- From: Mark Lizar <mark@openconsent.com>
- Date: Thu, 16 May 2024 18:57:55 +0000
- To: Harshvardhan Pandit <me@harshp.com>
- CC: "Harshvardhan J. Pandit (W3C Calendar)" <noreply+calendar@w3.org>, "public-dpvcg@w3.org" <public-dpvcg@w3.org>
I think the gas here is that the Consent socially and legally I think is different then consent technically. In that yes Consent can be given socially and this can achieve consensus, technically, though it’s done via a permission . An example, Parental Consent must be obtained. - Technically, its parental permission for the child’s consent. This is well reflected for example in the insurance industry, where a parent can provide ‘consent' for a child to go to the gym un-supervised, but the gym is still legally liable, and the parent cannot legally provide permission even if the child consents. Alternatively, forcing a child to do something without the child's consent takes extra legal considerations. Technically digital identity systems portray that they obtain and manage an individuals consent, for example Open Banking in reference to the PSD2 law. But in reality, it’s a centralised repository of permissions to extend consent for the same purpose. The gap procedurally (which is why Canada does Consent so well) is that culturally here, we ask for permission to introduce a new purpose - for consent. The way consent is modelled in DPV (a technical vocabulary) is missing the point of consent being a human control in law, not a required for an institution to prove compliance, Technically, this law is actually used to block people directing secondary consent, and this is actually causing harm and death of children. For example CCTV while it might catch someone who is violent to another, it doesn’ t prevent the violence, nor can the surveillance be used (with secondary consent) in context for an individual to provide consent for that surveillance to be used to stop a violent act in progress. Consent, unlike all the other legal justifications is truly human centric. Not institutional centric. We have the next PII Controller Notice Record and Consent Receipt v2 Specification in draft and will share next month. In addition, the TPS scheme has been adopted in ISO digital twin work, and effectively is a measure for whether or not consent is valid. What is called a Transparency Performance Indicator is used to capture whether or not a controller identity is provided before processing personal data or after. If it’s after - it’s not a valid consent. I look forward to presenting the latest work this summer, - Mark > On May 16, 2024, at 2:36 PM, Harshvardhan Pandit <me@harshp.com> wrote: > > Hi Mark. > We work on consensus here. Please feel free to propose alternative definitions and concepts to what we have - but please be clear in what you are proposing because I cannot understand at all what you want to change and where. If someone else can - please help me understand here. > > I also object to your statement in the other email that your work was "not considered by DPV". I believe we have always considered all inputs and been fair in their assessment as well as open with any criticism we may have about it - and I repeat the same also is applicable in my personal capacity regarding my replies regarding your work. > > In the future, please be *explicit* and *clear* in what you are asking us to do - and I assure (with my chair hat on) - that everything proposed in considered. So please, if possible, express what you want as: > > 1) term e.g. consent > 2) definition or description > 3) source or reference stated definition of term > 4) example of the term being used > 5) where this term fits in DPV e.g. replaces existing consent, is a specific type of consent, etc. > > If sufficient people agree (and don't object to it) then we put it in DPV. > > To indicate where I got my phrasing from, the words "obtain consent" are being used in EDPB guidelines on consent: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf Example statements from pg.5: > - "The GDPR provides further clarification and specification of the requirements for *obtaining* and demonstrating valid consent. " > - "When asking for consent, a controller has the duty to assess whether it will meet all the requirements to *obtain valid