Axel: Summary of yesterday - we talked a lot about personal data and purposes, and collected/assigned some actions.
<Axel> Axel summarises the work from yesterday, mainly data and purposes
Fajar: created a table-based layout for purposes for action at https://www.w3.org/community/dpvcg/wiki/Purposes_for_handling_Personal_Data
<Axel> Harsh: What is top-level? A class without a parent?
<Axel> Fajar: In principle that's it, but we have to see case by case
<Axel> Axel: what is usage?
<Axel> Fajar: If it is used in a use case
<Axel> Axel: It could be good to have one example of each
<AxelPolleres> each purpose should have at least one example use case (from the existing ones or otherwise describe one possible scenario, ideally based on a real service)
<scribe> scribe: Javier
Axel: next point would be kinds of processing, if we follow the agenda
Harsh: We could start with means of legitimation for personal data processing
<rigo> simonstey: webexroom is open: https://mit.webex.com/meet/rigo
<harsh> mail by Eva on legal basis https://lists.w3.org/Archives/Public/public-dpvcg/2018Nov/0030.html
<harsh> another https://lists.w3.org/Archives/Public/public-dpvcg/2018Nov/0020.html
<AxelPolleres> eva: presenting her diagram from https://lists.w3.org/Archives/Public/public-dpvcg/2018Nov/0030.html
Eva: First step is to check if personal data is involved
otherwise, GDPR is not applicable (end of workflow)
else, maybe it is not sure if personal data is involved... In such a case, the GDPR is not applicable in the presented cases (see picture)
Axel: what about national police laws?
Rigo: national parliament has to make a law according to the guidelines.. national laws apply
<AxelPolleres> Police and Justice also provide access rights to data subjects, but these are regulated in the implementation of Directive 2016/680 and in national laws
Eva: if no exemption apply, then GDPR applies and there is a need to determine legal ground
If special categories apply (e.g. sensitive data according to Art.9) then one has to take special considerations
scribe: With no special category, then the default legal ground applies (consent art 6. par 1(a)... etc.)
... Task carried out in public interest (but no police), e.g. registration of a car
Axel: Is this collection or also processing, or sharing?
rigo: It is all, collection, processing and sharing
<harsh> Axel: is there an example of a processing/purpose in public interest that is not based on legal grounds?
<harsh> Eva: We have an example in the TR use-case regarding money laundering.
<harsh> Eva: Anti-money laundering rules require background checks, but they only give legal grounds to the financial institutions and not the affiliated parties.
TR is not under this legal ground
scribe: need to be fixed
Rigo: TR is a full encompassing data collector from multiple sources. They can check the anti-money laundry and they provide the result to the bank. And the laws encourage to do so, because they can do these checks, they are capable of it. It is a part of the system, but it is not covered by these legal grounds
<harsh> Eva: The current money laundering rules/law are not compatible with the fundamental GDPR rights, and could be struck down by the EU courts
Eva: Processing is everything from the first collection of data, and you have to determine the legitimate interest for each category the company has
Rigo: Even processing not listed there... is covered
Eva: Back to the figure... legitimate interest is a rather open concept
Rigo: It is open on purpose, e.g. to cover targeted advertisement
... It can also apply to a third party, applies to everything
... It takes the approach of: everything is prohibited except these cases... and the exceptions are described openly to cover all "tricky" cases
<AxelPolleres> eva: legitimate interest is 3 steps: 1. is it legitimate interest of the data controller (e.g. business), 2. are there interests of data subjects that could be contrary, 3. is the contrary interest of a greater weight than the company one. —> need to be documented.
Rigo: In any case, the subject can fire a "Do not Track" token, and in this case instead of legitimate interest one should check Art 21, p.5 -- at any moment the user can oppose
<AxelPolleres> eva: for example, extensive profiling is not allowed
Rigo: The regulation is clear that they don't like profiles not under the control of the data subject
... see Cambridge Analytica case
Eva: data protection law as such protects society
Dave: autonomy is interesting, because they have to weigh that concept with e.g. targeted advertisement
Rigo: There is a study saying that targeted advertisement can result in 4% more sales, at the cost of 500% price increase
Eva: Back to the figure, last point is freedom of expression (e.g. journalism)
<AxelPolleres> Rigo: taking pictures in public is partially exempt in Germany by freedom of “arts” law… explaining...
