W3C

- DRAFT -

Data Privacy Vocabularies and Controls Community Group Teleconference

16 Oct 2018

Agenda

Attendees

Present
Rigo, sabrina
Regrets
Chair
axel
Scribe
rigo, harsh


<rigo> trackbot, start meeting

<rigo> scribe: rigo

<harsh> scribe: harsh

Axel: Introduction, New members (Niklas).

Niklas: Masters student at WU working on Privacy. Helping with existing categorisation and taxonomies (Axel).

Axel: Everyone who is new should create a web page with some details of their profile on the wiki.

<AxelPollleres> PROPOSED: approve last meeting minutes https://www.w3.org/2018/09/18-dpvcg-minutes

<AxelPollleres> +1

Axel: discussing minutes from last meeting (the previous telecall was cancelled), so the last meeting was 18 September.
... Any objections, questions?

Eva: No objections

RESOLUTION: approve last meeting minutes https://www.w3.org/2018/09/18-dpvcg-minutes

Axel: Going through the action items. Currently, many items open (most for myself and Bert)

https://www.w3.org/community/dpvcg/track/actions/open

<AxelPollleres> ACTION-6 continued

Axel: For Opera use-case, do we have Michael here?

<Michael not present>

<AxelPollleres> ACTION-7 continued

Axel: Bert for discussion on SPECIAL use-cases (Bert N/A today)
... Editing Action 14

Rigo: It's easier to use the bot to interact with the Actions

<rigo> it's easier to use the web to edit actions

Axel: Action 17 - propose to close this action

Eva: it would be useful to know whether the template for the use-cases would be useful, feedback on changes would be useful

Axel: We can put this on the agenda for the next meeting

Eva: If anyone notices anything odd/wrong or to improve the template, we should discuss this

Axel: We are looking for categories of data, processing, etc. This should be reflected in the use-case, which it currently is not.

<rigo> https://www.w3.org/community/dpvcg/wiki/Use-Cases,_Requirements,_Vocabularies

<AxelPollleres> ... discuss templates next time, my feeling is that the categories we discussed now are better reflected in the template.

Eva: Maybe we can add a new option for looking at the required terms/concepts in the templates

Rigo: I can help with the templates

<AxelPollleres> ACTION: eva to look over the use cases template to reflect better what we agreed upon as requirements/priorities last time.

<trackbot> Created ACTION-26 - Look over the use cases template to reflect better what we agreed upon as requirements/priorities last time. [on Eva Schlehahn - due 2018-10-23].

<AxelPollleres> close ACTION-14 with reference to new action-26

<AxelPollleres> close ACTION-14

<trackbot> Closed ACTION-14.

<AxelPollleres> close ACTION-17

<trackbot> Closed ACTION-17.

Axel: Accidentally closed Action 14 instead of Action 17. Re-opening Action 14.

<AxelPollleres> ACTION-14 reopened.

Axel: Action 18 for MyData use-cases

Stefano: I went through the high-level use-cases and added them to the use-cases list

<AxelPollleres> 2 use cases from myData added

<AxelPollleres> close ACTION-18

<trackbot> Closed ACTION-18.

Axel: Action 19 contact digi.me is continued

<AxelPollleres> ACTION-20 and ACTION-21 have been closed by Eva...

Eva: Action 20 (added to wiki) and 21 (talk to Eva regarding BDVA) were closed before call.

<Eva__ULD_> https://www.w3.org/community/dpvcg/track/actions

<AxelPollleres> ACTION: Axel to put discussion on new use cases on the agenda

<trackbot> Created ACTION-27 - Put discussion on new use cases on the agenda [on Axel Polleres - due 2018-10-23].

<Eva__ULD_> The above link shows all actions of the group, regardless of being closed or open

Axel: Action 23 Talking with Bert about refining scope/schedule of group. Proposed to postpone until F2F meeting.

Rigo: Where will it be? I will be there.

Axel: Propose to keep the action open and talk about it at F2F in London

<AxelPollleres> Axel: talk about a timeline and milestones in London.

Axel: Action 24 This is a mixture of the new action for Eva. This could be left open, to specify that all use-cases reflect the requirements, regarding concepts.

https://www.w3.org/community/dpvcg/wiki/Taxonomy

<AxelPollleres> close ACTION-25

<trackbot> Closed ACTION-25.

Axel: Definitions from terms appear to have been instantiated

These are from the email (from Niklas) containing definitions from GDPR

definitions

Axel: Question - how far these definitions are sufficient for us? Are the definitions from GDPR sufficient? There was some discussion on the definition of consent in the mails.

Eva: How close should we stick to the GDPR definitions? We should be careful if we deviate from the GDPR too much. Terms such as from USA, that sound similar, have different scopes in terms of legal definitions.

