Taxonomy of Rights Impacts from Harshvardhan J. Pandit on 2024-08-27 (public-dpvcg@w3.org from August 2024)

From: Harshvardhan J. Pandit <me@harshp.com>
Date: Tue, 27 Aug 2024 17:59:41 +0100
To: Data Privacy Vocabularies and Controls Community Group <public-dpvcg@w3.org>
Cc: Tytti Rintamäki <tytti.rintamaki@adaptcentre.ie>
Message-ID: <bab95038-e7e3-4031-96d8-b510188c98f8@harshp.com>

Hi.
Below is my proposed rights taxonomy. I'm not a legal expert, so this is 
based on identifying the different ways in which rights are discussed 
and looking up materials discussing rights. The goal of the taxonomy is 
to assist in identifying what the 'impact' of a process would be on a 
particular right or rights e.g. if a technology fails, which of these 
are likely to happen, and if they happen then how will the associated 
right be affected.

- `RightDenied' - denial that a right exists or applies e.g. argue
   that GDPR Art.20 data portability does not apply at all to data
   inferred by a Controller. The denial of the right refers to the
   argument that a right does not apply at all for a particular case.
- `RightLimited' - limit the scope of a right e.g. argue that GDPR
   Art.20 does not apply to data inferred by a Controller. The
   limitation refers to the applicability and scope of the right, and
   not in the ability to exercise that right. Limitation is therefore
   fulfilment of the right and its obligations - but for a scope other
   than what was intended or expected.
- `RightUnfulfilled' - unfulfilment of a right exercise e.g. not all
   data provided for GDPR Art.20. Here unfulfilment refers to
   non-completion of the right's obligations and processes.
- `RightViolated' - breach of a right in terms of its obligations,
   typically in a deliberate fashion e.g. the controller intentionally
   does not support Art.20 implementation for a specific data category
   to avoid providing the data. Violation of a right is a bar for
   actionable actions by an authority. Other impacts on right may be
   found to construe a violation of the right, but that is not
   necessarily always the case i.e. not all impacts are violations of a
   right.
- `RightEroded' - weakening of the right e.g. the right to privacy is
   gradually eroded by normalising surveillance advertising on the
   web. Erosion of rights typically only applies to passive rights
   which always apply, since for active rights the exercise of that
   right is what enables it. An active right can be eroded over time it
   is limited consistently and increasingly such that the scope of the
   right is reduced over time.
- `RightObstructed' - obstruction of the right or its exercise
   e.g. administrative procedures make it difficult to exercise the
   Art.20 and require excessive form filling and other cumbersome
   activities like identity verification. In obstruction, the right is
   not denied, limited, or unfulfilled - but the requirements to enable
   exercise of the rights are increased to the point of discouraging or
   obstructing the exercise of that right.

- Other terms considered, which were then simplified in the above
   taxonomy. The simplification is to reduce the number of concepts
   required to describe the impact for each right i.e. creating 6
   impacts for each right instead of the 15 or so below.
   * Infringement: delay or limit a right, which could be partial
     infringement to refer to delaying or limiting part of a right, or
     complete infringement which would mean delaying or limiting the
     entire right
   * Violation: direct/intentional or indirect
   * Erosion: gradual or systemic
   * Denial: explicit/directly or implicit
   * Obstruction: administrative/procedural or systematic
     (e.g. technology)

Regards,
-- 
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/

Received on Tuesday, 27 August 2024 16:59:47 UTC