07:14:21 RRSAgent has joined #dataprivacy18
07:14:21 logging to https://www.w3.org/2018/04/17-dataprivacy18-irc
07:15:10 trackbot, start telcon
07:15:10 Sorry, but no Tracker is associated with this channel.
07:16:47 trackbot, start meeting
07:16:47 Sorry, but no Tracker is associated with this channel.
07:17:57 Bert has joined #dataprivacy18
07:18:23 RRSAgent, pointer?
07:18:23 See https://www.w3.org/2018/04/17-dataprivacy18-irc#T07-18-23
07:20:02 AxelPollleres has joined #dataprivacy18
07:20:37 topic: Opening remarks
07:21:48 Sabrina: Welcome on behalf of WU.
07:22:19 scribe: Bert
07:22:48 agenda: https://www.w3.org/2018/vocabws/#schedule
07:23:03 Rigo: Some history on myself, the SPECIAL project and the workshop.
07:23:51 ... trying to identify gaps for follow up initiatives
07:23:55 ... Workshop is looking for your feedback.
07:24:42 ... Workshop chairs: Stefan Decker and Vassilios Peristeras.
07:25:04 ... Both old hands at Linked Data and at privacy.
07:25:32 ... Interested in agreeing on vocabulary.
07:25:47 ... core privacy vocabulary
07:26:15 skirrane has joined #dataprivacy18
07:26:19 Stefan: it's not just about what happened in the last couple of weeks
07:27:03 ... I would love to see some W3C activities on privacy vocabularies
07:27:28 Stefan: I work since a long time on Linked Data. Privacy more recently. Subject is topical (Facebook, Cambridge Analytica...)
07:27:39 ... ethical behavior dealing with data needs to be discussed too
07:27:51 ... There are ethical questions as well as technical.
07:28:33 Vassilios: I come from systems, interoperability, public administration.
07:28:34 skirrane has joined #dataprivacy18
07:28:49 ... I'm here also to learn about privacy.
07:29:37 ... more time for discussion, less for presentations
07:29:52 ... About the ws programme: four sessions. Discussions important, so please leave time for those.
07:30:53 ... First session on existing initiatives.
07:31:29 ... Second on industry, third on government.
07:31:48 ... Sabrina will explain the networking event.
07:31:50 ... tmrw we have the research track
07:32:08 ... Tomorrow about research, and more time for discussion.
07:32:52 ... Panel discussions are not to let panel talk among themselves, but to talk with you.
07:33:53 ... Conclusions tomorrow before lunch, because some people need to leave early, but informal discussions continue after.
07:36:28 MarkL has joined #dataprivacy18
07:36:33 hello --
07:36:56 Yi_Yin has joined #dataprivacy18
07:37:08 Rigo: We use IRC for taking notes (as typical for a W3C workshop)
07:37:15 VMireles has joined #dataprivacy18
07:37:20 rrsagent, make log public
07:37:26 rrsagent, draft minutes
07:37:26 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html simonstey
07:37:44 Eva_Schlehahn__ULD_ has joined #dataprivacy18
07:37:44 Round of introductions.
07:41:12 rigo has joined #dataprivacy18
07:45:18 dom has joined #dataprivacy18
07:48:01 cs has joined #dataprivacy18
07:48:54 Andreas has joined #dataprivacy18
07:49:01 Topic: Relevant vocabularies and initiatives (1st Session)
07:49:04 subtopic: COELITION (Joss Langford)
07:49:25 quick remote intro: Axel Polleres (listening in via VoIP) , WU & currently visiting at Stanford (which is why I couldn't make it), looking forward to the workshop, my primary interest: interoperability for data portability and transparency.
07:49:31 pebran has joined #dataprivacy18
07:50:02 Use the whiteboard, the post-it notes, or IRC, to note topics for discussions later.
07:50:42 Joss_Langford: From OASIS COELITION group.
07:50:55 Coelition presentation, strong industry focus
07:50:57 ... Which is the SIG for the OASIS standard.
07:51:19 ... Help industry in responsible use of personal data.
07:51:38 ... Speaking here with my OASIS hat.
07:52:18 Do I understand correctly that basically anyone can make notes here?
07:52:19 ... IOT is about what we _do_, rather than what we _say_.
07:52:40 ... /me Yes, everybody can make notes.
07:53:03 Are the slides somewhere online?
07:53:12 StefanD has joined #dataprivacy18
07:53:35 not yet AxelPollleres
07:54:30 Joss_Langford: syntactic vs. semantic layer
07:54:38 Joss_Langford: COEL syntactic level and semantic layer.
07:54:58 ... Semantics came for large part from Unilever.
07:55:20 Can you please link the position statements to the Webpage? that'd help
07:55:54 Harald-ULD has joined #dataprivacy18
07:55:59 https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=coel
07:56:07 ... We found around a 100 behaviours per day for a person. We have 5000 currently defined.
07:56:25 https://coelition.org/
07:56:52 ida has joined #dataprivacy18
07:57:15 Eva_Schlehahn: I'm a legal person, confused about the "data source" you talk about.
07:57:26 Joss_Langford: I explained it poorly...
07:57:35 subtopic: ODRL Usage Control (Pullmann, Mader, Eitel)
07:57:55 MichaelM has joined #dataprivacy18
07:58:10 ida has joined #dataprivacy18
07:59:13 scribe: Bert, simonstey
07:59:38 Jaroslav_Pullmann: introducing Industrial Data Space
08:00:08 topic: ODRL Usage Control (Pullmann, Mader, Eitel 10min)
08:00:17 ... it's built around the notion of a connector, where data is published/consumed
08:00:42 ... continuous evaluation of the context
08:02:04 Bob has joined #dataprivacy18
08:02:07 ... data isn't stored centralized in the cloud but remains with the data provider all the time
08:02:30 scribenick: Bert, simonstey
08:03:25 Jaroslav_Pullmann: policies are negotiated between data provider and data consumer directly
08:03:48 OASIS COEL TC page: https://www.oasis-open.org/committees/coel/
08:03:56 ... what makes a policy enforceable?
