W3C

- DRAFT -

DPVCCG F2F Meeting Vienna

04 Dec 2018

Attendees

Present
Simon Steyskal, Axel Polleres, Eva Schlehahn, Rigo Wenning, Bud Bruegger, Harshvardhan Pandit, Niklas Kirchner, Fajar Ekaputra, Javier Fernandez, Amr Azzam, Dave Lewis
Regrets
Bert Bos
Chair
Axel Polleres
Scribe
Javier Fernandez, Harshvardhan Pandit, Rigo Wenning


Axel: Summary of yesterday - we talked a lot about personal data and purposes, and collected/assigned some actions.

<Axel> Axel summarises the work from yesterday, mainly data and purposes

Fajar: created a table-based layout for purposes for action at https://www.w3.org/community/dpvcg/wiki/Purposes_for_handling_Personal_Data

<Axel> Harsh: What is top-level? A class without a parent?

<Axel> Fajar: In principle that's it, but we have to see case by case

<Axel> Axel: what is usage?

<Axel> Fajar: If it is used in a use case

<Axel> Axel: It could be good to have one example of each

<AxelPolleres> each purpose should have at least one example use case (from the existing ones or otherwise describe one possible scenario, ideally based on a real service)

<scribe> scribe: Javier

Axel: next point would be kinds of processing, if we follow the agenda

Harsh: We could start with means of legitimation for personal data processing

<rigo> simonstey: webexroom is open: https://mit.webex.com/meet/rigo

Means of legitimation for personal data processing

<harsh> mail by Eva on legal basis https://lists.w3.org/Archives/Public/public-dpvcg/2018Nov/0030.html

<harsh> another https://lists.w3.org/Archives/Public/public-dpvcg/2018Nov/0020.html

<AxelPolleres> eva: presenting her diagram from https://lists.w3.org/Archives/Public/public-dpvcg/2018Nov/0030.html

Eva: First step is to check if personal data is involved

otherwise, GDPR is not applicable (end of workflow)

else, maybe it is not sure if personal data is involved... In such a case, the GDPR is not applicable in the presented cases (see picture)

Axel: what about national police laws?

Rigo: national parliament has to make a law according to the guidelines.. national laws apply

<AxelPolleres> Police and Justice also provide access rights to data subjects, but these are regulated in the implementation of Directive 2016/680 and in national laws

Eva: if no exemption applies, then GDPR applies and there is a need to determine legal ground

If special categories apply (e.g. sensitive data according to Art.9) then one has to take special considerations

scribe: With no special category, then the default legal ground applies (consent art 6. par 1(a)... etc.)
... Task carried out in public interest (but no police), e.g. registration of a car

Axel: Is this collection or also processing, or sharing?

rigo: It is all, collection, processing and sharing

<harsh> Axel: is there an example of a processing/purpose in public interest that is not based on legal grounds?

<harsh> Eva: We have an example in the TR use-case regarding money laundering.

<harsh> Eva: Anti-money laundering rules require background checks, but they only give legal grounds to the financial institutions and not the affiliated parties.

TR is not under this legal ground

scribe: need to be fixed

Rigo: TR is a full encompassing data collector from multiple sources. They can check the anti-money laundry and they provide the result to the bank. And the laws encourage to do so, because they can do these checks, they are capable of it. It is a part of the system, but it is not covered by these legal grounds

<harsh> Eva: The current money laundering rules/law are not compatible with the fundamental GDPR rights, and could be struck down by the EU courts

Eva: Processing is everything from the first collection of data, and you have to determine the legitimate interest for each category the company has

Rigo: Even processing not listed there... is covered

Eva: Back to the figure... legitimate interest is a rather open concept

Rigo: It is open on purpose, e.g to cover targeted advertisement
... It can also apply to a third party, applies to everything
... It takes the approach of: everything is prohibited except these cases... and the exceptions are described openly to cover all "tricky" cases

<AxelPolleres> eva: legitimate interest is 3 steps: 1. is it legitimate interest of the data controller (e.g. business), 2. are there interests of data subjects that could be contrary, 3. is the contrary interest of a greater weight than the company one. —> need to be documented.

Rigo: In any case, the subject can fire a "Do not Track" token, and in this case instead of legitimate interest one should check Art 21, p.5 -- at any moment the user can oppose

<AxelPolleres> eva: for example, extensive profiling is not allowed

Rigo: The regulation is clear that they don't like profiles not under the control of the data subject
... see Cambridge Analytica case

Eva: data protection law as such protects society

Dave: autonomy is interesting, because they have to weigh that concept with e.g. targeted advertisement

Rigo: There is a study saying that targeted advertisement can result in 4% more sales, at the cost of 500% price increase

Eva: Back to the figure, last point is freedom of expression (e.g. journalism)

<AxelPolleres> Rigo: taking pictures in public is partially exempt in Germany by freedom of “arts” law… explaining...