Rigo: Remember the 3 issues: linking policies to instance data, making policy statements, and having personal data attributes sorted out such that they are part of the linking
... anything that does not fit in the picture is not legal
<AxelPolleres> Requirement… we need to flag personal data as “sensetitiveArticle”
Eva: Back to picture, if the category of the data is special (e.g. sensitive), then there are different legal grounds (e.g. legitimate interest is not applicable there)
<simonstey> http://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm
Eva: The full list of these special legal grounds needs to be collected
<AxelPolleres> eva: Legal grounds … under article 9 are a list on their own, but overlaps
<AxelPolleres> … e.g. article 6 also allows implicit consent, article 9 only explicit consent
if you have an article 9 consent, anything else works too
<AxelPolleres> rigo: article 9 legal grounds are stronger than article 6 grounds
Fajar: So it's the same as saying article 9 has higher conditions
<simonstey> https://easygdpr.eu/gdpr-article/6/ vs https://easygdpr.eu/gdpr-article/9/
Axel: Some time ago we had what the features of consent could be. Can we expand this to all types?
Rigo and Eva: yes
Axel: The company has to specify based on which they operate (don't need to categorize), just the buckets
Harsh: The idea is to have the top level, and just go into the details if needed
Axel: I think for the processing we have to do the same
Rigo: In the purpose, the important is why?
Axel: The idea is: I used this data based on this legal ground for this purpose and processed it like that
Rigo: if you write a policy, you give the category of the collected data, and the category of the purpose. In a special context, you do have the instance data (semantic data lake) and you can point to it directly
Axel: But we need the legal background, this part is missing
eva: Yes, we need to consider it
legal ground is the union of the boxes in Eva's picture, and when you define the policy you have to define your legal ground, and this would allow inference...
what are the elements of consent and which can be specified in a machine readable way
<simonstey> https://www.w3.org/TR/odrl-vocab/#term-consentingParty
scribe: some cases are open for interpretation, but some not
<simonstey> https://www.w3.org/TR/odrl-vocab/#term-obtainConsent
Rigo: We need to have buckets/boxes to help people defining the policies
Eva: smart move is to try to place yourself in one of the boxes
Fajar: I think SPECIAL has the way to specify the consent, but there is not legal ground represented, right?
Rigo: There could be another box of the MCM
Eva: we are not dealing with legal ground in our SPECIAL use cases
Axel: which components would have the leg. interest?
Rigo: I see a bucket list, that can be expanded
Harsh: But Axel mentions the justification of why you fit into a specific bucket
Fajar: Is L.I a purpose?
<simonstey> https://easygdpr.eu/gdpr-recital/recital-47/ clarifies on the weighing of interests to determine if consent is required
Rigo: no no, it is not, it's the legal ground of your purpose
Bud: I was also fighting with terms and went through the GDPR definitions, doing NLP of the terms
... some apply to processing, I tried to collect and categorize
... I came out that the purpose is a primary thing, the first thing, and from then you structure the rest
... Maybe there is an overlap, but I would put first the purpose and hanging from there the data that you need, etc.
<AxelPolleres> Bud: purpose should always be the first thing… because data used, processing and legal ground will need to be justified by the purpose
coffee break
<AxelPolleres> axel: we should distinguish between processing that generates personal data and processing that does not generate personal data (e.g. aggregation/anonymisation)
<AxelPolleres> Simonstey: does right of erasure also affect the aggregated data, i.e. can I insist on erasing my data from the aggregation.
<AxelPolleres> rigo: that would probably make our statistic system collapse.
<AxelPolleres> Axel: same applies for the right to rectification, I’d say, no?
scribe: If the purpose is to aggregate data, then we can assume there is no personal data
<AxelPolleres> Eva: this is currently being discussed on the level of DPAs
Rigo: We need an aggregation justification, modelling wise
Axel: If you collect data for a later aggregation... you have to ask for permission, right?
Rigo: In case of heatmaps, e.g. GDPR is not applicable
Axel: is anonymization a process?
Rigo: Yes, on the fly, only retaining the personal data... is this personal data? No, you don't have a right, GDPR does not apply
... you can only avoid if you don't give the data first
... if you aggregate data on the fly, without storing then it is not personal data
<AxelPolleres> Rigo: processing personal data on-the-fly without retaining it, i.e. with arriving in non-personal, anonymized/aggregated data is ok.
