<rigo> trackbot, start meeting
<rigo> scribe: rigo
<harsh> scribe: harsh
Axel: Introduction, New members (Niklas).
Niklas: Masters student at WU working on Privacy. Helping with existing categorisation and taxonomies (Axel).
Axel: Everyone who is new should create a web page with some details of their profile on the wiki.
<AxelPollleres> PROPOSED: approve last meeting minutes https://www.w3.org/2018/09/18-dpvcg-minutes
<AxelPollleres> +1
Axel: discussing minutes from
last meeting (the previous telecall was cancelled,) so the last
meeting was 18 September.
... Any objections, questions?
Eva: No objections
RESOLUTION: approve last meeting minutes https://www.w3.org/2018/09/18-dpvcg-minutes
Axel: Going through the action items. Currently, many items open (most for myself and Bert)
<AxelPollleres> ACTION-6 continued
Axel: For Opera use-case, do we have Michael here?
<Michael not present>
<AxelPollleres> ACTION-7 continued
Axel: Bert for discussion on
SPECIAL use-cases (Bert N/A today)
... Editing Action 14
Rigo: It's easier to use the bot to interact with the Actions
<rigo> it
<rigo> 's easier to use the web to edit actions
Axel: Action 17 - propose to close this action
Eva: it would be useful to know whether the template for the use-cases would be useful, feedback on changes would be useful
Axel: We can put this on the agenda for the next meeting
Eva: If anyone notices anything odd/wrong or to improve the template, we should discuss this
Axel: We are looking for categories of data, processing, etc. This should be reflected in the use-case, which it currently is not.
<rigo> https://www.w3.org/community/dpvcg/wiki/Use-Cases,_Requirements,_Vocabularies
<AxelPollleres> ... discuss templates next time, my feeling is that the categories we discussed now are better reflected in the template.
Eva: Maybe we can add a new option for looking at the required terms/concepts in the templates
Rigo: I can help with the templates
<AxelPollleres> ACTION: eva to look over the use cases template to reflect better what we agreed upon as requirements/priorities last time.
<trackbot> Created ACTION-26 - Look over the use cases template to reflect better what we agreed upon as requirements/priorities last time. [on Eva Schlehahn - due 2018-10-23].
<AxelPollleres> close ACTION-14 with reference to new action-26
<AxelPollleres> close ACTION-14
<trackbot> Closed ACTION-14.
<AxelPollleres> close ACTION-17
<trackbot> Closed ACTION-17.
Axel: Accidentally closed Action 14 instead of Action 17. Re-opening Action 14.
<AxelPollleres> ACTION-14 reopened.
Axel: Action 18 for MyData use-cases
Stefano: I went through the high-level use-cases and added them to the use-cases list
<AxelPollleres> 2 use cases added from myData added
<AxelPollleres> close ACTION-18
<trackbot> Closed ACTION-18.
Axel: Action 19 contact digi.me is continued
<AxelPollleres> ACTION-20 and ACTION-21 have been closed by Eva...
Eva: Action 20 (added to wiki) and 21 (talk to Eva regarding BDVA) were closed before call.
<Eva__ULD_> https://www.w3.org/community/dpvcg/track/actions
<AxelPollleres> ACTION: Axel to put discussion on new use cases on the agenda
<trackbot> Created ACTION-27 - Put discussion on new use cases on the agenda [on Axel Polleres - due 2018-10-23].
<Eva__ULD_> The above link shows all actions of the group, regardless of being closed or open
Axel: Action 23 Talking with Bert about refining scope/schedule of group. Proposed to postpone until F2F meeting.
Rigo: Where will it be? I will be there.
Axel: Propose to keep the action open and talk about it at F2F in London
<AxelPollleres> Axel: talk about a timeline and milestones in London.
Axel: Action 24 This is a mixture of the new action for Eva. This could be left open, to specify that all use-cases reflect the requirements, regarding concepts.
https://www.w3.org/community/dpvcg/wiki/Taxonomy
<AxelPollleres> close ACTION-25
<trackbot> Closed ACTION-25.
Axel: Definitions from terms appear to have been instantiated
These are from the email (from Niklas) containing defintions from GDPR
Axel: Question - how far these definitions are sufficient for us? Are the definitions from GDPR sufficient? There was some discussion on the definition of consent in the mails.
Eva: How close should stick to the GDPR definitions? We should be careful if we deviate from the GDPR too much. Terms such as from USA, that sound similar, have different scopes in terms of legal definitions.
<AxelPollleres> consent = agreement with a [data controller] to specific [processing] of specific [data categories] for specific [purpose]
Rigo: We have to think this for
the goal we want to achieve. It's of no use if we re-define a
legal definition. The legal definitions are what the courts
will use. Such as what informed consent means. And if our
definition doesn't contain that, then we need to transform the
court decision to re-use the term. The taxonomy itself should
use the data-controller.
