[WG-InfoSharing] The FCC is preparing the strongest privacy rules ever bit.ly/1pq8rpN

Mark Lizar - OCG m.lizar at openconsentgroup.com
Wed Mar 16 06:57:08 CDT 2016


Hi John, 

First of all, I want to make it clear that I think these points of view and this thread are critically necessary in order to make a successful approach at a standard in consent. You bring up great points, which I am sure are on the minds of many. It is really important for the health of this effort to work through the why and how of a potential standard to see if what we are doing is viable. For anyone interested in this work, I strongly support raising questions and informing us about what expectations you have of this specification.

Great questions like:

How is the MVCR going to help us if it's for explicit consent?
Will the MVCR be relevant to the wider field of consent?
Why will or won't the MVCR be adopted if and when it reaches a v1?

It seems there are a few bits of understanding entangled here which are and have been difficult to unpack. Ultimately, it's really important to understand:
a) what kind of standard is possible for consent?
b) what is required from a consent standard?
c) what use cases will this specification address?


(Read on for my thoughts in response to these questions) 

To start with, explicit consent is defined in law, Fair Information Practices and privacy principles. It is these instruments which provide the basis for both ISO 29100 and the MVCR. In this regard, explicit consent is something that can be quantified and measured and is not up for arbitrary interpretation in the MVCR.

In addition, Explicit Consent is required for all sensitive information processing and sharing, everywhere where privacy principles and FIPPs are used. Which includes APEC. What's more, beyond the legal requirements, explicit and informed consent is a social construct at the core of society (even in Africa and South America), which is what this work aims to innovate. In fact, if you truly want to understand consent, we should take a good look at, and even reference, social and anthropological roots of consent. Roots that truly shed light on what 'Real Consent' is about and why there are laws and principles in the first place.

That being said, I agree with you John, explicit consent has its place, it has many exceptions, it is transitive, and it definitely has limitations which we should aim to capture in this work. As this work has evolved and the use cases have been discussed it has become clear that even though explicit consent can be measured by conformance to legal regulation, in the specification we can choose to package the MVCR into operational layers of conformance to meet a broader set of requirements.

As the consent receipt is truly an innovative approach to change the architecture of closed consent through the providing of standardised consent records, mapped to regulation, provisioned at the point of consent, there is no reason that we cannot also specify an MVCR lite version. We can work to package the MVCR requirements that are truly the most minimum to create a consent record, to just open consent and expose the very core innovation in this approach.

We can also collectively look at this and evaluate whether or not an MVCR lite version can be highly adopted for all types of consent, within the operational framework of explicit machine readable consent records and even go further to an advanced MVCR conformance layer that includes very explicit 3rd party information sharing.

In this regard, I am definitely not advocating explicit consent for the use of IP addresses, but I am advocating that explicit consent format can act as a very much needed baseline (or anchor) to standardise and build open consent upon.

In this regard, I think we all agree. But, can we agree that we can have a single specification that scales from just opening consent, to explicit consent, to an even higher standard of explicit consent and explicit sharing for the strongest privacy rules? I believe we should evaluate whether or not the MVCR can provide a framework for all types of consent records without prescribing any particular type of consent or a particular context in the core spec.


- Mark


> On 15 Mar 2016, at 00:22, John Wunderlich <john at wunderlich.ca> wrote:
> 
> Explicit consent will probably not be required in large parts of Asia, South America or Africa - or not at least in the near future.
> 
> There will be technical issues with a blanket explicit requirement for PII - example being that if IP address is PII, it is included in browser header and traffic information - which suggests that one interpretation of explicit consent would cause problems for DNS servers.
> 
> I agree that we need an endpoint that enables scaling of the strongest privacy rules, but if it REQUIRES the strongest privacy rules it will fail to be adopted generally, IMHO.
> 
> 
> 
> Sincerely,
> John Wunderlich
> @PrivacyCDN
> 
> Call: +1 (647) 669-4749
> eMail: john at wunderlich.ca <mailto:john at wunderlich.ca>
> 
> On 14 March 2016 at 17:07, Mark Lizar - OCG <m.lizar at openconsentgroup.com <mailto:m.lizar at openconsentgroup.com>> wrote:
> 
> Explicit consent will be the requirement.  As well as explicit information sharing agreements. 
> 
> I agree it might scare lawyers now. But, I think that's a good thing. Of course, we can make an MVCR lite version aka an Open Notice or Open Consent Receipt for all legacy use cases. But, the important thing is scaling to the “strongest privacy rules ever” (IMHO)
>  
> 
> Mark
> 
> 
> _______________________________________________
> WG-InfoSharing mailing list
> WG-InfoSharing at kantarainitiative.org <mailto:WG-InfoSharing at kantarainitiative.org>
> http://kantarainitiative.org/mailman/listinfo/wg-infosharing <http://kantarainitiative.org/mailman/listinfo/wg-infosharing>