Re: Taxonomy of Rights Impacts from Harshvardhan Pandit on 2024-08-30 (public-dpvcg@w3.org from August 2024)

From: Harshvardhan Pandit <me@harshp.com>
Date: Fri, 30 Aug 2024 07:11:27 +0100
To: "Gabriel Hogan" <gabriel.hogan8@mail.dcu.ie>
Cc: "Georg Philip Krog" <georg@signatu.com>, "Data Privacy Vocabularies and Controls Community Group" <public-dpvcg@w3.org>, Tytti Rintamäki <tytti.rintamaki@adaptcentre.ie>
Message-Id: <30487048-2e10-4b67-8c72-ced321342c7d@app.fastmail.com>
Thanks Gabriel.
I don't think we are detached from legal context completely as that is unavoidable since the goal is to model impacts on legally recognised rights.

Instead, my argument is that instead of mimicking the full legal discourse of how rights are affected - which is lengthy, diverse, and complex - we should aim for a simpler taxonomy to model how the right may be impacted. 

We have active and passive rights as the two general categories of rights. For these, how can an activity affect them is what the taxonomy should model. Whether the active or passive right is derived from law or contract or has temporal characteristics is something that we can think of later if there is a demand to do this in DPV. The goal for the current exercise is to support obligations such as DPIA and AI ACT FRIA - which I think can be done better/at scale with the simplified taxonomy.

Regards,
Harsh

On Thu, 29 Aug 2024, at 11:07, Gabriel Hogan wrote:
> Hi Harsh,
> I understand the intent to separate the model from the legal constructs but I'm not sure that this can be avoided entirely.
> I'm not from a legal background so I would defer to the more knowledgeable contributors. But my understanding rights are context based and not absolute, i.e. they are conditional. I might have a civil 'legal' right that would not have the same affect/impact as the 'right' established under sanction. These 'rights' are also temporal, i.e. the nature and meaning of these can change over time.
> I think to model this properly a legal input will be required.
> 
> Regards,
> Gabriel
> 
> 
> 
> On Tue, 27 Aug 2024 at 20:25, Harshvardhan J. Pandit <me@harshp.com> wrote:
>> Hi Georg.
>> Thank you for the distinction.
>> Yes, the intent is to model how the right is affected/impacted, so that 
>> it can be used in risk/impact assessments to identify the consequences 
>> of a process on specific rights. The goal is to keep it simple enough 
>> that it is feasible for organisations and individuals to do this 
>> activity without getting into the complexities of a full legal 
>> investigation or discourse regarding rights.
>> 
>> Regards,
>> Harsh
>> 
>> On 27/08/2024 19:11, Georg Philip Krog wrote:
>> > Hi Harsh
>> > 
>> > Thank you for sharing.
>> > 
>> > There are many types of rights (correlative to an obligation, not correlative to an obligation, etc), and they can be enforcable or not enforcable, and a breach of a right can give liability or no liability.
>> > 
>> > Do you want to express how a right can be affected regardless of the above?
>> > 
>> > Best regards
>> > Georg
>> > 
>> >> 27.08.2024 kl. 19:00 skrev Harshvardhan J. Pandit <me@harshp.com>:
>> >>
>> >> Hi.
>> >> Below is my proposed rights taxonomy. I'm not a legal expert, so this is based on identifying the different ways in which rights are discussed and looking up materials discussing rights. The goal of the taxonomy is to assist in identifying what the 'impact' of a process would be on a particular right or rights e.g. if a technology fails, which of these are likely to happen, and if they happen then how will the associated right be affected.
>> >>
>> >> - `RightDenied' - denial that a right exists or applies e.g. argue
>> >>   that GDPR Art.20 data portability does not apply at all to data
>> >>   inferred by a Controller. The denial of the right refers to the
>> >>   argument that a right does not apply at all for a particular case.
>> >> - `RightLimited' - limit the scope of a right e.g. argue that GDPR
>> >>   Art.20 does not apply to data inferred by a Controller. The
>> >>   limitation refers to the applicability and scope of the right, and
>> >>   not in the ability to exercise that right. Limitation is therefore
>> >>   fulfilment of the right and its obligations - but for a scope other
>> >>   than what was intended or expected.
>> >> - `RightUnfulfilled' - unfulfilment of a right exercise e.g. not all
>> >>   data provided for GDPR Art.20. Here unfulfilment refers to
>> >>   non-completion of the right's obligations and processes.
>> >> - `RightViolated' - breach of a right in terms of its obligations,
>> >>   typically in a deliberate fashion e.g. the controller intentionally
>> >>   does not support Art.20 implementation for a specific data category
>> >>   to avoid providing the data. Violation of a right is a bar for
>> >>   actionable actions by an authority. Other impacts on right may be
>> >>   found to construe a violation of the right, but that is not
>> >>   necessarily always the case i.e. not all impacts are violations of a
>> >>   right.
>> >> - `RightEroded' - weakening of the right e.g. the right to privacy is
>> >>   gradually eroded by normalising surveillance advertising on the
>> >>   web. Erosion of rights typically only applies to passive rights
>> >>   which always apply, since for active rights the exercise of that
>> >>   right is what enables it. An active right can be eroded over time it
>> >>   is limited consistently and increasingly such that the scope of the
>> >>   right is reduced over time.
>> >> - `RightObstructed' - obstruction of the right or its exercise
>> >>   e.g. administrative procedures make it difficult to exercise the
>> >>   Art.20 and require excessive form filling and other cumbersome
>> >>   activities like identity verification. In obstruction, the right is
>> >>   not denied, limited, or unfulfilled - but the requirements to enable
>> >>   exercise of the rights are increased to the point of discouraging or
>> >>   obstructing the exercise of that right.
>> >>
>> >> - Other terms considered, which were then simplified in the above
>> >>   taxonomy. The simplification is to reduce the number of concepts
>> >>   required to describe the impact for each right i.e. creating 6
>> >>   impacts for each right instead of the 15 or so below.
>> >>   * Infringement: delay or limit a right, which could be partial
>> >>     infringement to refer to delaying or limiting part of a right, or
>> >>     complete infringement which would mean delaying or limiting the
>> >>     entire right
>> >>   * Violation: direct/intentional or indirect
>> >>   * Erosion: gradual or systemic
>> >>   * Denial: explicit/directly or implicit
>> >>   * Obstruction: administrative/procedural or systematic
>> >>     (e.g. technology)
>> >>
>> >> Regards,
>> >> -- 
>> >> ---
>> >> Harshvardhan J. Pandit, Ph.D
>> >> Assistant Professor
>> >> ADAPT Centre, Dublin City University
>> >> https://harshp.com/
>> >>
>> 
>> -- 
>> ---
>> Harshvardhan J. Pandit, Ph.D
>> Assistant Professor
>> ADAPT Centre, Dublin City University
>> https://harshp.com/
> 
> *Séanadh Ríomhphoist/*
> 
> *Email Disclaimer*
> 
> Tá an ríomhphost seo agus aon chomhad a sheoltar leis faoi rún agus is lena úsáid ag an seolaí agus sin amháin é. Is féidir tuilleadh a léamh anseo. <https://www.dcu.ie/iss/seanadh-riomhphoist.shtml>  <https://www4.dcu.ie/iss/seanadh-riomhphoist.shtml>
> 
> *This e-mail and any files transmitted with it are confidential and are intended solely for use by the addressee. Read more here. <https://www.dcu.ie/iss/email-disclaimer.shtml> *
>
Received on Friday, 30 August 2024 06:11:52 UTC