08:04:14 MarkL_ has joined #dataprivacy18
08:04:31 ... Coverage vs. Enforcement
08:04:34 OASIS COEL spec: http://docs.oasis-open.org/coel/COEL/v1.0/cs01/COEL-v1.0-cs01.pdf
08:04:38 BenjaminHeitmann has joined #dataprivacy18
08:04:59 ... Specification level policies vs implementation level policies
08:05:12 OASIS COEL taxonomy: http://docs.oasis-open.org/coel/COEL/v1.0/cs01/model/coel.json
08:05:26 ... SLP doesn't include any implementation specific information
08:05:33 BenjaminHeitmann has joined #dataprivacy18
08:06:43 OASIS COEL taxonomy interactive visualisation: https://coelition.org/business/resources/visualising-life/
08:07:03 ... looking at ODRL; investigating whether it can be used for our purposes
08:07:16 ... especially wrt. to enforceability
08:08:02 q+ to ask about what level of granularity Jaroslav_Pullmann expects to be needed minimally for interoperability, particularly in terms of personal data handling/privacy?
08:08:17 ... establish a community of practice, we are missing the actual users of a standard policy language
08:09:16 ... does the model cover "purpose" as a concept?
08:10:36 rigo has joined #dataprivacy18
08:10:47 torgeir has joined #dataprivacy18
08:11:23 Industrial Data Space Information Model: https://github.com/IndustrialDataSpace/InformationModel/tree/develop
08:11:42 AxelPollleres: does your model cover "purpose"?
08:11:57 More information about the information model (see section 3.4): https://www.fraunhofer.de/content/dam/zv/de/Forschungsfelder/industrial-data-space/Industrial-Data-Space_Reference-Architecture-Model-2017.pdf
08:11:58 Jaroslav_Pullmann: we currently use ODRL for modeling the policies
08:12:20 ... the evaluation of the policies is part of querying
08:12:38 ... we still don't have the negotiation of policies
08:13:14 ... policies being dynamically negotiated between parties, rather than them being statically attached to the assets
08:14:30 rigo: this raises another question; how do you actually attach the policy to the asset?
08:15:06 ok :)
08:15:38 subtopic: Remote Obligation Enforcement (Lux, Brost, Schütte)
08:16:30 how to connect different connectors. Yukon is not sufficient here
08:16:50 Michael Lux talking
08:17:25 Michael_Lux: what's the actual meaning of "delete"? what's the technical concept behind it?
08:17:42 ... or "listening to the audio file for 3 times"
08:17:54 ... what's 3 times?
08:18:57 ... in our context, we don't have a UID for each asset
08:19:20 Rigo asks whether a taxonomy already exists
08:19:28 ... as we would generate policies on the fly
08:19:37 Michael_Lux: We have some questions/suggestions for enhancing ODRL in IoT context.
08:19:56 Induce is much more powerful than Yukon
08:20:42 subtopic: Kantara CISWG (Mark Lizar)
08:22:17 Yukon= LUCON. More information about ind2uce in general: https://ind2uce.de/ for developers and detailed technical information: http://dev.ind2uce.de/
08:23:04 Lizar talks about consent receipts
08:24:03 skirrane has joined #dataprivacy18
08:24:24 MarkL_: objective is to develop a common record of privacy that is consent centric
08:25:48 ... there are common requirements regarding privacy around the internet
08:27:08 ... what identifies privacy transparency?
08:27:12 Follow-up on Michael-Lux for the notes: Attaching the policy directly to the data instead of linking it via a UID makes UID unnecessary. Harald: This may be a major benefit for the data protection principle of "unlinkability" and "purpose binding". Where UIDs are unnecessary it's preferable to avoid them. However, we may end up with UID if we need a backchannel to data subjects to enable functionalities such as withdrawal of consent or righ[CUT]
08:27:27 ... we are mapping consent receipts to GDPR terms
08:28:21 ... research shows that ~90% of the companies have very non-transparent privacy policies (?)
08:30:09 ... there's a gap between the technical POV and being meaningful to people
08:30:51 MarkL: I'm personally interested in enhancing our Consent Receipt to make it understandable to people.
08:32:01 maximus has joined #dataprivacy18
08:32:18 Stefan_Decker: thinking about the google cookie notifications; everyone clicks them away without reading them
08:32:30 Stefan: Reminds me of EU cookie policy. Everybody clicks the banner away. Isn't your solution similar?
08:33:29 Now Markus Sabadello speaking about decentralised identifiers
08:33:39 subtopic: Decentralised Identifiers (Markus Sabadello)
08:34:44 MarkL: The banner is definitely not the appropriate mechanism.
08:35:30 rrsagent, draft minutes
08:35:30 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html simonstey
08:36:20 Rigo puts up Facebook's full-page advert in a local newspaper, which says in big letters (in German), "the EU regulations bring you more data protection".
08:37:05 scribe: simonstey
08:37:11 rrsagent, draft minutes
08:37:11 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html simonstey
08:37:14 It's perfect for a good laugh in between
08:38:12 Markus_Sabadello: who are we, when we go online?
08:38:15 vassilios has joined #dataprivacy18
08:38:54 Markus_Sabadello: Emerging paradigm is "self-sovereign identity"
08:39:00 ... today, a digital identity is something that's given to us
08:39:11 ... we try to move away from that
08:39:15 In Germany, we have the concept of informational self-determination
08:40:01 ... Put self in the center, rather than your Facebook identity or Amazon identity.
08:40:05 ... we are developing a concept called DID (decentralized identifiers)
08:41:02 ... they are cryptographically verifiable
08:41:20 ... My company's approach is via a Decentralized IDentifier, a URL like "did:xxxxx"
08:41:49 ... prefix determines where the DID is "registered"
08:42:01 did:method:hash
08:42:18 ... Various types of did-URIs, called "methods".
08:42:18 ... a DID can be resolved to a DID document (JSON-LD)
08:42:54 ... those DID documents are public information
08:43:27 dbell has joined #dataprivacy18
08:43:41 ... https://uniresolver.io allows to resolve DIDs
08:44:19 ... We have an implementation of a universal resolver for did-URIs, and building various other things on top, including distributed PKI.
08:44:40 cs has joined #dataprivacy18
08:45:06 ... currently working on decentralizing several concepts such as PKI, KMS
08:46:59 ... PKI can in turn be used for something like verifiable claims, which makes it interesting for companies, e.g.,
08:47:58 put DID on blockchain to have verifiable statements of one ID about the other ID
08:48:56 Markus, I know we had this discussion already, but I still don't get why DIDs are better than URIs... it is just about the governance structure... if you have a subset of URIs that follow a more rigid governance than general URIs, that'd not need be incompatible with URIs
08:49:07 Rudy_Jacob: There seem to be different, incompatible initiatives in different countries. How will the market evolve?
