Re: Consent Terms Feedback

Thanks for sending to the list, Harsh,

I really like a grant of consent, in terms of a specified purpose and in regard to a specific consent status.

What is missing is the difference between the legal justification called consent - and the technical instance / use of this consent by a system. They are greatly conflated.

This is why - for systems the term grant works very well when referring to a purpose specification for electronic notice and consent. E.g. a grant of consent for a specific purpose and instance of processing, in an already established privacy state.

I agree with the approach for the GDPR-specific legal justification called consent. But this is not the technical justification, nor is it the human understanding of consent - which may be legally used to provision rights.


On Jul 28, 2022, at 5:27 AM, Harshvardhan J. Pandit <me@harshp.com> wrote:

Hi. Replies are inline.
Is there any specific reason to not send this to the DPVCG mailing list? If so, please let me know.
I'm forwarding this to the mailing list in any case since this is pertinent to the discussion there, and I don't see any problematic content in here to not do this.

On 26/07/2022 07:39, Mark Lizar wrote:
Hi Harsh,
A couple of questions regarding consent.
1. Could consent given be changed to consent grant? There is a lot of confusion between permission for everyone and consent for a purpose in a system for an instance of processing. The technical term grant is being used in protocols as well.

I'm not sure what you mean by "consent grant(ed)" as distinct from "given consent". In DPV, currently there is just consent as a legal basis. My proposal [1] to add specific stages of consent has "given consent" because that is what the laws have (in those exact words e.g. GDPR Art. 6-1a). So the preference is to adhere to what the legal terms are and to reflect them in DPV.

[1] https://lists.w3.org/Archives/Public/public-dpvcg/2022Jul/0003.html

2. For consent 'has notice', could we express this as “notice has consent”? As consent is subject of notice in context, and well established rules/laws (out of context)
Given how?  hasProvisionMethod  hasIndicationMethod

You can use concepts as they suit your model with the updated proposal for consent terms. You can state "consent has notice" or "notice has legal basis consent".

Granted not Given, (for which purpose and what instance?)

We recommend using personal data handling to state purposes (etc.) and that the legal basis is consent. So consent does not have to be tied directly to a purpose, but indirectly via the personal data handling instance. You can follow another model based on your use-case, e.g. state consent is the legal basis for your app or service or purpose. See GConsent (https://w3id.org/GConsent) for an example of this.

Withdrawal how?  hasWithdrawalMethod  hasIndicationMethod
In terms of withdrawal - there is some confusion of what this legally means, aka does it mean the data subject's data?

Withdrawal means that consent has been rendered inactive by the data subject and is unable to be further used as justification to process data.

I like this - where is this explanation to consent withdraws located? And technically what does it mean? E.g. revocation of access to personal data for processing? Revoke, delete? Does the Controller have the right to anonymize and use under Legitimate interest?

Are these questions out of scope?

In the ANCR Specification, we map legal justifications to consent types and vice versa to enable human interoperability and access to privacy controls. Like withdrawal, and the controls and requirements for the effect of withdraws. The key purpose of this is to enable scalable transparency around the state of privacy and status of consent, in order to operationalize privacy standards.
Terms,
State of privacy refers to the privacy state a person is notified to. This traditionally involves a privacy state event log, like a pretty static table in a privacy policy. Which at minimum informs on changes in company status, ownership, and beneficial ownership of personal data. Change in the material state of processing.
Semantics
Status of consent refers to whether or not there has been a change to the 'state' of privacy notified, which in turn affects the status of processing. Once status is notified, the risk is mitigated by the accessibility to personal data controls.
A change to the state of privacy (data protection, or data control) as well as changes, or additional purpose) and the subsequent status of consent, which in some legal context, processing must become automatically restricted until the PII Principal is notified.

Were these proposals for terms to add to DPV? I don't see their sources - if they are self-defined and don't tie to anything legally or otherwise then I suggest first finalising them, publishing them, and then proposing them here.

I will post this in a separate thread.

Regards,
--
---
Harshvardhan J. Pandit, Ph.D
Research Fellow
ADAPT Centre, Trinity College Dublin
https://harshp.com/

Received on Thursday, 28 July 2022 15:36:10 UTC