- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Mon, 2 Oct 2023 09:23:07 +0100
- To: public-dpvcg@w3.org
- Cc: Delaram Golpayegani <delaram.golpayegani@adaptcentre.ie>
Hi All. I support these proposals having previously discussed these with Delaram in the context of AI impact assessments, and think they are useful to distinguish and understand the nature of impact on an intended/active subject or otherwise. For Active Data Subjects - I am aware of two possible interpretations relating to 'active' being used for 'awareness' as Delaram's description does, and another one for 'involvement'. In either case, I suggest we do not limit the criteria to be defined only based on 'consent' - GDPR has several other legal bases with the subject's 'active' involvement. 1) For 'active' as 'aware': We can expand the definition to subjects who have been 'informed' about the 'specific intended processing'. This allows better representation for cases such as legitimate interest, public interest, and legal obligation where data subject may not be aware of the processing - but a notice may inform them about it. 2) For 'active' as 'involved': whether the subjects have an ability to control the processing - consent is self-explanatory, legitimate interest has opt-out. Contracts are complicated - the data subject agrees to it, but it may involve mandatory obligations which may have the subject in a passive role. So this categorisation refers to 'controls' available to the subject to stop the processing. To distinguish these, I suggest we use 'active' in the sense of #2 above to denote subjects who have 'active capacity to control processing', and use 'aware' or 'informed' (and unaware/uninformed) subjects for #1 to denote subjects who are informed or are aware of the processing. @delaram - let us know if the JRC folks already have a preference for either of the two interpretations. It would be best if we use the same terms to mean the same things. NOTE: this week's meeting will be upon request - I won't be attending, so if folks want to discuss this or other things, I will leave the meeting room open. We will be meeting as usual on WED next week. Regards, Harsh On 02/10/2023 09:08, Delaram Golpayegani wrote: > Dear all, > > Following a discussion with Harsh, I would like to propose adding the > following categories of *dpv:DataSubject*: > > *Intended Data Subject*: The data subjects whose data is intended to be > processed by the system, e.g. an examinee sitting on an online test that > is proctored by an AI system or a passenger, passing the border control > check, whose data is being processed for migration monitoring. > > > *Unintended Data Subject*: The data subjects whose data is not intended > to be collected and processed by the system, however there is a chance > that it would, e.g. a person, other than the examinee, whose video is > captured and processed by a student proctoring system. > > *Active Data Subject:* The data subjects who are aware of and have given > consent to collection and processing of their data, e.g. an examinee > sitting on an online exam proctored by an AI-based system. > > *Passive Data Subject*: The data subjects who are not aware of > collection and processing of their data, e.g. a passenger, passing the > border control check, whose data is being processed for migration > monitoring. > > > Happy to discuss it further in the next DPVCG meeting. > > Regards, > Delaram > > -- --- Harshvardhan J. Pandit, Ph.D Assistant Professor ADAPT Centre, Dublin City University https://harshp.com/
Received on Monday, 2 October 2023 08:23:16 UTC