Re: Consent Terms Feedback

Hi. Replies are inline.
Is there any specific reason to not send this to the DPVCG mailing list? 
If so, please let me know.
I'm forwarding this to the mailing list in any case since this is 
pertinent to the discussion there, and I don't see any problematic 
content in here to not do this.

On 26/07/2022 07:39, Mark Lizar wrote:
> Hi Harsh,
> A couple of questions regarding consent.
> 1. Could consent given be changed to consent grant?  There is a lot of 
> confusion between permission for everyone and consent for a purpose in a 
> system for an instance of processing.   The technical term grant is 
> being used in protocols as well,

I'm not sure what you mean by "consent grant(ed)" as distinct from 
"given consent".  In DPV, currently there is just consent as a legal 
basis. My proposal [1] to add specific stages of consent has "given 
consent" because that is what the laws have (in those exact words e.g. 
GDPR Art. 6-1a). So the preference is to adhere to what the legal terms 
are and to reflect them in DPV.


> 2. For consent 'has notice', could we express this as “notice has 
> consent”?  As consent is subject of notice in context, and well 
> established rules/laws (out of context)
> Given how?  hasProvisionMethod  hasIndicationMethod

You can use concepts as they suit your model with the updated proposal 
for consent terms. You can state "consent has notice" or "notice has 
legal basis consent".

> Granted not Given, (for which purpose and what instance?)

We recommend using personal data handling to state purposes (etc.) and 
that the legal basis is consent. So consent does not have to be tied 
directly to a purpose, but indirectly via the personal data handling 
instance. You can follow another model based on your use-case, e.g. 
state consent is the legal basis for your app or service or purpose. See 
GConsent ( for an example of this.

> Withdrawal how?  hasWithdrawalMethod  hasIndicationMethod
> In terms of withdrawal - there is some confusion of what this legally 
> means, aka does it mean the data subject's data?

Withdrawal means that consent has been rendered inactive by the data 
subject and is unable to be further used as justification to process data.

> In the ANCR Specification, we map legal justifications to consent types 
> and vice versa to enable human interoperability and access to privacy 
> controls. Like withdrawal, and the controls and requirements for the 
> effect of withdraws.  The key purpose of this is to enable scalable 
> transparency around the state of privacy and status of consent, in order 
> to operationalize privacy standards.
> Terms,
> State of privacy refers to the privacy state a person is notified to. 
>   This traditionally involves a privacy state event log, like a pretty 
> static table in a privacy policy.  Which at minimum informs on changes 
> in company status, ownership, and beneficial ownership of personal data. 
>   Change in the material state of processing.
> Semantics
> Status of consent refers to whether or not there has been a change to 
> the 'state' of privacy notified, which in turn affects the status of 
> processing.  Once status is notified, the risk is mitigated by the 
> accessibility to personal data controls.
> A change to the state of privacy (data protection, or data control)  as 
> well as changes, or additional purpose)  and the subsequent status of 
> consent, which in some legal context, processing must become 
> automatically restricted until the PII Principal is notified.

Were these proposals for terms to add to DPV? I don't see their sources 
- if they are self-defined and don't tie to anything legally or 
otherwise then I suggest first finalising them, publishing them, and 
then proposing them here.

Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin

Received on Thursday, 28 July 2022 09:28:14 UTC