<AxelPollleres> consent = agreement with a [data controller] to specific [processing] of specific [data categories] for specific [purpose]

Rigo: We have to think this for the goal we want to achieve. It's of no use if we re-define a legal definition. The legal definitions are what the courts will use. Such as what informed consent means. And if our definition doesn't contain that, then we need to transform the court decision to re-use the term. The taxonomy itself should use the data-controller.
... For taxonomy, we have the term Data Controller, and then we can dissect or find out if the term is made out of several additional requirements. For me, it is a second step. Because then, in law, you can dive into infinite refining of definitions. If we try to drill down, we can do that endlessly, and we end up in loops.

Eva: I agree with Rigo, we need to be clear with what the taxonomy is supposed to do

Axel: My point is that, for e.g. consent needs refinement. The current definition is only a definition.

Rigo: If we want to make this useful, we need to make machine testable points. E.g. if we have consent, and it has click okay button. Legal definitions do not have machine interpretations.

Eva: Technology can help in this, but cannot help for cases such as user has not responded

<AxelPollleres> consent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]

Rigo: It should help us for data handling and not in explaining what consent is. Taxonomy should reduce legal complexity.

Eva: You could add a label for valid/invalid consent. If someone gives consent, and later it is decided to be invalid by courts, technology can label it as such

<stefano> +q

Niklas: The concept of validity and invalidity is already present in the definition

Stefano: If the discussion is on the definition of consent, or we are also discussing what should be in the consent. The components of consent would also be useful.
... If the consent does not have purpose etc. then it would not be very useful

<AxelPollleres> rigo: if we fully define what consent is, we will hit the wall

Rigo: If we define what consent is, we will hit the wall at some point in time, because it will get very complex, and it does not serve the purpose of the algorithms that will use the taxonomy.

<AxelPollleres> ... but we would need the components in a taxonomy

Rigo: I would like to see the related concepts/things about consent in the taxonomy
... In linked data, with the open world assumption, the NOT operator does not work very well.

Question to technicians: if something is close to the requirements, but does not trigger the consent (yes) variable, we can have the unset operator.

Maybe we need something like invalid consent and have statements on that.

Rigo: We shouldn't formulate things that should be in, related to, consent but have them in the taxonomy
... For other approaches after/similar to GDPR, they can reuse this work

<AxelPollleres> </chairhat>

<rigo> Rigo: because they consider it good enough

Axel: We have taxonomy as a container

<rigo> Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

<AxelPollleres> consent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]

<AxelPollleres> [4:28pm]

Axel: Consent is just an object which has the attributes (see text above)
... We did not discuss which kind of actions are associated with consent, but we should include those. Such as clicking a button, for how consent is given.
... We want to define taxonomies for this.

<AxelPollleres> <chairhat>

Eva: We are thinking in the same direction. Stefano said he wants to see what things consent entails. Axel has mentioned elements of consent.
... We should also label statuses of consent - pending, given, denied

<rigo> eva wants properties of consent

<rigo> valid, invalid, given, pending

Eva: My slides at DPVCG workshop in Vienna had suggestions on this. This could be an action point for what are the elements for consent we need to define for the taxonomy.
... We can learn from each other (different domains) to express this

Axel: Formulate this as an issue instead of an Action. (Rigo agrees)

<AxelPollleres> ISSUE: What are the elements of consent? starting from "onsent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]"

<trackbot> Created ISSUE-4 - What are the elements of consent? starting from "onsent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]". Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/4/edit>.

Niklas: The data structure should also be present in the general structure

Axel: Data subject, not data subject

( Axel tries regex replace )

Proposal: have competency questions for properties/answer related to consent, and the answer would be what we would describe in taxonomy

<AxelPollleres> ACTION: harsh to propose competence questions on what consent comprises

<trackbot> Created ACTION-28 - Propose competence questions on what consent comprises [on Harshvardhan Pandit - due 2018-10-23].

Rigo: These can be formulated as points or questions, and we can transform them between each other using machines/automation
... This discussion exemplifies other things, we have conditions before 'A' is met, and the systematic of the GDPR says, we need a processor, and data subject, and we need the 'condition' that makes processing legal - which is what consent is under.

<AxelPollleres> ACTION: axel to put review of issues list and starting time on the agenda template (note to self)

<trackbot> Created ACTION-29 - Put review of issues list and starting time on the agenda template (note to self) [on Axel Polleres - due 2018-10-23].

Rigo: We need an annotation - legal (question mark) for legal processing, and we can have legal reasons such as necessity, security, and we can import all public law, such as contract law, which goes under consent, There is legitimate interest.
... What we are doing now with consent, we have to do with the others
... And the taxonomy will go down into sub-terms. And these would be things that constitute informed-ness in consent.
... What we can do here with consent would be a template for how we treat the other consents
... Data Controller, Data Subject, Legal Processing are the top terms. (Eva agrees)

Axel: What is Legal Processing?

