- From: Mark Lizar <mark@openconsent.com>
- Date: Thu, 16 May 2024 18:09:05 +0000
- To: Harshvardhan Pandit <me@harshp.com>
- CC: "Harshvardhan J. Pandit (W3C Calendar)" <noreply+calendar@w3.org>, "public-dpvcg@w3.org" <public-dpvcg@w3.org>
- Message-ID: <6BD461C0-7959-49AA-BAD6-C914CDCF69ED@openconsent.com>
Hi Harsh,
With great respect to you and your work, and as a sociologist / anthropologist with a law degree and an MSC in Social Research methods, I have focused research on surveillance and consent for over two decades in security and digital identity industry, I disagree with you, and the way you interpret the law.
1. A record of notice aka a receipt is proof of valid digital consent for the individual
2. An organisation requesting ‘’consent’ is a request for permission to extend the already present consent. Consent comes from the individuals actions not an organisation request. - this is how consent works in reality and this is clearly not defined either way in the GDPRc - this is your opinion Harsh.
Kind Regards,
Mark
On May 16, 2024, at 2:23 AM, Harshvardhan Pandit <me@harshp.com> wrote:
Hi. Thanks for the explanation.
I disagree with the premise that a consent record is a record of notice - it is a record of whether consent has been obtained by the organisation and provided by individual. The process by which the organisation must ask and get the consent is separate from the individual's process by which they make a decision. Hence the two processes of obtaining consent, and providing consent. This is also how the law describes it AFAIK.
The concept obtain consent is required when an authority asks how an organisation is collecting or obtaijing consent. The use of provide consent is required when an authority asks how an individual is expressing their decision.
If consent is being requested by the organisation then then the notice would be provided by the organisation - which would be part of Obtain consent. If the consent is being provided by the individual without any request from the organisation i.e. they initiate the consent themselves - then they may already have the notice or have made a decision without one being given by the organisation. This is how it works for data altruism. So DPV enables both use cases.
Obtain permission as the concept would not be appropriate as we are modelling consent and not permissions.
On Thu, 16 May 2024, at 06:14, Mark Lizar wrote:
Simply put,
Consent is provisioned from the individual — it’s from a person - the semantics must reflect this. While the standard might say consent record, in reality it is a record of notice, which provides proof of knowledge that give the legal evidence of consent. So ‘obtain consent<https://github.com/w3c/dpv/issues/115#issuecomment-1793416931>’ is not correct semantic as this would be obtain permission,
The trouble with enterprise type of legal perspective is that the semantics are all interpreted from the institutional perspective in DPV, while consent in law is acutally human legal perspective. This means consent comes from people, it’s not a something is too someone - e.g. obtained from them. It could be ‘provided’ or it could be captured, indicated through action, but only if is informed in accordance with Chapter 1 Transparency Modalities in GDPR.
Does this help?
Mark
On May 15, 2024, at 10:05 AM, Harshvardhan Pandit <me@harshp.com> wrote:
Hi Mark.
I have the same understanding - and I am not disagreeing with you - but I don't understand what you're asking here (sorry). What do you - specifically - want to add or change or remove from DPV? DPVCG does not make requirements for how things work - we provide a specification for representation of information for requirements that come from e.g. law or standards.
On 15/05/2024 14:54, Mark Lizar wrote:
Hi Harsh,
Consent is human and legally defined, and this is how it is defined in law. Both must be considered. Systems manage permissions, human manage consent, and consent is implied through the purpose of an action. Most importantly, consent can only be provided if there is sufficient transparency, it is not something that happens independent of notice. For consent to be valid, the identity of the controller must first be provided, or else consent cannot be provided.
- Mark
On 15 May 2024, at 09:26, Harshvardhan Pandit <me@harshp.com> wrote:
Hi Mark.
We are modelling consent as defined in laws and legal terminology. From the perspective of the individual, they 'provide' consent. From the perspective of the organisation, they 'obtain' (or collect) consent. I don't think we are conflating consent and permissions.
On 15/05/2024 14:22, Mark Lizar wrote:
Hi All,
There is a huge issue in that Consent and Permission are very confused.
Systems obtain permission, permission is given, all of which can happen with out the consent or consensus of the individual. The semantics are incredibly important, as the dark patterns in the identity management is a significant problem.