Rigo: Remember the 3 issues: linking policies to instance data, making policy statements, and having personal data attributes sorted out such that they are part of the linking
... anything that does not fit in the picture is not legal

<AxelPolleres> Requirement… we need to flag personal data as “sensetitiveArticle”

Eva: Back to picture, if the category of the data is special (e.g. sensitive), then there are different legal grounds (e.g. legitimate interest is not applicable there)

<simonstey> http://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm

Eva: The full list of these special legal grounds needs to be collected

<AxelPolleres> eva: Legal grounds … under article 9 are a list on their own, but overlaps

<AxelPolleres> … e.g. article 6 also allows implicit consent, article 9 only explicit consent

if you have an article 9 consent, anything else works too

<AxelPolleres> rigo: article 9 legal grounds are stronger than article 6 grounds

Fajar: So it's the same as saying article 9 has higher conditions

<simonstey> https://easygdpr.eu/gdpr-article/6/ vs https://easygdpr.eu/gdpr-article/9/

Axel: Some time ago we had what the features of consent could be. Can we expand this to all types?

Rigo and Eva: yes

Axel: The company has to specify based on which they operate (don't need to categorize), just the buckets

Harsh: The idea is to have the top level, and just go into the details if needed

Axel: I think for the processing we have to do the same

Rigo: In the purpose, the important is why?

Axel: The idea is: I used this data based on this legal ground for this purpose and processed it like that

Rigo: if you write a policy, you give the category of the collected data, and the category of the purpose. In a special context, you do have the instance data (semantic data lake) and you can point to it directly

Axel: But we need the legal background, this part is missing

eva: Yes, we need to consider it

legal ground is the union of the boxes in Eva's picture, and when you define the policy you have to define your legal ground, and this would allow inference...

what are the elements of consent and which can be specified in a machine readable way

<simonstey> https://www.w3.org/TR/odrl-vocab/#term-consentingParty

scribe: some cases are open for interpretation, but some not

<simonstey> https://www.w3.org/TR/odrl-vocab/#term-obtainConsent

Rigo: We need to have buckets/boxes to help people defining the policies

Eva: smart move is to try to place yourself in one of the boxes

Fajar: I think SPECIAL has the way to specify the consent, but there is not legal ground represented, right?

Rigo: There could be another box of the MCM

Eva: we are not dealing with legal ground in our SPECIAL use cases

Axel: which components would have the leg. interest?

Rigo: I see a bucket list, that can be expanded

Harsh: But Axel mentions the justification of why you fit into a specific bucket

Fajar: Is L.I a purpose?

<simonstey> https://easygdpr.eu/gdpr-recital/recital-47/ clarifies on the weighing of interests to determine if consent is required

Rigo: no no, it is not, it's the legal ground of your purpose

Bud: I was also fighting with terms and went through the GDPR definitions, doing NLP of the terms
... some apply to processing, I tried to collect and categorize
... I came out that the purpose is a primary thing, the first thing, and from then you structure the rest
... Maybe there is an overlap, but I would put first the purpose and hanging from there the data that you need, etc.

<AxelPolleres> Bud: purpose should always be the first thing… because data used, processing and legal ground will need to be justified by the purpose

coffee break

<AxelPolleres> axel: we should distinguish between processing that generates personal data and processing that does not generate personal data (e.g. aggregation/anonymisation)

<AxelPolleres> Simonstey: does right of erasure also affect the aggregated data, i.e. can I insist on erasing my data from the aggregation?

<AxelPolleres> rigo: that would probably make our statistic system collapse.

<AxelPolleres> Axel: same applies for the right to rectification, I’d say, no?

scribe: If the purpose is to aggregate data, then we can assume there is no personal data

<AxelPolleres> Eva: this is currently being discussed on the level of DPAs

Rigo: We need an aggregation justification, modelling wise

Axel: If you collect data for a later aggregation... you have to ask for permission, right?

Rigo: In case of heatmaps, e.g. GDPR is not applicable

Axel: is anonymization a process?

Rigo: Yes, on the fly, only retaining the personal data... is this personal data? No, you don't have a right, GDPR does not apply
... you can only avoid if you don't give the data first
... if you aggregate data on the fly, without storing then it is not personal data

<AxelPolleres> Rigo: processing personal data on-the-fly without retaining it, i.e. with arriving in non-personal, anonymized/aggregated data is ok.