consent*. " > - "Furthermore, *obtaining consent* also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality. " > > In GDPR Art.6-1a "the data subject has *given consent* to the processing of his or her personal data" and Art.7-2 "If the data subject’s *consent is given*..." where the word "give" is used with consent. I used provide for consistency in formal terminology, but using give has the same meaning. > > In DPV, it is this precise "obtain consent" and "provide/give consent" phrases and the implied processes that the concepts represent. > > - Harsh > > On 16/05/2024 19:09, Mark Lizar wrote: >> Hi Harsh, >> With great respect to you and your work, and as a sociologist / anthropologist with a law degree and an MSC in Social Research methods, I have focused research on surveillance and consent for over two decades in security and digital identity industry, I disagree with you, and the way you interpret the law. >> 1. A record of notice aka a receipt is proof of valid digital consent for the individual >> 2. An organisation requesting ‘’consent’ is a request for permission to extend the already present consent. Consent comes from the individuals actions not an organisation request. - this is how consent works in reality and this is clearly not defined either way in the GDPRc - this is your opinion Harsh. >> Kind Regards, >> Mark >>> On May 16, 2024, at 2:23 AM, Harshvardhan Pandit <me@harshp.com> wrote: >>> >>> Hi. Thanks for the explanation. >>> >>> I disagree with the premise that a consent record is a record of notice - it is a record of whether consent has been obtained by the organisation and provided by individual. The process by which the organisation must ask and get the consent is separate from the individual's process by which they make a decision. Hence the two processes of obtaining consent, and providing consent. This is also how the law describes it AFAIK. >>> >>> The concept obtain consent is required when an authority asks how an organisation is collecting or obtaijing consent. The use of provide consent is required when an authority asks how an individual is expressing their decision. >>> >>> If consent is being requested by the organisation then then the notice would be provided by the organisation - which would be part of Obtain consent. If the consent is being provided by the individual without any request from the organisation i.e. they initiate the consent themselves - then they may already have the notice or have made a decision without one being given by the organisation. This is how it works for data altruism. So DPV enables both use cases. >>> >>> Obtain permission as the concept would not be appropriate as we are modelling consent and not permissions. >>> >>> On Thu, 16 May 2024, at 06:14, Mark Lizar wrote: >>>> Simply put, >>>> >>>> Consent is provisioned from the individual — it’s from a person - the semantics must reflect this. While the standard might say consent record, in reality it is a record of notice, which provides proof of knowledge that give the legal evidence of consent. So ‘obtain consent <https://github.com/w3c/dpv/issues/115#issuecomment-1793416931>’ is not correct semantic as this would be obtain permission, >>>> >>>> The trouble with enterprise type of legal perspective is that the semantics are all interpreted from the institutional perspective in DPV, while consent in law is acutally human legal perspective. This means consent comes from people, it’s not a something is too someone - e.g. obtained from them. It could be ‘provided’ or it could be captured, indicated through action, but only if is informed in accordance with Chapter 1 Transparency Modalities in GDPR. >>>> >>>> Does this help? >>>> >>>> Mark >>>> >>>>> On May 15, 2024, at 10:05 AM, Harshvardhan Pandit <me@harshp.com> wrote: >>>>> >>>>> Hi Mark. >>>>> I have the same understanding - and I am not disagreeing with you - but I don't understand what you're asking here (sorry). What do you - specifically - want to add or change or remove from DPV? DPVCG does not make requirements for how things work - we provide a specification for representation of information for requirements that come from e.g. law or standards. >>>>> >>>>> On 15/05/2024 14:54, Mark Lizar wrote: >>>>>> Hi Harsh, >>>>>> Consent is human and legally defined, and