Re: What additional optional information is ESSENTIAL in Europe to document a informed that has been given?

Walter,
Having lived through P3P there is no "simple way out": the simpler the model, the more rigid it becomes and the more it harms industry when attempting to squeeze into a very tiny box of options. The more complex the metadata standard becomes, the more it can approach real-world scenarios, but then it becomes more difficult to develop and less of a utility for machine reading.
User Agents have the ability to offer data subjects the option to remove previously provided consent under the current standard. There is nothing in the GDPR or ePR that suggests that User Agents need machine readable elements to provide some greater level of automated processing.
- Shane

Shane Wiley
VP, Privacy Policy
Yahoo

From: Walter van Holst <walter@vanholst.com>
To: public-tracking@w3.org
Sent: Tuesday, March 28, 2017 1:43 PM
Subject: Re: What additional optional information is ESSENTIAL in Europe to document a informed that has been given?

On 2017-03-28 22:06, Shane M Wiley wrote:
> Rob,
> 
> Thank you for that perspective but again nothing here mandates that
> the browser play a role outside of recording the consent as determined
> by the controller and allowing users an "equally easy" manner in which
> to remove that consent.  I'm still not convinced that there is a need
> for machine readable elements in the TSO to enable user agent
> capabilities beyond those needs.

I would agree with your legal counsel that a grammatical reading of the 
GDPR does not provide for such a positive obligation regarding 
providing consent.

However, the GDPR has in article 21(5) a positive obligation regarding 
the ease of withdrawal of consent, which is a special case on top of the 
general provision on withdrawal of consent in article 7(3) GDPR.

I have been told by Jan Philipp Albrecht's staff that the amendment 
that gave rise to article 21(5) GDPR was specifically proposed with the 
W3C DNT WG in mind. This alone should give your legal counsel pause. And 
once he or she is at it, this alone is a strong basis for a 
non-grammatical interpretation of the GDPR that there is a similar 
obligation for giving consent, but that the legislator assumed that data 
controllers would feel a sufficiently enlightened self-interest that 
they would create such easy avenues for doing so anyway.

In light of the consent requirements of art 7 GDPR, it would make no 
sense whatsoever to not allow for meta-data that would allow for 
machine-readability. I would strongly support Rob's suggestion for an 
optional array for this purpose.

And no, I definitely don't want this to become another P3P. Let's keep 
things as simple as possible, but not simpler than that.

Regards,

  Walter
Received on Tuesday, 28 March 2017 20:49:13 UTC