Axel: but it is impossible to process without storing somehow...

Rigo: yes, it is ephemeral

<AxelPolleres> Axel: conclusion: let’s just distinguish between processing that retains/generates personal data (e.g. enrichment/classification/generating personalised recommendations) and processing that doesn’t (e.g. aggregation/anonymisation)

processing

Bud presents the summary figure of his study

scribe: but more details will be provided during a telco

<AxelPolleres> ACTION: Bud to prepare a presentation for next DPVCG telco next week.

<trackbot> Error finding 'Bud'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.

scribe: next week

<AxelPolleres> ACTION: Axel to prepare an agenda for next week.

<trackbot> Created ACTION-45 - Prepare an agenda for next week. [on Axel Polleres - due 2018-12-11].

<AxelPolleres> ACTION: Rigo to post-process minutes of f2f and check whether all actions have been recorded

<trackbot> Created ACTION-46 - Post-process minutesof f2f and check wherther all actions have been recorded [on Rigo Wenning - due 2018-12-11].

<AxelPolleres> ACTION: Bud to prepare a presentation for “elements of processing” next DPVCG telco next week.

<trackbot> Error finding 'Bud'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.

<rigo> ACTION: Axel to invite, set Agenda for a DPVCG teleconference on 11 December

<trackbot> Created ACTION-47 - Invite, set agenda for a dpvcg teleconference on 11 december [on Axel Polleres - due 2018-12-11].

Harsh: We haven't talked of controllers, subjects... and storage and security

categories of data controllers, recipients, etc.

Piero: P3P has legal entity, kind of vcard data...

<AxelPolleres> Rigo: we can use vcard to describe entities.

<AxelPolleres> Axel: but I mean categories of data controllers… do we need them?

Fajar: It could be nice to have a top level category

<AxelPolleres> … e.g. NGOs, NPOs, private, public, etc.

<AxelPolleres> ACTION: Harsh to look into classifications of organisations that could serve as a basis for classifying data controllers

<trackbot> Created ACTION-48 - Look into classifications of organisations that could serve as a basis for clsssifying data controllers [on Harshvardhan Pandit - due 2018-12-11].

Eva: In the agenda there are data subjects... do you mean different categories of data subjects?

Axel: Only a list of stakeholders involved

Eva: I tried to list the rights of the data subjects

Harsh: As a taxonomy, it could have a value

<AxelPolleres> Eva: in the context of talking about data subjects, we should talk about data subject rights.

<AxelPolleres> … eva showing an image (can someone add the link please?)

Eva: some of the rights can be specified automatically
... e.g. notification in case of data breach

Fajar: Is it like the addition of the leg. interest in MCM?

Eva: is complementary

<harsh> Fajar: Are rights the counterpart of legal interest as in the MCM?

<simonstey> https://www.mhc.ie/uploads/Data_Protection_Update_-_New_Registartion_Requirements_by_Robert_McDonagh_07.pdf lists some example categories of data controllers

<harsh> harsh: thanks simon

Rigo: you need to consider first the rights of the controller, otherwise maybe the process does not start

<harsh> rigo: Rights give a power balance for data subjects and controllers

<harsh> Fajar: this allows the data subject to exercise their right and the controller to justify their processing using legal basis and then it can be inferred which is more applicable or comparable

Fajar: it could be nice to have a vocabulary to express request/reject according to rights
... Interesting for Expedite

Axel: It is interesting but it extends the scope of the group

Rigo: It would be treated somehow in SPECIAL for our dashboard

<AxelPolleres> ISSUE: Shall we extend the scope of the group to machine-readable requests to execute rights according to Eva’s classification of rights

<trackbot> Created ISSUE-5 - Shall we extend the scope of the group to machinge-readable requests to execute rights accroding to eva’s classification of rights. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/5/edit>.

<simonstey> https://easygdpr.eu/gdpr-article/40/ -> "Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:"

Axel: But we won't have a vocabulary for this

<AxelPolleres> https://lists.w3.org/Archives/Public/public-dpvcg/2018Nov/att-0030/Data_subjects_rights_V1.png

<AxelPolleres> Bud: thoughts about a taxonomy of data subjects

Bud: Adults/Children
... maybe other people who need protection

<AxelPolleres> … we should think about children, protection-worthy people, dependents

Bud: also I provide the data personally / or collected without my knowledge

<AxelPolleres> … collection directly, or collection through another data subject

Eva: personal data is always a natural person.... not always the case e.g. companies can refer to privacy laws

Rigo: In Italy, companies were covered by data protection laws
... GDPR always applies to citizens in EU soil
... and also EU citizens outside of Europe

Dave: so maybe having a category of people who don't apply to

<simonstey> "The Italian DPA, referring to the relevant WP29 guidelines, has provided some guidance on the categories of data controllers that more likely fall under the obligation to appoint a DPO (e.g. financial institutions, insurance companies, financial information systems, credit collection companies, surveillance companies, etc)."

