Re: Adding Permission, Consent, Opt-in, Opt-out

Thanks for the further clarity Harsh,

I think we might actually be talking about 2 different type of permissions, or at least 2 different definitions, using the same word permission.   A significant issue is a technical term also being used as a human term, which are vocabulary words the have this extra risk, which clearly needs to be identifiable.

These 2 appear to be,

1. For an individual to permit something to happen, an individual is permissive to a service for example.   Rather than agree, or consent, the processing is permitted by the Principal (or delegate) very much agreement and contract based semantic,
2. The distinction between purpose - e.g consent to a purpose of use and its associated  permissions is different, that the individual having to be permissive.   In that notice and consent can be used for information sharing in this way.   Which arguably  native to how a human operates, and human centric  based through engagement.

There is a lot of science behind

Differentiating system permissions and pop-ups that are for permitting read/write/delete type of access controls, for preferences,  (not consent) like those managed by  digital identity management technologies for example,  permission to use my credit card # for the purpose of buying an item online, vs my preference to not be marketed too, while still being tracked without consent, is a well know problem scenario with permission-ing.

For a consented purpose, these permissions can be presented and bundled, in one dialogue, or even less with an industry icon, like the Voila Verified Icon, for the Pan Canadian Trust Framework.

WRT  - Opt-in and  Opt-Out

* These are very good for permissive settings, which do not provide any evidence or knowledge of what you are opting into, (no receipt) and when separate from the notice, there is big security / dark pattern problem, we are all well aware of, data broker to now LLM.



Kind Regards,


Mark


FWIW, A

There are a few methods for obtaining and providing proof of knowledge for meaningful consent, which is a law in Canada. Providing a Notice Receipt, is definitely what is being recommended by the ANCR WG, as a way to govern with transparency, and as a way to address Digital transparency and trust requirements.
In the ANCR WG, we also, have  Two Factor Concentric Notice - which provides proof of notice Receipt. The presentation of the controller credential and privacy rights, with a public privacy policy, (or what is called in Quebec Privacy Law, a Confidentiality Policy) is required.   With this a  receipt that is generated upon engaging with a notice, notification, or disclosure dialog. By either the PII Principal or Controller.
[Note: This could also be called, A  Digital Transparency Privacy Agreement, if required to create some interoperable vocabulary is justified]

FWIW, B

The proof of notice receipt, like a transaction receipt, can be used to complain with, it can be used to delete data remotely (aka return goods) as a coupon, a ticket or  an access token, and it can be used to compare the state in which a PII Principal agrees’ to provide explicit consent, to the current / most recent state of processing  to see independently if the service provider, meets personal expectations and is therefore  trustworthy to me, the individuals expectations, and my free, prior and informed choice.




On Sep 5, 2023, at 11:45 AM, Harshvardhan J. Pandit <me@harshp.com> wrote:

Hi. Thanks - it seems to me that we are looking at different perspectives. Mine is about how an organisation justifies its processing activities. Yours to me seems to be about how the individuals perceive its requests.

To clarify, DPV doesn't necessarily model concepts based on what the individual/user 'sees' - that's up to the implementation to decide what wording or phrasing best suits. So it can be consent, but if it makes it easier for users to understand 'permission' - then using 'permission' label instead of 'consent' is fine for that use-case.

What DPV focuses on is how the law requires information e.g. GDPR says you MUST justify using data with one of these (Art.6-1). Most of the other global regulations now follow the same model where a legal basis is required. In this, a 'Permission' when used as a legal basis is distinct from how a 'system' uses 'permissions' because it has legally defined requirements for where it can be used, how, etc. In effect, there are two different 'languages' - one for describing things in a way that is legally relevant i.e. what information must organisations keep in their records, and another one describing things in a way that is system/UX relevant i.e. how to describe what is being shown to the user. DPV is the former. We need another language to describe the latter - but this language will be limited to the use-cases it draws requirements from.