Rigo: It is the opposite of illegal processing

Axel: We need processing categories, and then we decide if they are consent based or not?

Rigo: No, there are more bases for legal processing

<AxelPollleres> ... certain processing can be permitted or prohibited by definition.

<AxelPollleres> So we need overall constraints.

Eva: This is why defining consent as a permission can be tricky. Because in GDPR there are more permissions than consent.
... Consent is one of several permissions.

<AxelPollleres> eva: Some entity may be permitted by law for certain processing.

<AxelPollleres> eva: lynx is also doing a taxonomy

Eva: LYNX has data controller as the accounting manager of the company. This does not meet the GDPR requirements.

<AxelPollleres> ... their glossary seems to be not compliant with GDPR

Legal basis for processing mentioned in GDPR: Contract with Data Subject, Exempted by National Law, Employment Law, Given Consent, Historic, Statistical, or Scientific Purposes, Legal claims, Legal obligation, Legitimate Interest, Made public by Data Subject, Medical, Diagnostic, or Treatment, Not for Profit Org. Public Interest, Purpose of New Processing, Vital Interest

Rigo: (response to Eva) They mean the person who is responsible

Eva: It can be different based on organisation

Rigo: A Data Controller is a natural/legal person

+q

Axel: We should try to do this in a sparse manner. Niklas' article to analyse terms and conditions shows that they are not understandable. Not sure whether we need to cover those.

Rigo: Don't do this. They are hard.

Axel: They have very complicated, nested expressions ranging from very broad to very specific. Not sure whether we want to cover such T&C.

Rigo: It is very very difficult to design a tree from the branches. It's much easier to design from the roots. (Axel agrees)
... Imagine this like a mindmap, where the relation is clear to a human but not to a machine. The challenge to technicians is to know what are the things that trigger whether a processing is permitted. This is a modelling challenge

<AxelPollleres> "rigo: where can we use conditions, where permissions, where obligations?" sounds to me like mapping to ODRL

Rigo: What are the points that combined define consent as a legal basis? What do we have as permissions / logic operators ?

Eva: Ideas about labelling things beyond permissions

<Javier> "The challenge to technicians is to know what are the things that trigger whether a processing is permitted" ... reminds me of Business process modelling

Rigo: We can label it as ODRL, as in GDPR we have the paradigm where everything is prohibited until we have a permission

Axel: Due to time, postpone the discussion to mailing list / next meeting

<AxelPollleres> continue Definitions discussion on the mailing list.

<rigo> then everything turns into a permission, which may be difficult for the machines

5) Plan next meeting(s) and revisit timeline, particularly: F2F in Nov or Dec (around EBDVF or ICT18, both in Vienna)

Axel: F2F in Vienna. Option 1: Meet around or during EDF (European Data Value Forum) in November or ICT in December.

<AxelPollleres> eva: will be at both

Eva: I will be at both

<stefano> I will not very likely

Axel: Let us have a Vote.

<AxelPollleres> Option A: 12-14 Nov

<stefano> Where is ICT 2018?

<AxelPollleres> Option B: 15 November

<rigo> Vienna

<AxelPollleres> Option C: 5 December

<Sabrina> 15 Nov does not suit due to lectures

<AxelPollleres> Option D: 3 December

<Sabrina> Axel is lecturing also

+1 Option C & Option D

<AxelPollleres> D,C

<Eva__ULD_> I favor options A, C or D

We should also formally ask for preferences over the mailing list

<AxelPollleres> Niklas: A,B,C,D

<Sabrina> +1 Option C

<stefano> I cannot make it

<Javier> B, C, D

Option C and Option D have most votes (6 votes)

<Sabrina> We already have an agenda

<Sabrina> it depends on that

Next call on 6th November in three weeks

<AxelPollleres> ACTION: Axel to send a doodle poll over the list for F2F

<trackbot> Created ACTION-30 - Send a doodle poll over the list for f2f [on Axel Polleres - due 2018-10-23].

(query by Axel)

<Eva__ULD_> no objections

Axel: Proposal - slot in SPECIAL meeting for update to the group, otherwise the regular call will be on 6th November.

( end of meeting )

<AxelPollleres> next regular DPVCG call 6 Nov, maybe an extra short call on 30October, but not yet confirmed.

Summary of Action Items

[NEW] ACTION: Axel to put discussion on new use cases on the agenda
[NEW] ACTION: axel to put review of issues list and starting time on the agenda template (note to self)
[NEW] ACTION: Axel to send a doodle poll over the list for F2F
[NEW] ACTION: eva to look over the use cases template to reflect better what we agreed upon as requirements/priorities last time.
[NEW] ACTION: harsh to propose competence questions on what consent comprises
 

Summary of Resolutions

  1. approve last meeting minutes https://www.w3.org/2018/09/18-dpvcg-minutes
[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2018/10/16 15:03:55 $

Agenda: https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0015.html