this is how it is defined in law. Both must be considered. Systems manage permissions, human manage consent, and consent is implied through the purpose of an action. Most importantly, consent can only be provided if there is sufficient transparency, it is not something that happens independent of notice. For consent to be valid, the identity of the controller must first be provided, or else consent cannot be provided. >>>>>> - Mark >>>>>>> On 15 May 2024, at 09:26, Harshvardhan Pandit <me@harshp.com> wrote: >>>>>>> >>>>>>> Hi Mark. >>>>>>> We are modelling consent as defined in laws and legal terminology. From the perspective of the individual, they 'provide' consent. From the perspective of the organisation, they 'obtain' (or collect) consent. I don't think we are conflating consent and permissions. >>>>>>> >>>>>>> On 15/05/2024 14:22, Mark Lizar wrote: >>>>>>>> Hi All, >>>>>>>> There is a huge issue in that Consent and Permission are very confused. >>>>>>>> Systems obtain permission, permission is given, all of which can happen with out the consent or consensus of the individual. The semantics are incredibly important, as the dark patterns in the identity management is a significant problem. >>>>>>>> Best, >>>>>>>> Mark >>>>>>>>> On 15 May 2024, at 09:05, Mark Lizar <mark@openconsent.com> wrote: >>>>>>>>> >>>>>>>>> Hi Harsh, >>>>>>>>> >>>>>>>>> Consent is provided not obtained, >>>>>>>>> >>>>>>>>>> On 14 May 2024, at 16:10, Harshvardhan J. Pandit (W3C Calendar) <noreply+calendar@w3.org> wrote: >>>>>>>>>> >>>>>>>>>> View this event in your browser <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/ <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/><https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/ <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> DPVCG Meeting Call 15 May 2024 ^Upcoming ^Confirmed >>>>>>>>>> >>>>>>>>>> 15 May 2024, 14:00 -15:00 Europe/Dublin >>>>>>>>>> >>>>>>>>>> Event is recurring weekly on Wednesday, starting from 2024-04-24, until 2024-12-19 >>>>>>>>>> >>>>>>>>>> Data Privacy Vocabularies and Controls Community Group <https://www.w3.org/groups/cg/dpvcg/calendar/ <https://www.w3.org/groups/cg/dpvcg/calendar/><https://www.w3.org/groups/cg/dpvcg/calendar/ <https://www.w3.org/groups/cg/dpvcg/calendar/>>> >>>>>>>>>> >>>>>>>>>> This is the weekly DPVCG meeting call >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Agenda >>>>>>>>>> >>>>>>>>>> Agenda <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/ <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/><https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/ <https://www.w3.org/events/meetings/0f0fbb7f-df36-4325-b39b-60e0eac5c8b7/20240515T140000/>>> >>>>>>>>>> >>>>>>>>>> Previous minutes:https://w3id.org/dpv/meetings/meeting-2024-05-08 <https://w3id.org/dpv/meetings/meeting-2024-05-08><https://w3id.org/dpv/meetings/meeting-2024-05-08 <https://w3id.org/dpv/meetings/meeting-2024-05-08>><https://w3id.org/dpv/meetings/meeting-2024-05-08 <https://w3id.org/dpv/meetings/meeting-2024-05-08><https://w3id.org/dpv/meetings/meeting-2024-05-08 <https://w3id.org/dpv/meetings/meeting-2024-05-08>>> >>>>>>>>>> >>>>>>>>>> This meeting will be chaired by Beatriz with apologies from Harsh >>>>>>>>>> >>>>>>>>>> To confirm issue can be closed: (the text will be updated after concepts are finalised) >>>>>>>>>> >>>>>>>>>> * justifications:https://github.com/w3c/dpv/issues/83 <https://github.com/w3c/dpv/issues/83><https://github.com/w3c/dpv/issues/83 <https://github.com/w3c/dpv/issues/83>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/83 <https://github.com/w3c/dpv/issues/83><https://github.com/w3c/dpv/issues/83 <https://github.com/w3c/dpv/issues/83>>> see live: >>>>>>>>>> https://harshp.com/dpv/justifications/ <https://harshp.com/dpv/justifications/><https://harshp.com/dpv/justifications/ <https://harshp.com/dpv/justifications/>> >>>>>>>>>> <https://harshp.com/dpv/justifications/ <https://harshp.com/dpv/justifications/><https://harshp.com/dpv/justifications/ <https://harshp.com/dpv/justifications/>>> >>>>>>>>>> * statuses for involved, intention, entity informed: >>>>>>>>>> https://github.com/w3c/dpv/issues/116 <https://github.com/w3c/dpv/issues/116><https://github.com/w3c/dpv/issues/116 <https://github.com/w3c/dpv/issues/116>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/116 <https://github.com/w3c/dpv/issues/116><https://github.com/w3c/dpv/issues/116 <https://github.com/w3c/dpv/issues/116>>> see live: >>>>>>>>>> * human involvement and automatino: >>>>>>>>>> https://github.com/w3c/dpv/issues/108 <https://github.com/w3c/dpv/issues/108><https://github.com/w3c/dpv/issues/108 <https://github.com/w3c/dpv/issues/108>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/108 <https://github.com/w3c/dpv/issues/108><https://github.com/w3c/dpv/issues/108 <https://github.com/w3c/dpv/issues/108>>> see live: >>>>>>>>>> https://harshp.com/dpv/dpv/#vocab-context-status <https://harshp.com/dpv/dpv/#vocab-context-status><https://harshp.com/dpv/dpv/#vocab-context-status <https://harshp.com/dpv/dpv/#vocab-context-status>> >>>>>>>>>> <https://harshp.com/dpv/dpv/#vocab-context-status <https://harshp.com/dpv/dpv/#vocab-context-status><https://harshp.com/dpv/dpv/#vocab-context-status <https://harshp.com/dpv/dpv/#vocab-context-status>>> >>>>>>>>>> * Tech extension - dropped prefix 'Technology' from actors: >>>>>>>>>> https://github.com/w3c/dpv/issues/142 <https://github.com/w3c/dpv/issues/142><https://github.com/w3c/dpv/issues/142 <https://github.com/w3c/dpv/issues/142>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/142 <https://github.com/w3c/dpv/issues/142><https://github.com/w3c/dpv/issues/142 <https://github.com/w3c/dpv/issues/142>>> >>>>>>>>>> * Tech extension - added cloud concepts, status, docs, removed >>>>>>>>>> categories:https://github.com/w3c/dpv/issues/47 <https://github.com/w3c/dpv/issues/47><https://github.com/w3c/dpv/issues/47 <https://github.com/w3c/dpv/issues/47>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/47 <https://github.com/w3c/dpv/issues/47><https://github.com/w3c/dpv/issues/47 <https://github.com/w3c/dpv/issues/47>>> >>>>>>>>>> * AI Act add Prospective Provider: >>>>>>>>>> https://github.com/w3c/dpv/issues/146 <https://github.com/w3c/dpv/issues/146><https://github.com/w3c/dpv/issues/146 <https://github.com/w3c/dpv/issues/146>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/146 <https://github.com/w3c/dpv/issues/146><https://github.com/w3c/dpv/issues/146 <https://github.com/w3c/dpv/issues/146>>> >>>>>>>>>> * added GDPR principles, see live: >>>>>>>>>> https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles <https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles><https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles <https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles>> >>>>>>>>>> <https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles <https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles><https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles <https://harshp.com/dpv/legal/eu/gdpr/#vocab-principles>>> (fyi, >>>>>>>>>> confirm its okay) >>>>>>>>>> >>>>>>>>>> To discuss: >>>>>>>>>> >>>>>>>>>> * measures for consent obtain, withdraw etc.: >>>>>>>>>> https://github.com/w3c/dpv/issues/115 <https://github.com/w3c/dpv/issues/115><https://github.com/w3c/dpv/issues/115 <https://github.com/w3c/dpv/issues/115>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/115 <https://github.com/w3c/dpv/issues/115><https://github.com/w3c/dpv/issues/115 <https://github.com/w3c/dpv/issues/115>>> - added controls for >>>>>>>>>> consent, see live: >>>>>>>>>> https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls <https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls><https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls <https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls>> >>>>>>>>>> <https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls <https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls><https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls <https://harshp.com/dpv/dpv/#vocab-legal-basis-consent-controls>>> >>>>>>>>>> * Express 'goal' or 'purpose' of technology - >>>>>>>>>> https://github.com/w3c/dpv/issues/85 <https://github.com/w3c/dpv/issues/85><https://github.com/w3c/dpv/issues/85 <https://github.com/w3c/dpv/issues/85>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/85 <https://github.com/w3c/dpv/issues/85><https://github.com/w3c/dpv/issues/85 <https://github.com/w3c/dpv/issues/85>>>, see >>>>>>>>>> https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html <https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html><https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html <https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html>><https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html <https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html><https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html <https://lists.w3.org/Archives/Public/public-dpvcg/2024May/0002.html>>> proposing tech:hasIntendedUse >>>>>>>>>> >>>>>>>>>> Reminder: >>>>>>>>>> >>>>>>>>>> * DPV v2 releaseschedulehttps://github.com/w3c/dpv/milestone/4 <schedulehttps://github.com/w3c/dpv/milestone/4><https://github.com/w3c/dpv/milestone/4 <https://github.com/w3c/dpv/milestone/4>> >>>>>>>>>> <https://github.com/w3c/dpv/milestone/4 <https://github.com/w3c/dpv/milestone/4><https://github.com/w3c/dpv/milestone/4 <https://github.com/w3c/dpv/milestone/4>>> >>>>>>>>>> Help wanted: >>>>>>>>>> >>>>>>>>>> * update README.md and docs -https://github.com/w3c/dpv/issues/144 <https://github.com/w3c/dpv/issues/144><https://github.com/w3c/dpv/issues/144 <https://github.com/w3c/dpv/issues/144>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/144 <https://github.com/w3c/dpv/issues/144><https://github.com/w3c/dpv/issues/144 <https://github.com/w3c/dpv/issues/144>>> >>>>>>>>>> * add profile metadata to dpv rdf - >>>>>>>>>> https://github.com/w3c/dpv/issues/141 <https://github.com/w3c/dpv/issues/141><https://github.com/w3c/dpv/issues/141 <https://github.com/w3c/dpv/issues/141>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/141 <https://github.com/w3c/dpv/issues/141><https://github.com/w3c/dpv/issues/141 <https://github.com/w3c/dpv/issues/141>>> >>>>>>>>>> * review contents (when ready) - >>>>>>>>>> https://github.com/w3c/dpv/issues/127 <https://github.com/w3c/dpv/issues/127><https://github.com/w3c/dpv/issues/127 <https://github.com/w3c/dpv/issues/127>> >>>>>>>>>> <https://github.com/w3c/dpv/issues/127 <https://github.com/w3c/dpv/issues/127><https://github.com/w3c/dpv/issues/127 <https://github.com/w3c/dpv/issues/127>>> >>>>>>>>>> AOB >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Joining Instructions >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Join the meeting <https://dcu-ie.zoom.us/j/92216714069?pwd=NUIrZWFmWDF0bExhU3V2ak43L3lrUT09 <https://dcu-ie.zoom.us/j/92216714069?pwd=NUIrZWFmWDF0bExhU3V2ak43L3lrUT09><https://dcu-ie.zoom.us/j/92216714069?pwd=NUIrZWFmWDF0bExhU3V2ak43L3lrUT09 <https://dcu-ie.zoom.us/j/92216714069?pwd=NUIrZWFmWDF0bExhU3V2ak43L3lrUT09>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Participants >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Groups >>>>>>>>>> >>>>>>>>>> * Data Privacy Vocabularies and Controls Community Group >>>>>>>>>> <https://www.w3.org/groups/cg/dpvcg/ <https://www.w3.org/groups/cg/dpvcg/><https://www.w3.org/groups/cg/dpvcg/ <https://www.w3.org/groups/cg/dpvcg/>>> (View Calendar >>>>>>>>>> <https://www.w3.org/groups/cg/dpvcg/calendar/ <https://www.w3.org/groups/cg/dpvcg/calendar/><https://www.w3.org/groups/cg/dpvcg/calendar/ <https://www.w3.org/groups/cg/dpvcg/calendar/>>>) >>>>>>>>>> Report feedback and issues on GitHub <https://github.com/w3c/calendar <https://github.com/w3c/calendar><https://github.com/w3c/calendar <https://github.com/w3c/calendar>>>. >>>>>>>>>> To stop receiving these emails please update your calendar preferences <https://www.w3.org/users/myprofile/calendar/preferences/ <https://www.w3.org/users/myprofile/calendar/preferences/><https://www.w3.org/users/myprofile/calendar/preferences/ <https://www.w3.org/users/myprofile/calendar/preferences/>>>. >>>>>>>>>> >>>>>>>>>> <event.ics> >>>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> --- >>>>>>> Harshvardhan J. Pandit, Ph.D >>>>>>> Assistant Professor >>>>>>> ADAPT Centre, Dublin City University >>>>>>> https://harshp.com/ <https://harshp.com/><https://harshp.com/ <https://harshp.com/>> >>>>> >>>>> -- >>>>> --- >>>>> Harshvardhan J. Pandit, Ph.D >>>>> Assistant Professor >>>>> ADAPT Centre, Dublin City University >>>>> https://harshp.com/ <https://harshp.com/> > > -- > --- > Harshvardhan J. Pandit, Ph.D > Assistant Professor > ADAPT Centre, Dublin City University > https://harshp.com/
Received on Thursday, 16 May 2024 18:58:03 UTC