... For taxonomy, we have to term Data Controller, and then we
can dissect or find out if the term is made out of several
additional requirements. For me, it is a second step. Because
then, in law, you can dive into infinite refining of
definitions. If we try to drill down, we can do that endlessly,
and we end up in loops.
Eva: I agree with Rigo, we need to be clear with what the taxonomy is supposed to do
Axel: My point is that, for e.g. consent needs refinement. The current definition is only a definition.
Rigo: If we want to make this useful, we need to make machine testable points. E.g. if we have consent, and it has click okay button. Legal definitions do not have machine interpretations.
Eva: Technology can help in this, but cannot help for cases such as user has not responded
<AxelPollleres> consent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]
Rigo: It should help us for data handling and not in explaining what consent is. Taxonomy should reduce legal compexcity.
Eva: You could add a label for valid/invalid consent. IF someone gives consent, and later it is decided to be invalid by courts, technology can label it as such
<stefano> +q
Niklas: The concept of validity and invalidity is already present in the definition
Stefano: If the discussion is on
the definition of consent, or we are also discussing what
should be in the consent. The components of consent would also
be useful.
... If the consent does not have purpose etc. then it would not
be very useful
<AxelPollleres> rigo: if we fully define what consent is, we will hit the wall
Rigo: If we define what consent is, we will hit the wall at some point in time, because it will get very complex, and it does not serve the purpose of the algorithms that will use the taxonomy.
<AxelPollleres> ... but we would need the components in a taxonomy
Rigo: I would like to see the
related concepts/things about consent in the taxonomy
... In linked data, with the open world assumption, the NOT
operator does not work very well.
Question to technicians: if something is close to the requirements, but does not trigger the consent (yes) variable, we can have the unset operator.
Maybe we need something like invalid consent and have statements on that.
Rigo: We shouldn't formulate
things that should be in, related to, consent but have them in
the taxonomy
... For other approaches after/similar to GDPR, they can reuse
this work
<AxelPollleres> </chairhat>
<rigo> Rigo: because they consider it good enough
Axel: We have taxonomy as a container
<rigo> Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
<AxelPollleres> consent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]
<AxelPollleres> [4:28pm]
Axel: Consent is just an object
which has the attributes (see text above)
... We did not discuss which kind of actions are associated
with consent, but we should include those. Such as clicking a
button, for how consent is given.
... We want to define taxonomies for this.
<AxelPollleres> <chairhat>
Eva: We are thinking in the same
direction. Stefano said he wants to see what things consent
entails. Axel has mentioned elements of consent.
... We should also label statuses of consent - pending, given,
denied
<rigo> eva wants properties of consent
<rigo> valid, invalid, given, pending
Eva: My slides at DPVCG workshop
in Vienna had suggestions on this. This could be an action
point for what are the elements for consent we need to define
for the taxonomy.
... We can learn from each other (different domains) to express
this
Axel: Formulate this as an issue instead of an Action. (Rigo agrees)
<AxelPollleres> ISSUE: What are the elements of consent? starting from "onsent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]"
<trackbot> Created ISSUE-4 - What are the elements of consent? starting from "onsent = agreement through an [affirmative action] at a specific [time] with a [data controller] to specific [processing] and [storage] of specific [data categories] for specific [purpose] and [duration]". Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/4/edit>.
Niklas: The data structure should also be present in the general structure
Axel: Data subject, not data subject
( Axel tries regex replace )
Proposal: have comptenency questions for properties/answer related to consent, and the answer would be what we would describe in taxonomy
<AxelPollleres> ACTION: harsh to propose competence questions on what consent comprises
<trackbot> Created ACTION-28 - Propose competence questions on what consent comprises [on Harshvardhan Pandit - due 2018-10-23].
Rigo: These can be formulated as
points or questions, and we can transform them between each
other using machines/automation
... This discussion exemplifies other things, we have
conditions before 'A' is met, and the systematic of the GDPR
says, we need a processor, and data subject, and we need the
'condition' that makes processing legal - which is what consent
is under.
<AxelPollleres> ACTION: axel to put review of issues list and starting time on the agenda template (note to self)
<trackbot> Created ACTION-29 - Put review of issues list and starting time on the agenda template (note to self) [on Axel Polleres - due 2018-10-23].
Rigo: We need an annotation -
legal (question mark) for legal processing, and we can have
legal reasons such as necessity, security, and we can import
all public law, such as contract law, which goes under consent,
There is legitimate interest.
... What we are doing now with consent, we have do with the
others
... And the taxonomy will go down in to sub-terms. And these
would things that constitute informed-ness in consent.
... What we can do here with consent would be a template for
how we treat the other consents
... Data Controller, Data Subject, Legal Processing are the top
terms. (Eva agrees)
Axel: What is Legal Processing
Rigo: It is the opposite of illegal processing
Axel: We need processing categories, and then we decide if there are consent based or not?