MyData dictionaries seem to 1) not contain information how they work with legal bases (which is okay); and 2) operate on the 'implementation' side where the 'permission' is a reduction from a legal basis that only specifies whether something can be done or not (true/false). So in this sense, MyData permissions are like the end-state indicator for whether some process is allowed or prohibited after a legal basis has been evaluated. E.g.

1) if consent is given for Purpose X, then the permission for X is true.
2) if contract allows Purpose X, then the permission for X is true.
3) if legal obligation requires purpose X, then the permission for X is true.

Such 'technical uses' of 'permission' are 'lossy' because they do not contain information on what kind of permission it is, and their primary use is to describe if a process should be executed or not. But the word 'Permission' is still useful to denote IF used in the sense that you provide the users with a choice in either of the three cases. Hence the addition of 'Obtaining Permission' as an organisational measure so that it is compatible with what is legally required/allowed.

- Harsh

On 05/09/2023 15:34, Iain Henderson wrote:
Yes, as I see it “permission’ is always the word that should be what the individual sees; but yes there are different types of permission that carry different rights and duties. So they do involve additional, specific processes; but they still create permissions. When individuals are managing hundreds of relationships, most of which don’t ’self clean’ then that simplification is the best option in my view.
I’m see-ing ‘permission’ as being a sub-set of an agreement which would cover multiple permissions (themselves having differing types which would be visible at lower levels of detail/ through iconography).
Might need more discussion.
Cheers
Iain
On 5 Sep 2023, at 15:21, Harshvardhan J. Pandit <me@harshp.com> wrote:

Hi.
To summarise, some of these 'Permission' instances will be 'Consent'? As in 'Consent' is a special form of 'Permission'?
IF yes, then I think we are in agreement.

Though the difference between Permission and Consent is important, because for Consent the 'simple' toggle/checkbox may not be sufficient - and why we need to distinguish the concepts.

I note that linguistically, it would be better to have 'Agreement' as the broader concept for 'Permission' as it would cover consent and contracts. And then, it would indicate to choose the most appropriate form of 'agreement' from the taxonomy - whether it be t&c, permission, or consent.

Regards,
Harsh

On 05/09/2023 15:11, Iain Henderson wrote:
My take would be that ‘Permission’ is a good word that sits on the side of the individual, can easily be explained; and amounts to a yes/ no flag at a point in time. Individuals do not have the time nor the inclination to understand the various nuances beyond that.
Then, on the organisational side, there should be a mapping between each data related permission granted or withdrawn by an individual and one of the GDPR/ DPV legal bases for data processing.
That model then allows us to build out a large and extensible list of permissions that can be standardised over time (some already are); so that when an individual says ‘I give you permission to do XXX with YYY data’ then both parties can be referring to the same thing. That allows us to move beyond each and every organisation having a different way to say ‘would you like to subscribe to our newsletter’ for example.
You can see a start point for that approach to using Permissions at the MyData Dictionary, which is the start of a core, open personal data model as seen from the individual perspective.
Implementation example attached with some standardisable permissions.
MyData Dictionary <https://dictionary.mydata.org/ <https://dictionary.mydata.org/>>
dictionary.mydata.org<http://dictionary.mydata.org/> <http://dictionary.mydata.org/><https://dictionary.mydata.org/<https://dictionary.mydata.org/>>
<https://dictionary.mydata.org/ <https://dictionary.mydata.org/>>
<https://dictionary.mydata.org/ <https://dictionary.mydata.org/>>
MyData Dictionary <https://dictionary.mydata.org/perms/<https://dictionary.mydata.org/perms/>>
dictionary.mydata.org<http://dictionary.mydata.org/> <http://dictionary.mydata.org/><https://dictionary.mydata.org/perms/<https://dictionary.mydata.org/perms/>>
<https://dictionary.mydata.org/perms/ <https://dictionary.mydata.org/perms/>>
<https://dictionary.mydata.org/perms/ <https://dictionary.mydata.org/perms/>>
Happy to discuss further if useful.
Cheers
Iain
Screenshot 2023-09-05 at 15.10.14.png
On 4 Sep 2023, at 18:41, Harshvardhan J. Pandit <me@harshp.com> wrote:

Hi.
Currently we have no way to specify "permission" of the data subject without the legal basis being consent - as required by the PSD3 use-case below.

