Re: Consent Terms Feedback

Hi Harsh, (DPV Colleagues)

It would be great to get some feedback on this work, and to see if it can be useful to other projects and DPV.

On Jul 28, 2022, at 11:35 AM, Mark OCG <mark@openconsent.com> wrote:


Were these proposals for terms to add to DPV? I don't see their sources - if they are self-defined and don't tie to anything legally or otherwise then I suggest first finalising them, publishing them, and then proposing them here.

I will post this in a separate thread.


This is proposed to solicit further engagement around defining the technical state of privacy, and for querying the status of processing under a specified legal justification.

You have been quite clear that the consent referenced is specific to GDPR, and that the legal interpretation of a type of justification for processing in DPV is specific to GDPR.

The aim of this table is to standardize consent types to legal justifications. In the table below, we refer to this as the Explicit Consent type (not consent), so that it might be usable for advancing transparency signalling for privacy rights and negotiating processing control between people and systems.

Note: the table below currently references CoE Convention 108 as authoritative internationally, and ISO/IEC standards for references. Convention 108 is in the process of being adopted by European countries; I believe more than half have already adopted it. I have also included a table for referencing GDPR.

1. Human Interoperability

Consent and its resulting consensus is fundamentally about interoperability between people and systems, which is why a consent specification should be centric to the PII Principal rather than the enterprise or regulation, in order to provide clarity to all stakeholders.
This is why consent is incredibly valuable as a human interoperability protocol for trust and data control.


2. Consent Types

Consent types cover the spectrum of human contextual understanding, which is mapped to an identified or contextually explicit legal justification. The consent types are defined from the human-centric (PII Principal) perspective.
The key purpose of this table is to automate transparency and access to rights-based data controls that transfer liabilities and mitigate risks.

3. Mapping Consent Types to Legal Justifications

These are mapped here in order to provide a set of default transparency requirements for informing PII Principals of privacy state and status.
The aim is to simplify transparency for people and systems in regard to the legal regulations that are being standardized for international use.
The intent is to make it easier for the PII Principal and PII Controller to gain a shared understanding of digital privacy state and status, so that a PII Principal can access and use privacy rights to control personal information and its benefits.
Table: Legal Justifications to Consent Types

| Legal Justification | Description | Consent Type | Privacy Rights Control | References |
|---|---|---|---|---|
| Vital Interest of PII Principal | When unable or incapable of acting on one's own behalf (like emergency break-glass situations) | Implicit Consent | Access, Rectify, Forget/Erase, Restrict | ISO/IEC 29184, 5.4.2; CoE 108+ 10.2(c) |
| Vital Interest | Processing for preventative and occupational medicine | Directed Consent | Access, Rectify, Forget/Erase, Restrict | CoE 108+ 10.2(h,i), 10.3 |
| Consent | Explicit consent to processing for one or more specified purposes | Explicit Consent, Directed Consent, Altruistic Consent | Access, Rectify, Forget/Erase, Restrict, Object / Withdraw, Portability | 29184, 5.4.2; CoE 108+ 10.2(a) |
| | And where manifestly published by the PII Principal | Implicit Consent | Access, Rectify, Forget/Erase, Restrict, Object / Withdraw, Portability | CoE 108+ 10.2(e) |
| Contractual Necessity | | Implied Consent | Access, Rectify, Forget/Erase, Restrict, Portability; Right to be heard, Form | 29184, 5.4.2; CoE 108+ (43) |
| Legitimate Interest | | Implied Consent | None (according to DPC) | 29184, 5.4.2; CoE 108+ 10.2(d) |
| Public Interest | | Implied Consent/Consensus | Access, Rectification, Restriction, Object | 29184, 5.4.2; CoE 108+ 10.2(i,g,j) |
| Legal Obligation | Compliance with a legal obligation, e.g. processing is necessary for the establishment, exercise or defence of legal claims | | Access, Rectification, Restriction | ISO/IEC 29184, 5.4.2; CoE 108+ (f) |



Privacy Rights Short Code: Access, Rectify, Forget/Erase, Withdraw, Object, Restrict, Portability



Note: Participatory Consensus and Concentric Data Control are two outcome-specific conditions that will be added to this specification, to include an assessment for operational evidence of these two outcomes.
Concentric transparency is a design principle of electronic notice and evidence of consent. The outcomes are a shared (concentric) understanding of a relationship and the purpose of the digital interaction, the data control impact, and the associated risks, centric to the PII Principal.
Irish Data Protection Commissioner: Legal Justification to Rights

| Legal Justification | Right of Access | Right to Rectification | Right to Erasure | Right to Restriction | Right to Portability | Right to Object |
|---|---|---|---|---|---|---|
| Consent | Yes | Yes | Yes | Yes | Yes | ~ (can withdraw consent) |
| Contract | Yes | Yes | Yes | Yes | Yes | No |
| Legal Obligation | Yes | Yes | No | Yes | No | No |
| Vital Interests | Yes | Yes | Yes | Yes | No | No |
| Public Task | Yes | Yes | No | Yes | No | Yes |
| Legitimate Interests | | | | | | |

4. Mapping Consent Type to Legal Justifications

The objective of mapping consent types to legal justifications is to provide a mechanism for standardizing transparency of processing from the PII Principal's perspective.
Consent types facilitate human understanding, knowledge and transparency of the status of consent, and enable more refined controls to grant an instance of consent and to manage this instance as a category, which can then be revoked, restricted and objected to.
Consent types are further specified here and referenced to some sources that are non-normative internationally, which should be further specified to enable greater understanding, transparency and nuance in standardized privacy signaling.

| Consent Type | Description | Legal Justification | Legal Ref |
|---|---|---|---|
| Non-Operational (N/O) | Not enough notice/security information for digital privacy | Not compliant with any, if unable to determine or confirm the Controller or contact | CoE 108+ 79.1(a), GDPR |
| Implied Consensus/Consent | Refers to an explicit, directed or altruistic consent from a previous context (specified in the medical industry); is not valid for implicit consent | Vital Interest, Public Interest | IPC, Canada |
| Implicit | Refers to governance that is implicit to the action of the PII Controller | Legitimate Interest, Contract, Legal Obligation | |
| Expressed Consent | Expressed through the implicit action of a notified individual | Informed Consent | |
| Explicit Consent | Informed, freely given, knowledgeable consent | Consent which is knowledgeable of risk | CoE 108+.1(4)1b |
| Directed Consent | A consent directive is consent explicitly defined by the PII Principal for specific purposes, according to disclosures of risks that are notified | Meaningful consent, in which the individual has specified the consented purpose | Health Care Industry; US CFRA 42 |
| Altruistic Consent | Not knowing who the Controller of PII will be: consent to a purpose and public benefit governance framework, without knowing who the beneficiary is | Consent | DGA, Recitals 1, 2, 4, 36, 39 |

Received on Thursday, 28 July 2022 16:12:01 UTC