08:49:52 Markus_Sabadello: Yes, indeed. Not an expert on standardization, but think a few dominant ones will will.
08:50:39 I see the point though, that verifiable claims or something similar could be used to carry personal data in a verifiable manner.
08:50:47 Harald: [missed question]
08:50:53 q+
08:51:19 Harald: can this be also used for a verifiable revocation of consent?
08:51:25 Markus_Sabadello: These did-URIs are valid URIs, can use them anywhere where a URI is expected, thus also in Linked Data.
08:52:24 StefanDecker: persistent identifiers are an open problem, Bob Kahn, created DOI, there is also ORCID
08:52:24 Stefan: Identifiers is an open space people are exploring: DOIs, ORCID, etc.
08:52:48 how do you position yourself compared to handle system
08:53:14 Markus_Sabadello: These handle systems aren't decentralized, you need to register with some authority.
08:53:19 ID is here comparable to a keypair
08:53:49 Stefan: So what's your strategy to convince the world to use yours?
08:54:11 Markus_Sabadello: We're not really at that point yet :-)
08:54:33 ... We have a vision. We hope people share it.
08:54:55 rrsagent, draft minutes
08:54:55 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html simonstey
08:55:25 is there a queue so, or not?
08:55:39 q?
08:55:53 ah.
08:58:43 simonstey has changed the topic to: W3C Workshop on Privacy and Linked Data (Day 1)
08:58:56 rrsagent, draft minutes
08:58:56 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html simonstey
08:59:13 skirrane has joined #dataprivacy18
08:59:34 Markus_Sabadello: [In response to a question from Mark Lizar] Managing your own identity has the risk you lose it. Nobody has a backup.
09:00:25 or what happens if someone tampers with the identity? how to roll back this?
09:00:27 q?
09:00:36 :-)
09:00:48 skirrane has joined #dataprivacy18
09:00:52 ... Your self-managed digital identity is meant to be complementary to state-issued identities, not contradictory.
09:02:16 [coffee break]
09:02:55 rrsagent, draft minutes
09:02:55 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html simonstey
09:04:45 s/Rudy_Jacob/Freddy_de_Meersman/
09:05:06 put in my question/remark here again: (1) could SSI be made compatible with URIs? there is a Web infrastructure which supports HTTP URIs out there, I think it would make sense to be compatible with that (2) verifiable claims can also play an important role in the puzzle, e.g. for those claims protecting personal data not needing to be shipped around directly, but just be confirmed
09:31:26 Meeting: Workshop "Data Privacy Controls and Vocabularies"
09:31:57 Chair: Stefan Decker, Vassilios Peristeras
09:32:38 RRSAgent, make minutes v2
09:32:38 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html Bert
09:37:12 simonstey has joined #dataprivacy18
09:37:33 Vassilios: Question about compatibility of self-sovereign identity and official identity.
09:37:46 There is a paper
09:38:03 Self-sovereign identity is the title
09:38:13 on-going work on this
09:38:29 Markus_Sabadello shows a paper on the subject.
09:38:35 integrating with eIDAS, qualified self-sovereign identity. Using qualified signatures
09:38:56 Eva_Schlehahn: How to verify identity?
09:39:20 VMireles has joined #dataprivacy18
09:39:33 Markus_Sabadello: I keep the identity and the verification separate. I can make as many identities as I want, without need for verification.
09:41:02 ... But if verification is needed, we can use something like Verifiable Claims, to let a third party state its verification.
09:41:23 MarkL has joined #dataprivacy18
09:41:23 AxelPollleres: why do we need a different protocol/concept than http/URI?
09:42:05 AxelPollleres: Using http instead of did would make it compatible with existing Web.
09:42:05 is all of this really about demonstrating compliance - is distributed identity ultimately a governance issue ?
09:42:18 Markus_Sabadello: http URIs don't satisfy the requirements of self-sovereignty
09:42:44 Markus_Sabadello: did-URIs are not incompatible.
09:43:09 Andreas has joined #dataprivacy18
09:43:28 ... It's just another URI in RDF.
09:43:38 ... it would be an interesting exercise to do some testing on that front
09:43:59 topic: Usage Control & GDPR (Sabrina Kirrane)
09:44:20 MichaelM has joined #dataprivacy18
09:44:28 Sabrina: Representing SPECIAL project.
09:44:31 laurent_oz has joined #dataprivacy18
09:45:01 ... we are trying to support the regulators (enforcing the GDPR)
09:45:25 ... supporting the companies to (semi-)automatically check the permissions that come with data
09:45:50 ... Trying to support, via (semi-)automatic means, the companies, the users and the regulators.
09:46:19 ... we need to be able to model legal policies (like the GDPR) but also contracts/usage policies
09:46:34 ... Requires representing the legal policies; all relevant ones, not just GDPR.
09:47:12 ... laws and regulations are subjective (and they are that for a reason)
09:47:32 ... But we're really far away from full automation. Laws are ambiguous, on purpose.
09:48:06 ... Approach via logs: inspecting logs to check for compliance, after the fact.
09:48:15 ... companies don't want to check the law afterwards
09:48:25 ... But also need to check before the fact.
09:49:26 ... there are many different policy languages out there
09:49:27 ... In addition, everything needs to be scalable. E.g., partner Thomson Reuters has _lots_ of data.
09:49:35 I agree with Markus of course that other URI schemes are fine, but I mean that http(s) URIs have a ton of tools and software already available, what I meant is more that an idea like DID could possibly also be realized with "normal HTTP URIs, say (without understanding the technicalities here in all detail, admittedly), assume DID wouldn't use did:XYZ but http://did.org/XYZ with the same decentralized governance structure behind, what w[CUT]
09:49:35 the difference?
09:49:37 ... we are using OWL 2 EL
09:50:28 ... There are technologies coming out of research, there is ODRL, and we're working on our own. Ours is very influenced by our project's legal partners.
09:52:02 ... there's usually a subsumption relation between terms
09:52:05 vassilios has joined #dataprivacy18
09:52:26 ... we want to see, whether the processing adheres to the usage policy
09:52:31 ... I went through GDPR line-by-line, looking for rules and terms. Creating a vocabulary, several taxonomies, that companies can use.
09:53:48 ... We already make a list of existing vocabularies, e.g., for identifying people, people's health data (use-case about fitness), geo-location, etc.