Rigo: No, there are more basis for legal processing
<AxelPollleres> ... certain processing can be permitted or prohibited by definition.
<AxelPollleres> So we need overall constraints.
Eva: This is why defining consent
as a permission can be tricky. Because in GDPR there are more
permissions than consent.
... Consent is one of several permissions.
<AxelPollleres> eva: Some entity may be permitted by law for certain processing.
<AxelPollleres> eva: lynx is also doing a taxonomy
Eva: LYNX has data controller as the accounting manager of the company. This does not meet the GDPR requirements.
<AxelPollleres> ... their glossary seems to be not compliant with GDPR
Legal basis for processing mentioned in GDPR: Contract with Data Subject, Exempted by National Law, Employment Law, Given Consent, Historic, Statistical, or Scientific Purposes, Legal claims, Legal obligation, Legitimate Interest, Made public by Data Subject, Medical, Diagnostic, or Treatement, Not for Profit Org. Public Interest, Purpose of New Processing, Vital Interest
Rigo: (response to Eva) They mean the person who is responsible
Eva: It can be different based on organisation
Rigo: A Data Controller is a natural/legal person
+q
Axel: We should try to do this in a sparse manner. Niklas' article to analyse terms and conditions shows that they are not understandable. Not sure whether we need to cover those.
Rigo: Don't do this. They are hard.
Axel: They have very complicated, nested expressions ranging from very broad to very specific. Not sure whether we want to cover such T&C.
Rigo: It is very very difficult
to design a tree from the branches. It's much easier to design
from the roots. (Axel agrees)
... Imagine this like a mindmap, where the relation is clear to
a human but not to a machine. The challenge to technicians is
to know what are the things that trigger whether a processing
is permitted. This is a modelling challenge
<AxelPollleres> "rigo: where can we use conditions, where permissions, where obligations?" sounds to me like mapping to ODRL
Rigo: What are the points that combined define consent as a legal basis? What do we have as permissions / logic operators ?
Eva: Ideas about labelling things beyond permissions
<Javier> "The challenge to technicians is to know what are the things that trigger whether a processing is permitted" ... reminds me of Business process modelling
Rigo: We can label it as ODRL, as in GDPR we have the paradigm where everything is prohibited until we have a permission
Axel: Due to time, postpone the discussion to mailing list / next meeting
<AxelPollleres> continue Definitions discusion on the mailinglist.
<rigo> then everything turns into a permission, which may be difficult for the machines
Axel: F2F in Vienna. Option 1: Meet around or during EDF (European Data Value Forum) in November or ICT in December.
<AxelPollleres> eva: will be at both
Eva: I will be at both
<stefano> I will not very likely
Axel: Let us have a Vote.
<AxelPollleres> Option A: 12-14 Nov
<stefano> Where is ICT 2018?
<AxelPollleres> Option B: 15 November
<rigo> Vienna
<AxelPollleres> Option C: 5 December
<Sabrina> 15 Nov does not suit due to lectures
<AxelPollleres> Option D: 3 December
<Sabrina> Axel is lecturing also
+1 Option C & Option D
<AxelPollleres> D,C
<Eva__ULD_> I favor options A, C or D
We should also formally ask for preferences over the mailing list
<AxelPollleres> Niklas: A,B,C,D
<Sabrina> +1 Option C
<stefano> I cannot make it
<Javier> B, C, D
Option C and Option D has most votes (6 votes)
<Sabrina> We aready have an agenda
<Sabrina> it depends on that
Next call on 6th November in Three weeks
<AxelPollleres> ACTION: Axel to send a doodle poll over the list for F2F
<trackbot> Created ACTION-30 - Send a doodle poll over the list for f2f [on Axel Polleres - due 2018-10-23].
(query by Axel)
<Eva__ULD_> no objections
Axel: Proposal - slot in SPECIAL meeting for update to the group, otherwise the regular call will be on 6th November.
( end of meeting )
<AxelPollleres> next regular DPVCG call 6 Nov, maybe an extra short call on 30October, but not yet confirmed.
This is scribe.perl Revision: 1.154 of Date: 2018/09/25 16:35:56 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: Irssi_ISO8601_Log_Text_Format (score 1.00) Succeeded: s/structure/subject/ Present: Rigo sabrina WARNING: Fewer than 3 people found for Present list! Found Scribe: rigo Found Scribe: harsh Inferring ScribeNick: harsh Scribes: rigo, harsh Agenda: https://lists.w3.org/Archives/Public/public-dpvcg/2018Oct/0015.html Found Date: 16 Oct 2018 People with action items: axel eva harsh WARNING: Input appears to use implicit continuation lines. You may need the "-implicitContinuations" option. WARNING: IRC log location not specified! (You can ignore this warning if you do not want the generated minutes to contain a link to the original IRC log.)[End of scribe.perl diagnostic output]