<simonstey> https://www.twobirds.com/en/in-focus/general-data-protection-regulation/gdpr-tracker/italy

<AxelPolleres> i.e., shall we define data subjects that GDPR does and doesn’t apply to?

<simonstey> https://www.hipaajournal.com/gdpr-exemptions-who-is-exempt-from-gdpr/

Harsh: Should we include this distinction of location in the model?

Rigo: We have it in any case, but it is low priority now

<simonstey> https://www.gdpr.associates/gdpr-exemptions/

Eva: We have the storage and location.... and we can just use country codes

<rigo> eva suggests using country codes

<simonstey> https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

<rigo> in this case the decision of equivalence is avoided in the taxonomy

Eva: and the coverage of EU can change in time, but if you use country codes then you can always have external info to check the EU boundaries at any point

<AxelPolleres> ISSUE: should our taxonomy include a distinction/modeling of data subjects to whom GDPR applies (EU citizens and/or locatedIn EU)

<trackbot> Created ISSUE-6 - Should our taxonomy include a distinction/modeling of data subjects to whom gdpr applies (eu citizens and/or locatedin eu). Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/6/edit>.

<AxelPolleres> Axel: in the context of ISSUE-6 is “non-applicable citizens only” a “legal ground”?

Eva: being “non-applicable citizens only” non-european citizens outside of EU

<simonstey> http://dbpedia.org/ontology/iso31661Code

<rigo> ACTION: Eva to put MS Visio picture of usage policy on the wiki

<trackbot> Created ACTION-49 - Put ms visio picture of usage policy on the wiki [on Eva Schlehahn - due 2018-12-11].

<rigo> ACTION: Bud to suggest a new hierarchy of the usage policy diagram and integrate into the presentation of Tuesday 11

<trackbot> Error finding 'Bud'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.

<AxelPolleres> Axel: Do we need in our vocabulary to discuss/model e.g. which Purpose REQUIRES which Data ?

<AxelPolleres> i.e. inter-component relationships within the conceptual model of a policy

<rigo> ACTION: Bud to suggest a new hierarchy of the usage policy diagram and integrate into the presentation of Tuesday 11

<trackbot> Created ACTION-50 - Suggest a new hierarchy of the usage policy diagram and integrate into the presentation of tuesday 11 [on Bud P. Bruegger - due 2018-12-11].

<rigo> ACTION: Bud to prepare a presentation for next DPVCG telco on 11 December

<trackbot> Created ACTION-51 - Prepare a presentation for next dpvcg telco on 11 december [on Bud P. Bruegger - due 2018-12-11].

Axel: could we define the purpose and for it which data we need for this purpose?

Eva: on the one hand it could be very useful and easy to use... but controllers would hate it, as they want as much data as possible

<AxelPolleres> Eva: DPA would appreciate the definition of which data is required for each purpose, but for the data controllers this would not be difficult.

<AxelPolleres> David: it’s a matter of whether we define conformance criteria

Bud: The tool cannot decide if the data is not needed for a purpose

Eva: let's look at our use case, and see if we can find data categories for each purpose such that it is reusable
... purpose-data relations to be reusable and general enough
... not sure if this is possible

<AxelPolleres> Axel: we could model, e.g. in OWL, that all data required is from certain categories.

<AxelPolleres> … as optional axioms

<rigo> harsh: create informational document, and create the OWL as one way to do it

<simonstey> action-3

<trackbot> action-3 -- Bert Bos to Clarify which github space we can use W3C's github space or if we need something else -- due 2018-08-13 -- CLOSED

<trackbot> https://www.w3.org/community/dpvcg/track/actions/3

<simonstey> +q

<rigo> ACTION: rigo to ask Bert about w3c github repository action from August and create a github under W3C for dpvcg

<trackbot> Created ACTION-52 - Ask bert about w3c github repository action from august and create a github under w3c for dpvcg [on Rigo Wenning - due 2018-12-11].

Bud: Should Article 10 be included in Eva's figure?

Eva: not sure, Article 10 mentions data (e.g. criminal) but refers to Art. 9

plan ahead

<AxelPolleres> next Telco 11.12. 16:00 CET

<AxelPolleres> report about the ACTIONS agreed in the meeting.