09:54:04 ... Many of these come from W3C.
09:54:32 BenjaminHeitmann has joined #dataprivacy18
09:54:39 ... we based a lot of our concepts on P3P
09:54:54 schunter has joined #dataprivacy18
09:55:06 ... One submission to this workshop mentioned P3P. We should discuss that later. We enhanced P3P.
09:56:11 ... Provenance vocab also useful.
09:56:54 ... SPECIAL Policy Language is one of the deliverables.
09:57:14 ... Standardization deliverable 6.3 (https://www.specialprivacy.eu/images/documents/SPECIAL_D6.3_M9_V1.0.pdf)
09:58:16 I have mentioned a couple of times also the Core Vocabularies developed by the European Commission: https://joinup.ec.europa.eu/page/core-vocabularies
09:58:33 Sabrina: rather than approaching it from a technical perspective, we went through the structure of the GDPR
09:58:46 ... identifying the structure
09:58:55 ... what do we need?
09:59:23 Sabrina: [answering question from Monica Palmirani] I'm not a lawyer myself, so I engaged law students to analyze the text, and especially to find the implicit references.
09:59:24 ... we had 2 people with legal background going through it
09:59:39 ... We need the legal community to check the work.
10:00:01 these are looking also at explicit and implicit references and linkages between different legal provisions on the GDPR
10:00:29 Sabrina: We will have not one, but several interpretations
10:02:13 Monica_Palmirani: Interested in the legal reasoning, in addition to terms and rules.
10:02:34 Sabrina: I'll be at a Dagstuhl seminar about that.
10:03:46 Martin_Kurze: Shouldn't the vocabulary be larger than just representing the GDPR?
10:04:10 Sabrina: Indeed, need general approach. But we cannot look at everything at once.
10:04:46 Question about business cases.
10:04:48 VMireles: so this language is also able to represent the business logic of your applications?
10:05:27 Sabrina: Javier will talk later about that, when he talks about analysing log events.
10:06:33 gerardkuys has joined #dataprivacy18
10:07:22 Sabrina: [Answering a question] We use OWL to benefit from existing reasoners. We don't have formal semantics for ODRL yet.
10:07:34 Jaroslav_Pullman: what's the motivation behind coming up with your own language, esp. compared to ODRL?
10:08:36 ... so you are focusing more on compliance than enforcement?
10:08:52 Sabrina: yes [and explained why]
10:09:29 VMireles: what's about adaptability?
10:10:10 BPXS has joined #Dataprivacy18
10:11:06 Topic: An ODRL profile for GDPR (Ensar Hadziselimovic)
10:11:16 skirrane has joined #dataprivacy18
10:11:41 skirrane has joined #dataprivacy18
10:12:26 Ensar_Hadziselimovic: I'm here on behald of my colleague how's not able to join today
10:13:18 ... GDPR has 3 parties, data processors/controllers/subjects
10:13:37 ... so we looked into SWT for modeling GDPR's workflow
10:13:38 s/behald/behalf/
10:13:53 s/how's/who's/
10:14:43 ... what we are proposing is building a profile for ODRL
10:14:56 ... extending it by e.g. a concept of "editing"
10:15:10 ... this profile is just in its infancy
10:15:20 mapped GDPR text into ODRL Profile
10:15:23 it is online
10:15:57 goal is to have smart contracts between controllers
10:16:26 https://old.datahub.io/dataset/gdprtext
10:16:34 ... also thinking about enforcement, blockchain, etc
10:18:01 Martin_Kurze: Sabrina just said modeling is difficult and you say we just did it in ODRL :-) How did you do it?
10:18:22 Ensar: ODRL seemed appropriate.
10:21:11 Rigo: We're trying to understand what the legislator wanted. Another issue is ePrivacy, which is on its way. If we model ePrivacy, a reasoner could tell us what happens if we vary some parameter.
10:21:40 Ensar: Yes, we are interested in that, too. We have a group studying that.
10:21:58 skirrane has joined #dataprivacy18
10:22:58 People who have topics for discussions tomorrow should put a post-it on the wall next to the podium.
10:23:56 Topic: Panel Discussions
10:24:15 Stefan_Decker: what are the interdependencies between the things presented today?
10:24:31 information models: minimal (GDPR) vs. general policies
10:25:06 ValliT has joined #dataprivacy18
10:25:14 Sabrina: one of the goals we actually have is to see data sharing (which usually happens between companies)
10:25:34 ... something what markus presented (DID) might be very valuable in that context
10:25:44 VMireles has joined #dataprivacy18
10:26:12 Stefan_Decker: what are requirements for such identity systems?
10:26:47 ... wouldn't you assume some form of registry where you store (?) information about identities?
10:29:16 Jaroslav_Pullman: resources might be generated
10:31:26 Mark_Lizar: We also have identities for companies. Allows detailed policies. Need same level of granularity. Distinguish data that can be transparent or not.
10:32:01 Markus_Sabadello: ... multiple user identities.
10:32:54 @1: How do you model time? Some things may be retained for years, others only for minutes.
10:33:45 Mark_Lizar: Do you expect companies to delete data? Legal requirements to separate data.
10:34:34 Sabrina: The lawyers I talked to expect things to be deleted in full, including from all backups.
10:34:43 ... which is nonsense
10:34:57 ... But this is something we need to discuss and define better.
10:35:24 ... Use data subsets with different policies.
10:36:06 Joss_Langford: Deletion can be "splitting", or rendering it non-personal.
10:36:23 Sabrina: which in turns means to deal with things like integrity
10:36:35 Mark_Lizar: Powerful concept of breaking identifier from the data.
10:37:07 Eva_Schlehahn: There are requirements from different domains: legal, technical, industry...
10:37:38 ... What kind of rules? How do we get an overview of them?
10:38:15 Mark_Lizar: We track the knows requirements.
10:38:24 s/knows/notice/
10:38:29 ... especially obligations
10:39:30 ... Data protection, processing, internal processing is important, too. But we're looking at notices and what makes user trust.
10:40:26 rrsagent, draft minutes
10:40:26 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html simonstey
10:46:05 ida has joined #dataprivacy18
10:46:53 Q: what are your thoughts on an entity having multiple identities which are independent from each other?
