Re: Event Updated: DPVCG Meeting Call 15 May 2024

Hi Iain,

That's a great idea. We are and have been working on this for years, and have the consent receipt v2, with consent token specification.

Essentially, the piece I would really enjoy working out / discussing with this group is finishing purpose specification for the 6 legal justifications, as the purposes defined somewhat by this.  In addition, 3 to 4 years ago, I presented the types of consent, mapped to legal justification and the rights to this group.   But at this time it was not considered by DPV.

What's even more interesting now is that we have the approach of Consent by Design, which is effectively about digital transparency for security and privacy interoperability (or digital privacy for short), which requires a receipt and record, just like in banking.

In consent by design - all the notice, notification and disclosures are specified semantically to be from the consent, a protocol we are calling AuthC - which is authentication from consent. It doesn't matter what the legal justification is, the transparency modality and semantics are always human centric and from the capture of real consent. In this regard, it is the notice and the action of the individual and the context that defines the purpose. In this way consent is captured, as long as it complies with transparency modalities. To which we have identified 23 transparency notice, notification and disclosure requirements in the GDPR which are required depending on the legal justification. The Kantara Transparency Performance Scheme <https://kantara.atlassian.net/wiki/x/O4P5EQ> is what is used to assess whether or not the consent is legally valid.

The way it works is really simple. The PII Controller record <https://kantara.atlassian.net/wiki/spaces/WA/pages/312378386/ANCR+0PN-TFP+-+PII+Controller+Notice+Credential.doc> (not consent record) is linked to any notice or sign with the Signalling icon (AKA the consent gateway for privacy as expected), the notice and the semantics are specified using ISO/IEC 29100 and the DPV, the PII Principal clicks on the I accept button, and the controller credential is used to generate a notice record and consent/notice receipt, which provides legal proof of notice, aka proof of knowledge.

The reason we call it a consent receipt is that this receipt can then be used to direct consent for a secondary purpose, regardless of the legal justification, independent of the provider.  This has immense benefits in multiple ways especially for data governance, it is the Law in Quebec Canada.

Just like receipts working currency  banking, works the same for knowledge banking.

It’s getting really fun now, after addressing some of these really puzzling challenges that have stumped us in the past.

Happy to contribute this to and support this work I.  DPV

Best,

Mark





On May 16, 2024, at 2:46 AM, Iain Henderson <iain@jlinc.com> wrote:

Hi Mark, I see where you are coming from and agree. This issue has been noted previously, and I have taken the action to come up with a proposed ‘human’ extension for DPV that introduces that lens that is oriented for a reader / user of DPV (or an agent acting on their behalf) to have a framing of specific that works for them.

Happy to have you contribute that if you think that works?

Cheers

Iain

On 16 May 2024, at 06:14, Mark Lizar <mark@openconsent.com> wrote:

Simply put,

Consent is provisioned from the individual — it’s from a person - the semantics must reflect this. While the standard might say consent record, in reality it is a record of notice, which provides proof of knowledge that gives the legal evidence of consent. So ‘obtain consent <https://github.com/w3c/dpv/issues/115#issuecomment-1793416931>’ is not correct semantic as this would be obtain permission.

The trouble with enterprise type of legal perspective is that the semantics are all interpreted from the institutional perspective in DPV, while consent in law is actually human legal perspective. This means consent comes from people, it’s not a something is too someone - e.g. obtained from them. It could be ‘provided’ or it could be captured, indicated through action, but only if it is informed in accordance with Chapter 1 Transparency Modalities in GDPR.

Does this help?

Mark

On May 15, 2024, at 10:05 AM, Harshvardhan Pandit <me@harshp.com> wrote:

Hi Mark.
I have the same understanding - and I am not disagreeing with you - but I don't understand what you're asking here (sorry). What do you - specifically - want to add or change or remove from DPV? DPVCG does not make requirements for how things work - we provide a specification for representation of information for requirements that come from e.g. law or standards.