---

https://edps.europa.eu/press-publications/press-news/press-releases/2023/financial-and-payment-services-use-personal-data-should-remain-proportionate-and-fair_en


"The EDPS welcomes the efforts made to ensure the Proposals’ consistency with the General Data Protection Regulation (GDPR).  Both Proposals should specify that the granting of ‘permissions’ to access financial data does not equate to giving consent under the GDPR. Likewise, all processing of personal data following a request to access an individual’s financial data must have an appropriate legal basis under the GDPR."

---

My proposal is as follows:


- `Consent`: is already a legal basis, and is the individual's permission (based on validity criteria e.g. information in notice)
- `Permission`: will be added as a legal basis (exact term TBD), and is an affirmative action in order to initiate or continue a process; this makes consent a type of permission with specific additional requirements

- `ObtainPermission`: an organisational measure that asks for permission in order to start or continue a process
- `AddressObjection`: an organisational measure that addresses an objection before starting or while continuing a process

- `ProvideOptIn`: an organisational measure that provides the ability to someone else to initiate the process i.e. to opt into the process
- `ProvideOptOut`: an organisational measure that provides the ability to someone else to stop the process i.e. to opt out of the process

---

Confusion questions:

1) Permission (legal basis) vs Obtaining Permission (TOMs) - a legal basis is a process providing a justification for enabling something which is regulated or required by law, and where the law determines where it can be used and its validity. An Organisational Measure is determined by the Organisation in terms of how and where it is used. Therefore, if the permission is legally required, then it is a legal basis, and if it is the organisation's decision - then it is a TOMs. We have to use different terms - i.e. "Obtaining Permission" for one of these (I chose TOMs) - to distinguish the concepts.

2) Permission vs Consent: Permission can be by the data subject or another entity, and can be for personal data or non-personal data. Permission for personal data does not necessarily mean consent e.g. in the above statement by EDPS, it is clearly stated thus. Consent is a type of Permission however - "prior permission" to be more specific. But we should not get into the pedantic modelling of this within DPV. What matters is that users can issue permissions without it being 'consent' (under GDPR).

3) Obtaining Permission vs Providing Opt-in: These two reflect two different perspectives with the same end result of the (e.g.) user deciding when to start a process. Permission is asking the user if they want to permit. Opt-in is giving the ability for the user to decide - whenever they want to - whether they want to start a process. A checkbox or dialog asking if it is okay to do something is obtaining a permission rather than an opt-in. A dialog or checkbox asking if you would like to use the beta version is an opt-in rather than a permission. So the phrasing and intent matters in choosing the correct term.

These concepts have obvious overlaps, but my intent here is to point out that if defined in the manner above - they have their distinctions and uses from being distinguished. Their common use has led to confusion about their usage, which is definitely not helped with idiotic uses such as "opt-in consent" or its evil counterpart - "opt-out consent". For DPV, these concepts should be defined precisely as their legal meaning rather than the technical haphazard interpretations. In the end, no harms will come to pass if someone uses "Obtaining Permission" instead of "Providing Opt-in", but having the ability to accurately represent the term of choice would certainly help.

---

NOTE1: No DPVCG meeting this THU SEP-07. Next meeting is on THU SEP-14.
NOTE2: There are two major proposals which will be implemented on SEP-30. Please see https://lists.w3.org/Archives/Public/public-dpvcg/2023Aug/0015.html


Regards,
--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/



--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/ <https://harshp.com/>

--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/

Received on Tuesday, 5 September 2023 22:13:26 UTC