10:49:35 [Lunch Break]
10:50:04 Stefan: We wanted to shorten the lunch by 10 minutes for more discussions. But we've already used 20 minutes. So time for lunch! :-)
10:58:29 I am off for today, and will try to rejoin tomorrow afternoon
12:00:24 pebran has joined #dataprivacy18
12:07:51 simonstey has joined #dataprivacy18
12:08:40 skirrane has joined #dataprivacy18
12:09:18 topic: Privacy challenges in the Opera Browser (Michael Markevich)
12:10:04 ida has joined #dataprivacy18
12:10:14 VMireles has joined #dataprivacy18
12:10:28 Michael_Markevich: opera has ~300 mio users
12:11:10 ... we try to not identify users
12:12:16 Eva_Schlehahn_ULD has joined #dataprivacy18
12:12:47 ... collect a lot of personal data
12:13:51 ... users are way more tempted to use service, rather than being concerned about privacy
12:14:11 ensar has joined #dataprivacy18
12:15:01 ... some users are adjusting privacy settings deliberately
12:15:17 ... which seems to be tied also to specific markets
12:15:41 ... in europe, germany and austria are the most privacy concerned countries
12:15:59 ... opera is present in ~95 markets around the world
12:16:07 Andreas has joined #dataprivacy18
12:16:10 Harald-ULD has joined #dataprivacy18
12:19:52 [explains how data collection is carried out & enriched with consent information]
12:22:26 Matthias Schunter - Question: Which role do you see that browsers will play in the field of data protection compliance?
12:22:48 sc has joined #dataprivacy18
12:23:53 Answer: Depends on the browser. Opera depends on Google (using their engine). Major effort could be in building a real transparent way to obtain consent and to provide transparency about which data is actually shared by users with webpages.
12:25:37 ... Data protection is driven by legal persons. Opera could contribute on the privacy-aspects with the end-user perspective as browser are their access point to many services.
12:26:31 Bob has joined #dataprivacy18
12:27:58 Q: ePrivacyR-draft aims to have browsers as tool for interaction business-users on privacy preferences. Any initiatives on Opera's side so far already? A: Not yet.
12:28:11 RRSAgent, make minutes v2
12:28:11 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html Bert
12:29:49 gerardkuys has joined #dataprivacy18
12:32:57 Matthias Schunter presenting on tracking protection.
12:35:01 skirrane has joined #dataprivacy18
12:42:08 Javier has joined #dataprivacy18
12:42:53 Second half of presentation on tracking prevention by Martin Kurze: Do not track (DNT) is only about a bit (1/0 message) about the user preference. Having only one bit was the initial mistake in standardisation. Preferences need to be able to express more than only a yes and no decision. As a mobile communication provider Telecom also considers location tracking as tracking and took this into consideration. Location information is insofar mu[CUT]
12:57:34 Rigo: DNT has a tracking status resource. Can I use that to store [missed]?
12:57:41 Matthias_Schunter: Sure.
12:58:15 Rigo: Tricky legal matter: third party and "legitimate interest".
12:59:37 skirrane has joined #dataprivacy18
12:59:49 adv has joined #dataprivacy18
13:00:09 I think companies will learn over time that it's not a good idea to base too much on 'legitimate interest' - justification and documentation of compliance requires just too much effort and if users become aware the backlash will be evil
13:00:32 Topic: Modeling, recording, communicating and interoperability of consent (Georg Philip Krog 10min)
13:01:23 Formalise privacy policies so that they can be machine readable
13:01:32 vassilios has joined #dataprivacy18
13:01:47 Create trust in the network protocols to enable 3rd parties to share data
13:02:27 Slide what is required to automate lawful processing of data in a network
13:03:25 Georg_Philip_Krog: We're a company from Norway that develops software to manage & disclose end-user's consent.
13:04:49 ... Several 3rd parties. Which data needs to be disclosed to which? What is the 1st party's processing and what is its purpose?
13:05:13 ... How detailed does the legal basis need to be?
13:05:17 ... How detailed does the legal basis need be specified?
13:05:33 Scenario: User data is sent to "company blue" shared with 3rd parties (yellow) who then share with further shared parties (red). User wants to know what happens to her data. What is the minimum information that must be presented to the users? - "company"-Identity, all purposes of processing, legal basis ....
13:06:09 remark: controller also need to decide for a specific legal basis because this is also what determines data subject's rights
13:06:27 ... Some countries need the processing duration period to be specified
13:06:47 ... how do we prove that consent is voluntary
13:07:02 Specifying consent - difficulty here: Is it sufficient to specify consent only or is more required whenever other combinations of consent and other legal ground of Art 6 (1) (b-f) are applicable?
13:07:12 ... How do you build the record for the consent data and in what format?
13:07:19 RRSAgent, make minutes v2
13:07:19 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html Bert
13:08:12 scribenick: Bert, skirrane, Harald-ULD
13:09:31 Necessary to name receiving data controllers (yellow companies), where yellow is a data processor at least the purposes of having this processor need to be named.
13:11:46 Georg_Philip_Krog: [Slide shows data subject (gray), company (blue), some 3rd parties (yellow), and several additional 3rd parties (red) that get data from the yellow ones]
13:41:58 VMireles has joined #dataprivacy18
13:42:57 skirrane has joined #dataprivacy18
13:44:45 (Jason Novak hasn't arrived. Topic skipped. Short break.)
13:44:47 skirrane has joined #dataprivacy18
13:44:56 Topic: interoperability issues for mobile operators (Freddy de Meersmann 10min)
13:46:01 Freddy_de_Meersmann briefly presents Proximus.
13:46:12 ... Freddy provides an overview of Proximus and their collaborations with Eurostats and MIT
13:46:42 they focus on exploring opportunities in the field of location based services
13:46:55 Freddy_de_Meersmann: Telecom operator, and active in location information services. Innovation.
13:47:19 ida has joined #dataprivacy18
13:47:38 ... 3-4 years ago they were asked by Eurostat if they were willing to provide data to compute population density statistics
13:48:04 laurent_oz has joined #dataprivacy18
13:48:41 Shows video about Eurostat and Proximus collaboration on mobile data.
13:49:00
13:49:01 https://drive.google.com/file/d/1leZzWmqwdqzKM3VJ6qThhIdvEyKfR6ok/view?usp=sharing
13:49:08 ... video presented link above
13:49:46 Video explains Eurostat's role (statistics for EU) and how it gets data from national bodies.
13:51:31 Eurostat also looks at quality and cost of collected data, and scientific models.