On 15/05/2024 14:54, Mark Lizar wrote:
Hi Harsh,
Consent is human and legally defined, and this is how it is defined in law. Both must be considered. Systems manage permissions, humans manage consent, and consent is implied through the purpose of an action. Most importantly, consent can only be provided if there is sufficient transparency, it is not something that happens independent of notice. For consent to be valid, the identity of the controller must first be provided, or else consent cannot be provided.
- Mark
On 15 May 2024, at 09:26, Harshvardhan Pandit <me@harshp.com> wrote:

Hi Mark.
We are modelling consent as defined in laws and legal terminology. From the perspective of the individual, they 'provide' consent. From the perspective of the organisation, they 'obtain' (or collect) consent. I don't think we are conflating consent and permissions.

On 15/05/2024 14:22, Mark Lizar wrote:
Hi All,
There is a huge issue in that Consent and Permission are very confused.
Systems obtain permission, permission is given, all of which can happen without the consent or consensus of the individual. The semantics are incredibly important, as the dark patterns in the identity management is a significant problem.
Best,
Mark
On 15 May 2024, at 09:05, Mark Lizar <mark@openconsent.com> wrote:

Hi Harsh,

Consent is provided not obtained,

On 14 May 2024, at 16:10, Harshvardhan J. Pandit (W3C Calendar) <noreply+calendar@w3.org> wrote:

View this event in your browser <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/>

DPVCG Meeting Call 15 May 2024 (Upcoming, Confirmed)

15 May 2024, 14:00 -15:00 Europe/Dublin

Event is recurring weekly on Wednesday, starting from 2024-04-24, until 2024-12-19

Data Privacy Vocabularies and Controls Community Group <https://www.w3.org/groups/cg/dpvcg/calendar/>

This is the weekly DPVCG meeting call


   Agenda

Agenda <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/>

Previous minutes: https://w3id.org/dpv/meetings/meeting-2024-05-08

This meeting will be chaired by Beatriz with apologies from Harsh

To confirm issue can be closed: (the text will be updated after concepts are finalised)

 * justifications: https://github.com/w3c/dpv/issues/83 see live:
   https://harshp.com/dpv/justifications/
 * statuses for involved, intention, entity informed:
   https://github.com/w3c/dpv/issues/116 see live:
 * human involvement and automation:
   https://github.com/w3c/dpv/issues/108 see live:
   https://harshp.com/dpv/dpv/#vocab-context-status
 * Tech extension - dropped prefix 'Technology' from actors:
   https://github.com/w3c/dpv/issues/142
 * Tech extension - added cloud concepts, status, docs, removed
   categories: https://github.com/w3c/dpv/issues/47
 * AI Act add Prospective Provider:
   https://github.com/w3c/dpv/issues/146
 * added GDPR principles, see live:
   https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles (fyi,
   confirm its okay)

To discuss:

 * measures for consent obtain, withdraw etc.:
   https://github.com/w3c/dpv/issues/115 - added controls for
   consent, see live:
   https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls
 * Express 'goal' or 'purpose' of technology -
   https://github.com/w3c/dpv/issues/85, see
   https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html proposing tech:hasIntendedUse

Reminder:

 * DPV v2 release schedule https://github.com/w3c/dpv/milestone/4

Help wanted:

 * update README.md and docs - https://github.com/w3c/dpv/issues/144
 * add profile metadata to dpv rdf -
   https://github.com/w3c/dpv/issues/141
 * review contents (when ready) -
   https://github.com/w3c/dpv/issues/127

AOB


   Joining Instructions


Join the meeting <https://dcu-ie.zoom.us/j/92216714069?pwd=NUIrZWFmWDF0bExhU3V2ak43L3lrUT09>


   Participants


     Groups

 * Data Privacy Vocabularies and Controls Community Group
   <https://www.w3.org/groups/cg/dpvcg/> (View Calendar
   <https://www.w3.org/groups/cg/dpvcg/calendar/>)


--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/


Received on Thursday, 16 May 2024 15:27:35 UTC