[WG-ISI] This weeks WG meeting

Mark Lizar mark at openconsent.com
Thu Oct 1 12:31:46 UTC 2020


Iain,

This is an important topic to discuss as this misunderstanding is divisive for this work  and really needs clarity.

On May 4th the EDPB released an update<https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf> to  Consent to clarify the mis-using/understanding of  the legal justification - Consent.

 E.g.  The right data right to portability is applicable for legal justification of consent  (Article 20).  But with Consent, there is no right to object, which people would likely have with any information sharing agreement (Article 21).    These can have similar effects but are different rights and permissions when applied in context.

The Consent Types Labels are for Records of Processing which refers to (Article 30- Records of Processing) ..   Not the Article 4(11) definition of consent which is to signify (signal) an agreement to processing


On 1 Oct 2020, at 07:43, Mark Lizar <mark at openconsent.com<mailto:mark at openconsent.com>> wrote:

Hi Iain,

I understand what you are saying.  The Consent Type is  for ANY type of data processing and is called a consent type because it is human to infrastructure,  eg No-Consent and Explicit consent are both Consent Types for data procession that people can understand have different type of rights and obligations.

Mixing consent types for humans  with explicit legal consent or cookie consent (for a contract of adhesion) is a common problem.    Perhaps its time to move past the confusion of mixing up legal definition of consent with the human understanding go consent?

Mark

PS  you might like this  https://github.com/microsoft/Open-Use-of-Data-Agreement<https://github.com/microsoft/Open-Use-of-Data-Agreement>

On 1 Oct 2020, at 02:56, Iain Henderson <iain at jlinclabs.com<mailto:iain at jlinclabs.com>> wrote:

OK thanks, lot’s in there; but my specific point would be that ‘consent type’ is no longer the right name for that field; that ceased to be the case when GDPR came in and effectively made the word ‘consent’ have two meanings - one the traditional verb (I consent), the other a descriptor of the nature of a basis for processing a particular piece of personal data (with six options).

I believe the better framing in this post GDPR model would be the field name = ‘permission type’, and there then being the 6 legal basis options (consent, legitimate interest etc). If it then became useful to have further drill downs from legal basis = consent then that could be handled as that drill down.

Iain

On 1 Oct 2020, at 00:33, Mark Lizar <mark at openconsent.com<mailto:mark at openconsent.com>> wrote:

Hi Iain,

The consent type field in the receipt is what we are still working on, its used to  map the legal basis + rights + obligations and derogation to a notice profile in order to generate legally usable receipts.

The consent type is effectively the evolution of work in this group from standard label to consent receipt for human centric - master data controls.     Now its also the way to use the ISO Framework for transboarder interoperability.  This is huge !!

For PDUR - there are lot of useful things that could be profiled and the receipt interop proposal from last year was that PDUR be used for contract types  and the contract legal basis e.g. personal data contract receipt profile.  Which is a way to do privacy to contract interop and overnight ToS now that the laws have come into effect.

Its been a long time, but the purpose of the receipt work was to build a tool for interop so that VRM terms and permissions can be use.   The method of approach for the receipt has alway been human interop with tech, with human to infrastructure law (aka privacy law).    To this end, this has been incredibly successful and can now be leverage to address a lot of challenges this field of work has faced.

In fact, isn’t it the purpose of this community groups to work on interop ?

The profile categories for the Notice & Consent Receipt are legal justification based.   Now there is a gap is in the business infrastructure and contract layer to operationalise data rights and terms.  E.g. how do orgs/lawyers deal with rights that conflict with terms of use?

For a hackathon next week I am working on the legal basis matrix for interop with contracts - this I hope will generate a contract legal profile for receipts that contract lawyers can use with their Terms of Use.   The consent receipt being the human interop component, which needs to be extended with data permission profiles in accordance with legal justification.

Mark

PS  The IAB is a big example of why we all should be working from the same hymn sheet rather than divided.   There is a lot of support from that in the Ed-Tech compliance and children’s advertising space ..   in fact next week there is a workshop /hackathon with Stanford and aNG to address the ToS contract with privacy rights ( over riding ToS) so that permissions frameworks can b inserted like Me2B and Jlinc.   E.g.  provide the space to apply or negotiate terms (finally) back to the reason we started in the first place.  The CR as apart of ISO make this all possible now.


On 29 Sep 2020, at 09:48, Iain Henderson <iain at jlinclabs.com<mailto:iain at jlinclabs.com>> wrote:

Ok thanks. It would be good to also get some thought in the report about the issue I flagged around legal basis for processing.

For anyone not paying attention to the IAB framework 2.0 now live in EU; there is a land grab going on as I speak that will see the data on hundreds of millions of people become accessible to adtech providers through manipulation of legal basis from consent to legitimate interest. That’s a big deal that either the framework needs to have a view on; or consciously not have a view on/ leave that to profile builders.

Iain

On 29 Sep 2020, at 14:25, John Wunderlich <john at wunderlich.ca<mailto:john at wunderlich.ca>> wrote:


Hi;

I will be unable to attend this week's meeting. I suggest that we skip this meeting to allow Andrew time to review the suggested changes from Mary and Lisa and to draft the report he has been talking about and come back refreshed on October 8th.



John Wunderlich, BA, MBA
@PrivacyCDN<https://twitter.com/PrivacyCDN>

[https://docs.google.com/uc?export=download&id=1TmSu1vuBc7cDu9EMbVsoSur0mtxeXgDx&revid=0B-W7F5c-RcqENHJmdk1tSTNCQWtMR3JuVU5qWDhWRHpGVTBvPQ]

Privacy Tools

JLINC Labs<https://www.jlinc.com/>: Tech for Permissoned Data<https://www.jlinc.com/technology>
Kantara Initiative<https://kantarainitiative.org/>: Consent Receipt Specification<https://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification>
MyData Global<https://www.mydata.org/>: MyData Declaration<https://www.mydata.org/declaration>

"The sad truth is that most evil is done by people who never make up their minds to be good or evil.” ― Hannah Arendt<https://www.goodreads.com/author/show/12806.Hannah_Arendt>, The Life of the Mind<https://www.goodreads.com/work/quotes/122534>


This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
_______________________________________________
Wg-isi mailing list
Wg-isi at kantarainitiative.org<mailto:Wg-isi at kantarainitiative.org>
https://kantarainitiative.org/mailman/listinfo/wg-isi
_______________________________________________
Wg-isi mailing list
Wg-isi at kantarainitiative.org<mailto:Wg-isi at kantarainitiative.org>
https://kantarainitiative.org/mailman/listinfo/wg-isi



_______________________________________________
Wg-isi mailing list
Wg-isi at kantarainitiative.org<mailto:Wg-isi at kantarainitiative.org>
https://kantarainitiative.org/mailman/listinfo/wg-isi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-isi/attachments/20201001/b19142b2/attachment-0001.html>


More information about the Wg-isi mailing list