13:52:20 Requires IT skills, esp. in big data.
13:53:32 skipping to min 16:00 of the video - staged strategy gaining more operators for the system 13:53:36 Another fragment of the video talks about a staged strategy created together with Proximus, but eventually open to other network operators. 13:54:58 The data flow in the first stage of this project is from collected data, to standardized data (done by network operator), to aggregate data. 13:56:09 Rudy: This data collection has to be secure. 13:56:54 Freddy: Churn is a big problem, therefore we want to be able to predict this in advance 13:57:43 Freddy: Proximus is biggest in Belgium, but loses money because customers are leaving. So we're modeling customers to predict their behaviour, based on events. 13:58:54 ... interested in computing macro economic models 13:59:12 ... for this we would need to engage banks, shops etc.. 13:59:16 ... Reliable data for a country or for Europe needs data from more than one operator. 13:59:27 ... plus there are obvious privacy issues 14:00:22 ... we want to do research, however we don't know how to do this in light of the GDPR 14:00:43 ... Looking carefully at privacy. E.g., statistical data of a GSM cell where only a handful of people connect is not really anonymous. 14:00:57 ... this is one of the major drawbacks of the GDPR 14:01:23 Martin_Kurze: What is the business model behind for collecting the statistics? 14:02:36 Freddy_de_Meersmann: We will get paid for it by Eurostat. And we use it to learn what our data means and how we can exploit it ourselves. 14:03:59 ... There is money in being able to provide new data. E.g., number of cyclists in a location is interesting for certain billboard companies or advertisers. 14:04:57 Q: Do you imagine Proximus doing the analytics or other entities? A: This is key competency of Proximus. 14:05:25 Ben: Is this within the competence of Proximus? 14:05:40 Freddy_de_Meersmann: Yes, we consider we have this expertise.
14:06:14 @2: You'd need to track people across borders for some kind of data... 14:06:51 Freddy_de_Meersmann: Yes, indeed. With Eurostat, we are looking for other operators to exchange data with. 14:07:04 Freddy: The first stage was within Belgium, however stage two is Europe wide 14:07:10 ... E.g., Eurostat interested in movement in Schengen zone. 14:07:32 ... we need standards and interoperability with other telecom operators 14:07:35 ... We'd like to be able to track at least movement of groups of people. 14:08:13 Rigo: One of the limitations is that you lower the value of the data 14:08:43 laurent_oz_ has joined #dataprivacy18 14:08:53 Rigo: Aggregation and anonymisation usually lowers the value of the data, because de-anonymisation techniques are getting stronger. 14:08:53 ... deanonymisation is so good you need layers of anonymisation which destroys utility 14:09:02 Rigo: Problem with aggregation and anonymisation is that you lower the quality of the data. On the other side de-anonymisation methods become far better, so sufficiently obfuscating data makes them far less usable. 14:09:42 ... therefore it is better to work with the data subjects and make sure that they know that the data will not be used for other purposes 14:10:18 Mark_Lizar: Collecting events without the identity is one approach. 14:11:02 Mark Lizar: Events seem to be key here 14:11:18 Rigo: But if the event is precise enough, you can often connect it back: The guy that always buys a newspaper at 8:01 in the morning. You don't even need to know his name... 14:12:25 Topic: Building the Legal Knowledge Graph (Victor Mireles) 14:12:44 Victor Mireles presenting Building the Legal Knowledge Graph, Lynx-Project 14:13:34 The idea of the Lynx project is to allow companies to search for relevant regulations in other countries 14:13:48 Idea: Search through different European and Member States regulations. Use case: Company wants to know which rules will apply. 14:14:04 ...
we provide the services necessary to make the search as effective as possible 14:14:17 Source: Language processing of laws, regulations, case law. 14:14:49 it is explained that several legacy systems can be involved, e.g. data protection, oil & gas compliance, labor law 14:14:58 Victor_Mireles: We're partner in the Lynx project. Goal is a system that is able to search through data such as contracts, which are fed into the system in the form of annotated text. 14:16:08 ... Not our goal to formalize every piece of legislation. Rather to extract selected pieces of knowledge, and build a knowledge graph for those. 14:17:03 ... Text from courts, video, aerial photos, etc. 14:17:26 ... we are pushing for the legal industry to take our project outputs 14:17:26 ... Modernizing the legal practice. 14:18:10 ... Legal texts include government data, but also business policies. 14:18:13 ... publishing legal information in a multi-lingual way 14:18:28 ... with as much use of controlled vocabularies as possible 14:18:34 ... Controlled vocabularies allow translation. 14:19:04 RRSAgent, make minutes v2 14:19:04 I have made the request to generate https://www.w3.org/2018/04/17-dataprivacy18-minutes.html Bert 14:23:24 Monica_Palmirani: Your representations of legal texts are not complete? 14:23:54 Victor_Mireles: Indeed, but they still help legal practitioners. 14:24:14 Monica_Palmirani: Risk of bias? 14:24:53 Victor_Mireles: Yes, the risk exists. 14:26:01 Monica_Palmirani: Your selection makes certain aspects easier to access than others, which invites bias. 14:26:45 Sabrina: Avoiding bias is really difficult. 14:27:03 Sabrina: Yes, we had that experience. People trying to formalize texts put in more of what they knew well. 14:27:33 ... A question for you: What motivates your choice of subsets? 14:28:13 Subsets: 1. privacy law compliance, 2. labour law in Spain for companies setting up business in Spain, 3.
renewable energy regulation in Norway 14:28:14 Victor_Mireles: Our use cases, labour law in Spain and renewable energy in Norway. 14:28:37 Sabrina: How do you do the extraction? Manual? Automatic? 14:28:50 Victor_Mireles: No answer yet, hopefully in a year... 14:28:54 Q: Number of text analytics done? To be answered in the future, currently developing the tools for that. 14:30:10 Rigo: In my experience, lawyers in a library find info faster than a computer. 14:30:35 Rigo: Legal identifiers are really unique. In every kind of jurisdiction we have namespaces for regulations including numbers. Question: France has 103'000 Provisions. Wouldn't it be better to go one by one, starting with specific laws. 14:30:54 ... An approach may be to model case by case, and try to merge them into a general tree afterwards, instead of modeling, say, the GDPR as a whole. 14:31:28 Victor_Mireles: Surface forms of laws differ a lot, especially between countries. 14:31:30 About Identifiers: They exist in theory but in practice there are several ways to refer to an article in Spain, which gives several identifiers for the same rule. 14:31:52 ... We do a bit as you suggest. We start from our three use cases. 14:32:24 @Bert sorry about that 14:34:16 Eva_Schlehahn: Do you have a strategy how to integrate? 14:34:17 Q Eva: Law is not static. Each court decision may take interpretation further. Do you have a plan how to deal with this? 14:35:06 Victor_Mireles: We work mostly at level of a paragraph, we rely on humans to decide if one paragraph overrides another. 14:35:19 A: Have basic paragraphs and annotate them. But real interpretation is for the humans. Technology provides you the paragraphs which appear to the computer to address the same things. 14:37:29 @3: ... [something about time: rules that were valid yesterday but not today]... 14:38:52 Task to put on sticky paper: What are the issues you believe that could be standardized with respect to privacy.