Best,
Mark
On 15 May 2024, at 09:05, Mark Lizar <mark@openconsent.com> wrote:
Hi Harsh,
Consent is provided not obtained,
On 14 May 2024, at 16:10, Harshvardhan J. Pandit (W3C Calendar) <noreply+calendar@w3.org> wrote:
View this event in your browser <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/<https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/>>
DPVCG Meeting Call 15 May 2024 ^Upcoming ^Confirmed
15 May 2024, 14:00 -15:00 Europe/Dublin
Event is recurring weekly on Wednesday, starting from 2024-04-24, until 2024-12-19
Data Privacy Vocabularies and Controls Community Group <https://www.w3.org/groups/cg/dpvcg/calendar/<https://www.w3.org/groups/cg/dpvcg/calendar/>>
This is the weekly DPVCG meeting call
Agenda
Agenda <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/<https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/>>
Previous minutes:https://w3id.org/dpv/meetings/meeting-2024-05-08<https://w3id.org/dpv/meetings/meeting-2024-05-08><https://w3id.org/dpv/meetings/meeting-2024-05-08<https://w3id.org/dpv/meetings/meeting-2024-05-08>>
This meeting will be chaired by Beatriz with apologies from Harsh
To confirm issue can be closed: (the text will be updated after concepts are finalised)
* justifications:https://github.com/w3c/dpv/issues/83<https://github.com/w3c/dpv/issues/83>
<https://github.com/w3c/dpv/issues/83<https://github.com/w3c/dpv/issues/83>> see live:
https://harshp.com/dpv/justifications/<https://harshp.com/dpv/justifications/>
<https://harshp.com/dpv/justifications/<https://harshp.com/dpv/justifications/>>
* statuses for involved, intention, entity informed:
https://github.com/w3c/dpv/issues/116<https://github.com/w3c/dpv/issues/116>
<https://github.com/w3c/dpv/issues/116<https://github.com/w3c/dpv/issues/116>> see live:
* human involvement and automatino:
https://github.com/w3c/dpv/issues/108<https://github.com/w3c/dpv/issues/108>
<https://github.com/w3c/dpv/issues/108<https://github.com/w3c/dpv/issues/108>> see live:
https://harshp.com/dpv/dpv/#vocab-context-status<https://harshp.com/dpv/dpv/#vocab-context-status>
<https://harshp.com/dpv/dpv/#vocab-context-status<https://harshp.com/dpv/dpv/#vocab-context-status>>
* Tech extension - dropped prefix 'Technology' from actors:
https://github.com/w3c/dpv/issues/142<https://github.com/w3c/dpv/issues/142>
<https://github.com/w3c/dpv/issues/142<https://github.com/w3c/dpv/issues/142>>
* Tech extension - added cloud concepts, status, docs, removed
categories:https://github.com/w3c/dpv/issues/47<https://github.com/w3c/dpv/issues/47>
<https://github.com/w3c/dpv/issues/47<https://github.com/w3c/dpv/issues/47>>
* AI Act add Prospective Provider:
https://github.com/w3c/dpv/issues/146<https://github.com/w3c/dpv/issues/146>
<https://github.com/w3c/dpv/issues/146<https://github.com/w3c/dpv/issues/146>>
* added GDPR principles, see live:
https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles<https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles>
<https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles<https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles>> (fyi,
confirm its okay)
To discuss:
* measures for consent obtain, withdraw etc.:
https://github.com/w3c/dpv/issues/115<https://github.com/w3c/dpv/issues/115>
<https://github.com/w3c/dpv/issues/115<https://github.com/w3c/dpv/issues/115>> - added controls for
consent, see live:
https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls<https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls>
<https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls<https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls>>
* Express 'goal' or 'purpose' of technology -
https://github.com/w3c/dpv/issues/85<https://github.com/w3c/dpv/issues/85>
<https://github.com/w3c/dpv/issues/85<https://github.com/w3c/dpv/issues/85>>, see
https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html<https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html><https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html<https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html>> proposing tech:hasIntendedUse
Reminder:
* DPV v2 release schedulehttps://github.com/w3c/dpv/milestone/4<https://github.com/w3c/dpv/milestone/4>
<https://github.com/w3c/dpv/milestone/4<https://github.com/w3c/dpv/milestone/4>>
Help wanted:
* update README.md and docs -https://github.com/w3c/dpv/issues/144<https://github.com/w3c/dpv/issues/144>
<https://github.com/w3c/dpv/issues/144<https://github.com/w3c/dpv/issues/144>>
* add profile metadata to dpv rdf -
https://github.com/w3c/dpv/issues/141<https://github.com/w3c/dpv/issues/141>
<https://github.com/w3c/dpv/issues/141<https://github.com/w3c/dpv/issues/141>>
* review contents (when ready) -
https://github.com/w3c/dpv/issues/127<https://github.com/w3c/dpv/issues/127>
<https://github.com/w3c/dpv/issues/127<https://github.com/w3c/dpv/issues/127>>
AOB
Joining Instructions
Join the meeting <https://dcu-ie.zoom.us/j/92216714069?pwd=NUIrZWFmWDF0bExhU3V2ak43L3lrUT09 <https://dcu-ie.zoom.us/j/92216714069?pwd=NUIrZWFmWDF0bExhU3V2ak43L3lrUT09>>
Participants
Groups
* Data Privacy Vocabularies and Controls Community Group
<https://www.w3.org/groups/cg/dpvcg/<https://www.w3.org/groups/cg/dpvcg/>> (View Calendar
<https://www.w3.org/groups/cg/dpvcg/calendar/<https://www.w3.org/groups/cg/dpvcg/calendar/>>)
Report feedback and issues on GitHub <https://github.com/w3c/calendar<https://github.com/w3c/calendar>>.
To stop receiving these emails please update your calendar preferences <https://www.w3.org/users/myprofile/calendar/preferences/<https://www.w3.org/users/myprofile/calendar/preferences/>>.
<event.ics>
--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/<https://harshp.com/>
--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/
Received on Thursday, 16 May 2024 18:09:14 UTC