<AxelPolleres> ACTION: HArsh, Axel, Fajar, Javier start on a base ontology, suggest a namespace, etc. and start populate the sub-taxonomies, agree on language to model it.

<trackbot> Error finding 'HArsh,'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.

<Eva> Eva: Art. 10 is not a legal ground on its own but rather specifies clarification and conditions on the processing operation

<AxelPolleres> ACTION: Axel to together with Harsh, Fajar, Javier start on a base ontology, suggest a namespace, etc. and start populate the sub-taxonomies, agree on language to model it.

<trackbot> Created ACTION-53 - Together with harsh, fajar, javier start on a base ontology, suggest a namespace, etc. and start populate the sub-taxonomies, agree on language to model it. [on Axel Polleres - due 2018-12-11].

storage details, location duration

<AxelPolleres> rigo: that’s just a detail.

<AxelPolleres> eva: suggested to use country codes (Axel: or continent identifiers?) for modeling storage location

<AxelPolleres> axel: we need a way how to model storage duration, either as a fixed datetimestamp or as a relative duration (e.g. “for two weeks”)

<AxelPolleres> eva: on location, we need also conditions, e.g. “not COUNTRY-XYZ”, “outside-of-Europe”, “not outside-of-Europe” etc.

<AxelPolleres> ACTION: Javier to look into how to align SPECIAL duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary

<trackbot> Error finding 'Javier'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.

<scribe> ACTION: Eva to send a compiled version of the slides shown (as for storage)

<trackbot> Created ACTION-54 - Send a compiled version of the slides shown (as for storage) [on Eva Schlehahn - due 2018-12-11].

<AxelPolleres> ACTION: Javier to look into how to align SPECIAL duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary

<trackbot> Created ACTION-55 - Look into how to align special duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary [on Javier D. Fernández - due 2018-12-11].

Axel: I would like to have a first version of the vocabularies by january
... We need to think how to get more use cases

Rigo: once we have the first taxonomy, we can have interested companies

Axel: what is the overlap with the work of Consent Receipt?

https://kantarainitiative.org/confluence/display/infosharing/Home

Rigo: They are looking into our taxonomy to use it in Kantara
... we should look into it

<harsh> https://developers.digi.me/consent-access consent receipt implementation

<AxelPolleres> https://kantarainitiative.org/confluence/display/infosharing/Home

<AxelPolleres> https://kantarainitiative.org/file-downloads/consent-receipt-specification-v1-1-0/

Rigo: it seems that they use arbitrary strings for purposes

Axel: we should look more into it and think how we can align with it

<harsh> purpose categories: https://kantarainitiative.org/confluence/display/infosharing/Appendix+CR+-+V.9.3+-+Example+Purpose+Categories

Axel: e.g. 12 - Legally Required Data Retention mixes purposes and legal ground

<rigo> trackbot, end meeting

end of meeting

Summary of Action Items

[NEW] ACTION: Axel to invite, set Agenda for a DPVCG teleconference on 11 December
[NEW] ACTION: Axel to prepare an agenda for next week.
[NEW] ACTION: Axel to together with Harsh, Fajar, Javier start on a base ontology, suggest a namespace, etc. and start populate the sub-taxonomies, agree on language to model it.
[NEW] ACTION: Bud to prepare a presentation for next DPVCG telco next week.
[NEW] ACTION: Bud to prepare a presentation for next DPVCG telco on 11 December
[NEW] ACTION: Bud to prepare a presentation for “elements of processing” next DPVCG telco next week.
[NEW] ACTION: Bud to suggest a new hierarchy of the usage policy diagram and integrate into the presentation of Tuesday 11
[NEW] ACTION: Eva to put MS Visio picture of usage policy on the wiki
[NEW] ACTION: Eva to send a compiled version of the slides shown (as for storage)
[NEW] ACTION: Harsh to look into classifications of organisations that could serve as a basis for classifying data controllers
[NEW] ACTION: HArsh, Axel, Fajar, Javier start on a base ontology, suggest a namespace, etc. and start populate the sub-taxonomies, agree on language to model it.
[NEW] ACTION: Javier to look into how to align SPECIAL duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary
[NEW] ACTION: rigo to ask Bert about w3c github repository action from August and create a github under W3C for dpvcg
[NEW] ACTION: Rigo to post-process minutes of f2f and check whether all actions have been recorded
 

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript) $Id: 04-dpvcg-minutes.html,v 1.5 2018/12/10 15:47:28 rigo Exp $