Up to three issues, if none stick up empty post. Posts are necessary for tomorrow's session. 14:38:53 Vassilios: For the discussion tomorrow, we'd like you to put post-its on the left wall with three points that you think should be standardized. 14:40:22 Monica Palmirani presenting on PrOnto: Privacy Ontology for Legal Reasoning 14:40:22 Topic: The governmental side & initiatives 14:40:34 skirrane has joined #dataprivacy18 14:40:42 Topic: Integrating ontologies for privacy legal reasoning (Monica Palmirani 10min) 14:41:36 Monica_Palmirani: Presenting PrOnto project. 14:42:11 ... Existing XML format for legal documents. 14:42:40 ... Formats and ontologies change over time. 14:44:28 ... LOD to bind them together and bind to the official, published texts. 14:45:09 ... Need to track process to prove we comply. 14:45:19 ... Developed ontology. 14:46:13 ... Two teams, one in Australia and one in Luxemburg, with legal and logical experts. 14:46:42 ... Need common vocabulary to be able to compare their results. 14:47:44 ... Coded version cannot legally replace the text, but we use it to annotate. 14:48:31 Further sources include crowdsourcing, and other sources IoT, ... 14:48:55 ... Modules for rules in different countries. 14:49:04 Monica_Palmirani: wants to include deontic concepts 14:49:41 ... PrOnto thus helps to find the basis for rules. 14:50:12 schunter has joined #dataprivacy18 14:50:15 ... Pillar of the ontology is data, processing, purposes, agents, rights/obligations 14:50:15 ... Ontology based on concepts of data, processing, rights/obligations, agents, and purposes. 14:50:30 quite similar to SPECIAL 14:51:18 ... E.g., processing concept includes ideal workflow, plan and actual execution. 14:51:27 ... one part of the ontology dedicated to the execution (check the plan and compare it to the policy) 14:51:29 Another part of the ontology dedicated to the execution (...of the law?) - e.g. in case of data breaches. 14:51:46 ...
Agent includes roles and events in time. 14:52:04 Agents: Each entity is connected with roles. Each entity is connected with rights. 14:52:09 ... Rights are an extension of LegalRuleML. 14:52:41 ... Purposes used by Processing. 14:53:22 Cloud4EU Project Scenario 14:53:33 ... The Cloud4EU project did a first part of this, focused on privacy by design. 14:54:01 ... LegalRuleML has links to original text. 14:54:33 ... We have tools, in particular a dashboard for the users. 14:55:16 ... And tool for compliance checking, that creates a report (i.e., more than just yes/no) 14:56:30 Q Eva: Wondering if there are ways to express information on the means of processing (software used, hardware used). 14:56:36 Eva_Schlehahn: Wondering about the means of processing, methods and software. 14:57:29 Monica_Palmirani: Process is sequence of defined actions. 14:57:46 A: Project is based on a model of UK. Model of actors and conditions can be extended by more steps. 14:57:49 ... Based on analysis done in UK. 14:58:33 Topic: Privacy and Data Protection in Australia (David Watts 10min) 14:59:10 David_Watts: My background is policy maker and lawyer, not technology. 14:59:38 ... From that perspective: 15:00:05 ... Policy for me means public policy, not protocols. 15:00:30 ... So for me the GDPR is not policy, but rather an implementation of a policy. 15:01:08 ... Another confusing term is ownership, in particular "information ownership". 15:01:32 Vmireles has joined #dataprivacy18 15:01:43 ... You cannot own information. But in tech., it means controlling, being responsible for. 15:02:19 ... And I'm from Australia. GDPR doesn't apply there, as to 90% of the world. 15:02:27 GDPR applies to 6% of people - there are another 94%. 15:02:43 ... There is some extraterritorial application, but it's limited. 15:03:28 ... Clinton administration in 1993 set a policy. It was based on cooperation rather than regulation.
15:03:29 When internet was set up the policy was set up by the Clinton administration. Core-concept was cooperation 15:03:44 ... That is basically how the Internet works to this day. 15:04:12 ... Internet seems to have become a surveillance domain. 15:04:41 ... GDPR changes things a bit, but probably not a lot. 15:04:58 ida has joined #dataprivacy18 15:05:06 Internet became surveillance space. Currency are personal data, as advertisers pay for internet services. 15:05:08 ... Internet based on monetising information, advertising. 15:05:48 ... Internet services' goal is to make users addicted, make them stay on a site. 15:06:12 gerardkuys has joined #dataprivacy18 15:06:13 ... I think "consent" as a concept has failed. 15:07:04 ... Not that consent isn't important. But implementation failed. 15:07:33 (Slide 2:) Failures of core regulatory concepts - consent, purpose, anonymity, "reasonable steps", security => All these concepts were collected from the public sector not from business processes. 15:08:21 ... If the goal of a service is to sell advertising, then surveillance seems like a valid purpose. 15:08:36 yiyin has joined #dataprivacy18 15:09:03 The question is how can this vocabulary be implemented so that it actually works? Missing this aim has threats such as endangering democracy, uncontrolled monopolies, manipulation of attitudes and opinions 15:09:08 ... Consequence is covert manipulation, resulting in threat to democracy. 15:09:38 ... So why do we _say_ privacy is important but _act_ as if it isn't? 15:10:00 ... Lack of knowledge? Addiction? 15:10:29 ... Can Linked Data support regulatory policies? 15:10:56 ... Must be in conjunction with public policy. 15:11:27 ... And needs standards. 15:11:43 ... Empowering end-users? 15:12:20 ... Can be done through technology, but only together with law. 15:12:53 @4: Information governance? 15:13:17 David_Watts: There have been many problems caused by lack of governance. 15:13:30 ... Often to do with lack of security.
