TPI Scheme Up for Comment.

Dear DPV,

It is with great pleasure that  I am able to announce new work, now that the consent receipt information structure is published by ISO, we have a conformance scheme we are working on for digital consent adeqauacyl

Everyone here is invited to take a look at the ANCR WG at Kantara Initiative Digital Transparency and Consent, conformance and compliance scheme, specifying to Convention 108+ - which is the international law that the GDPR mirrors (required, so that the spec is internationally usable in Canada) But, this TPI scheme is designed for ISO/IEC 29100 and can be used for 27560, as well as national privacy laws.

The TPI  Digital Transparency 4 Consent Assessment Specification is  here<https://github.com/KantaraInitiative/WG-ANCR/blob/main/TPI/ANCR-TPI-Conformity%20Specification%20v0.7.5.docx>,   for anyone interested in commenting here is the comment form, <https://github.com/KantaraInitiative/WG-ANCR/blob/main/TPI/ANCR%20WG-Comment-Submission-TPI-Scheme1.xlsx>  link on Git,

And, we have an event to announce, on Sept 22nd, to mark the day consent law becomes enforceable in Canada.  You are all welcome of courser ;-)

<https://www.sept22.0pn.org/>
[MicrosoftTeams-image.jpeg]
0PN<https://www.sept22.0pn.org/>
sept22.0pn.org<https://www.sept22.0pn.org/>


Kind Regards,

Mark





On Sep 4, 2023, at 6:34 PM, Mark Lizar <mark@openconsent.com> wrote:

I propose we make it crystal clear,.  Humans manage consent and systems manage permissions.

On Sep 4, 2023, at 6:31 PM, Mark Lizar <mark@openconsent.com> wrote:

Hi Harsh,

We would like to request a very clear separation between consent and permission.

Eg.  Consent is provided for a purpose and a context, permissions can be bundled to a consent for a purpose.

In Canada Consent Law, a consent for a secondary purpose is allowed for any legal justifcaiton for processing, which required a permissions, to ask for a secondary consent.  As it is normally the individual that direct or request consent.

This is a critical privacy control, confusing or at all conflating consent with a system permission is a significant point with regards to the I Agree, button in which Meta was fined on May 22nd 1.2 billion, and then on Aug 14th, Norwqeigon data protection authority starting fining Meta 100 k a day.

Permissions obtained are not valid consent.  And, tbh, this is the purpose behind the consent receipt and subsequently 27560.   Please be sure to make it very clear that a permission for a processing activity is not a purpose for consent.  And in particular cookies, or and digital identity management requires the permission to be opt-in for digital identity management to be legally compliant.  E.g. a cookie is a receipt, which is auction off to the highest bidder,  Meta data is actually very sensitive micro-data, that is being processed without consent @ Meta.,

And Finally, to make things more fun - Meta is currently blocking news to Canada on their platform.     IN this regard please take more consideration on this critically significant point.  =

Mark


On Sep 4, 2023, at 1:41 PM, Harshvardhan J. Pandit <me@harshp.com> wrote:

Hi.
Currently we have no way to specify "permission" of the data subject without the legal basis being consent - as required by the PSD3 use-case below.

---

https://edps.europa.eu/press-publications/press-news/press-releases/2023/financial-and-payment-services-use-personal-data-should-remain-proportionate-and-fair_en


"The EDPS welcomes the efforts made to ensure the Proposals’ consistency with the General Data Protection Regulation (GDPR).  Both Proposals should specify that the granting of ‘permissions’ to access financial data does not equate to giving consent under the GDPR. Likewise, all processing of personal data following a request to access an individual’s financial data must have an appropriate legal basis under the GDPR."

---

My proposal is as follows:


- `Consent`: is already a legal basis, and is the individual's permission (based on validity criteria e.g. information in notice)
- `Permission`: will be added as a legal basis (exact term TBD), and is an affirmative action in order to initiate or continue a process; this makes consent a type of permission with specific additional requirements

- `ObtainPermission`: an organisational measure that asks for permission in order to start or continue a process
- `AddressObjection`: an organisational measure that addresses an objection before starting or while continuing a process

- `ProvideOptIn`: an organisational measure that provides the ability to someone else to initiate the process i.e. to opt into the process
- `ProvideOptOut`: an organisational measure that provides the ability to someone else to stop the process i.e. to opt out of the process

---

Confusion questions:

1) Permission (legal basis) vs Obtaining Permission (TOMs) - a legal basis is a process providing a justification for enabling something which is regulated or required by law, and where the law determines where it can be used and its validity. An Organisational Measure is determined by the Organisation in terms of how and where it is used. Therefore, if the permission is legally required, then it is a legal basis, and if it is the organisation's decision - then it is a TOMs. We have to use different terms - i.e. "Obtaining Permission" for one of these (I chose TOMs) - to distinguish the concepts.

2) Permission vs Consent: Permission can be by the data subject or another entity, and can be for personal data or non-personal data. Permission for personal data does not necessarily mean consent e.g. in the above statement by EDPS, it is clearly stated thus. Consent is a type of Permission however - "prior permission" to be more specific. But we should not get into the pedantic modelling of this within DPV. What matters is that users can issue permissions without it being 'consent' (under GDPR).

3) Obtaining Permission vs Providing Opt-in: These two reflect two different perspectives with the same end result of the (e.g.) user deciding when to start a process. Permission is asking the user if they want to permit. Opt-in is giving the ability for the user to decide - whenever they want to - whether they want to start a process. A checkbox or dialog asking if it is okay to do something is obtaining a permission rather than an opt-in. A dialog or checkbox asking if you would like to use the beta version is an opt-in rather than a permission. So the phrasing and intent matters in choosing the correct term.

These concepts have obvious overlaps, but my intent here is to point out that if defined in the manner above - they have their distinctions and uses from being distinguished. Their common use has led to confusion about their usage, which is definitely not helped with idiotic uses such as "opt-in consent" or its evil counterpart - "opt-out consent". For DPV, these concepts should be defined precisely as their legal meaning rather than the technical haphazard interpretations. In the end, no harms will come to pass if someone uses "Obtaining Permission" instead of "Providing Opt-in", but having the ability to accurately represent the term of choice would certainly help.

---

NOTE1: No DPVCG meeting this THU SEP-07. Next meeting is on THU SEP-14.
NOTE2: There are two major proposals which will be implemented on SEP-30. Please see https://lists.w3.org/Archives/Public/public-dpvcg/2023Aug/0015.html


Regards,
--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/

Received on Monday, 4 September 2023 23:25:42 UTC