3c.github.io/dpv/dpv/#vocab-consent

> 
>>> -   It is no longer possible to express both 'given time' and 'withdrawal time'
>>>    over the same instance of consent. However, this loss has made way to indicate
>>>    a wider range of 'states' such as refused and reaffirmed which need their own
>>>    timestamps (such as under GDPR and EU-DSA)
>> Does re-affirmed = renewed?
> Yes, reaffirmed means to affirm or confirm something (again). "renew" would mean to repeat or reaffirm as well, but I chose what I thought was the most clear term to indicate confirming/granting again (i.e. repetition) that would not be confused again (e.g. repeating earlier refusal).

We use renew, and renewals requirements,
> 
> Regards,
> -- 
> ---
> Harshvardhan J. Pandit, Ph.D
> Research Fellow
> ADAPT Centre, Trinity College Dublin
> https://harshp.com/

Received on Wednesday, 20 July 2022 04:58:14 UTC