15:13:45 ... Hard to get managers to understand the need for security. 15:14:05 ... They understand security in oil digging, not in information. 15:14:23 ... Also have to deal with ethics. 15:14:59 ... What are the ethics? And what are consequences of not following them. 15:16:08 Rigo gives example of engineer building a bridge that collapses. He will be fired. Not so in software. But Sabrina counters that, in one case like the other, it is often a group effort, and not clear who is responsible. 15:17:16 Somebody remarks that insurance companies will be interested in that question, when money is involved. 15:17:45 Topic: Privacy for linked open government data (Peter Bruhn Andersen 10min) 15:17:57 Peter_Bruhn_Andersen on Privacy for linked open government data 15:18:25 Peter_Bruhn_Andersen: Denmark is highly digitized. 15:18:48 Denmark is highly digitalized. all citizens have an ID. 15:18:56 ... Everybody has an ID that is used in all government databases, for all kinds of purposes. 15:19:19 ... So in theory should be easy to find out what data is stored about me. 15:20:11 ... Working on Linked Data to allow this. 15:20:59 ... But we have many thousands of databases. 15:21:21 ... They use different APIs and different access-control mechanisms. 15:22:11 ... Would like to have unified API based on Linked Data. 15:23:03 Sabrina: In preparation for this workshop, we focused on vocabulary question, but we're interested in protocols, scale, etc. as well. 15:23:14 ... They cannot always be separated. 15:23:45 Comment by Sabrina: When we started to think about this workshop we were also very interested in the platform. Given that we have open and closed data we need a platform for those, so we should also think about platforms. 15:23:56 Topic: The UK Data Archive (Darren Bell 10min) 15:24:43 Darren_Bell: From perspective of data architect. 15:24:50 Darren Bell: We talk about disclosure as opposed to Privacy 15:25:17 ...
once the data has been shared it's about managed risk 15:25:41 ... Talking about private data, but in reality, when it's shared, it's no longer private. 15:25:54 ... we have administrative processes however they just don't scale 15:26:17 ... we need more machine actionable clever approaches that can scale 15:26:33 ... Assessment of risk instead. E.g., smart electricity meters being introduced in UK. Leads to a lot of data. 15:26:44 ... we need to unlock governmental data. At the moment governments are risk averse 15:27:01 ... we need an ontology solution and also metadata 15:27:03 ... Unlock data based on meta-data ontologies. 15:27:30 Ontology describes de-anonymisation operations to define risks. 15:27:37 ... we would like an ontology that describes deanonymisation that can feed into a risk profile 15:28:13 ... aggregation there is a utility tradeoff, we need more information on this 15:28:36 ... Describe the de-anonymisation processes in order to formulate useful ontologies. 15:29:07 ... Linked Open Data doesn't have much disclosure risks, in principle. 15:29:34 ... Linkage becomes trivial, technically. But risk assessment is not. 15:30:18 Rigo: How do you measure disclosure risks? 15:30:31 ... Disclosure is usually treated as yes/no. 15:30:59 ... I proposed an entropy-based approach long ago. 15:31:13 Darren_Bell: It's indeed not binary. 15:31:40 ... I don't know how we will measure risk. But we need to go in that direction. 15:32:16 ... We don't know the answer, but I think we can find an answer. 15:33:11 ... Experts still give different evaluations of the same situation. 15:34:37 Joss Langford: Are you aware of the anonymisation decision framework out of the UK? 15:35:30 Darren_Bell: Yes, but not sufficiently mathematical yet. 15:36:11 MarkLizar has joined #dataprivacy18 15:39:32 Sabrina: Aren't policy makers too risk-averse for XXX?
15:39:37 UMA Legal -Licensing for personal data--> https://kantarainitiative.org/confluence/display/uma/UMA+Legal 15:41:38 Rigo: Standardisation can be an 80-20 solution. Defining the definitely green area and leave the rest for later. 15:41:55 Topic: GDPR transparency requirements (Schlehahn/Zwingelberg 10min) 15:43:18 We have heard different approaches about transparency and obtaining consent - talk will focus on legal text's requirements. 15:43:31 Eva_Schlehahn: My role here is to explain what the GDPR actually says about transparency. 15:44:00 ... Not just about data, also about processing. 15:45:14 Aspects to make transparent: which data for which extent? processed in which way / by which means? purposes? transfer to third parties / countries? 15:45:33 ... which data, how, why, by whom, for whom? 15:46:36 ... Some examples: 15:46:38 Control and understanding of their own processes is also important to organisations themselves. 15:48:08 ... IT processes, but also other processes. Logs of who accessed the data. Versions of systems. 15:48:16 Necessary for the specification may be the "status of a consent" in terms of given / pending / refused / withdrawn? Consent management should be made easy for data subjects, e.g. with mobile phone apps. 15:49:27 Could the specification also support the execution of data subjects rights such as right to access, deletion or rectification? 15:50:43 Specification should be able to express categories of data (special categories vs. 'normal' categories), typical classes such as master record data, movement and location data, logfiles and protocol data. 15:51:21 ... GDPR defines special categories of data, such as religious beliefs, health or trade union membership. 15:53:11 ... Data about a child needs consent from an adult. 15:54:24 ... Consent is distinguished in implicit and explicit. Consent can be given, not yet given or withdrawn.
15:56:48 Monica_Palmirani: Portability of data restricted to your own original data, not what the company derived from it. 15:56:56 Q: Classes of data - during research they found that classification is useful between original data, derived data, linked data. Right of access may not be applicable to linked data or derived results. (Art 22 algorithms.) 15:57:26 Eva_Schlehahn: Data always linked to purpose. 15:59:28 Harald: [in answer to a question] standardizing purposes amount to standardizing business processes. We're probably better off leaving that as a free text field. But may extend what P3P did. 15:59:38 s/amount/amounts/ 16:00:10 Purposes can also be _kind_ of purpose, which may be more manageable. 16:00:31 Q: Clear suggestions for data types but not for purposes. reason? A: too many potential purposes. 16:01:44 Monica: Art 29 WP on consent pointed to have specific purposes and to not fallback to consent as a default. 16:02:19 Rigo: W3C is about to obsolete P3P. P3P was very much influenced by [YYY]. But useful to study it.