Axel: but it is impossible to process without storing somehow...
Rigo: yes, it is ephemeral
<AxelPolleres> Axel: conclusion: let’s just distinguish between processing that retains/generates personal data (e.g. enrichment/classification/generating personalised recommendations) and processing that doesn’t (e.g. aggregation/anonymisation)
Bud presents the summary figure of his study
scribe: but more details will be provided during a telco
<AxelPolleres> ACTION: Bud to prepare a presentation for next DPVCG telco next week.
<trackbot> Error finding 'Bud'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.
scribe: next week
<AxelPolleres> ACTION: Axel to prepare an agenda for next week.
<trackbot> Created ACTION-45 - Prepare an agenda for next week. [on Axel Polleres - due 2018-12-11].
<AxelPolleres> ACTION: Rigo to post-process minutes of f2f and check whether all actions have been recorded
<trackbot> Created ACTION-46 - Post-process minutesof f2f and check wherther all actions have been recorded [on Rigo Wenning - due 2018-12-11].
<AxelPolleres> ACTION: Bud to prepare a presentation for “elements of processing” next DPVCG telco next week.
<trackbot> Error finding 'Bud'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.
<rigo> ACTION: Axel to invite, set Agenda for a DPVCG teleconference on 11 December
<trackbot> Created ACTION-47 - Invite, set agenda for a dpvcg teleconference on 11 december [on Axel Polleres - due 2018-12-11].
Harsh: We haven't talked of controllers, subjects... and storage and security
Piero: P3P has legal entity, kind of vcard data...
<AxelPolleres> Rigo: we can use vcard to describe entities.
<AxelPolleres> Axel: but I mean categories of data controllers… do we need them?
Fajar: It could be nice to have a top level category
<AxelPolleres> … e.g. NGOs, NPOs, private, public, etc.
<AxelPolleres> ACTION: Harsh to look into classifications of organisations that could serve as a basis for classifying data controllers
<trackbot> Created ACTION-48 - Look into classifications of organisations that could serve as a basis for clsssifying data controllers [on Harshvardhan Pandit - due 2018-12-11].
Eva: In the agenda there are data subjects... do you mean different categories of data subjects?
Axel: Only a list of stakeholders involved
Eva: I tried to list the rights of the data subjects
Harsh: As a taxonomy, it could have a value
<AxelPolleres> Eva: in the context of talking about data subjects, we should talk about data subject rights.
<AxelPolleres> … eva showing an image (can someone add the link please?)
Eva: some of the rights can be specified automatically
... e.g. notification in case of data breach
Fajar: Is it like the addition of the leg. interest in MCM?
Eva: is complementary
<harsh> Fajar: Are rights the counterpart of legal interest as in the MCM?
<simonstey> https://www.mhc.ie/uploads/Data_Protection_Update_-_New_Registartion_Requirements_by_Robert_McDonagh_07.pdf lists some example categories of data controllers
<harsh> harsh: thanks simon
Rigo: you need to consider first the rights of the controller, otherwise maybe the process does not start
<harsh> rigo: Rights give a power balance for data subjects and controllers
<harsh> Fajar: this allows the data subject to exercise their right and the controller to justify their processing using legal basis and then it can be inferred which is more applicable or comparable
Fajar: it could be nice to have a vocabulary to express request/reject according to rights
... Interesting for Expedite
Axel: It is interesting but it extends the scope of the group
Rigo: It would be treated somehow in SPECIAL for our dashboard
<AxelPolleres> ISSUE: Shall we extend the scope of the group to machine-readable requests to execute rights according to Eva’s classification of rights
<trackbot> Created ISSUE-5 - Shall we extend the scope of the group to machinge-readable requests to execute rights accroding to eva’s classification of rights. Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/5/edit>.
<simonstey> https://easygdpr.eu/gdpr-article/40/ -> "Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:"
Axel: But we won't have a vocabulary for this
<AxelPolleres> https://lists.w3.org/Archives/Public/public-dpvcg/2018Nov/att-0030/Data_subjects_rights_V1.png
<AxelPolleres> Bud: thoughts about a taxonomy of data subjects
Bud: Adults/Children
... maybe other people who need protection
<AxelPolleres> … we should think about children, protection-worthy people, dependents
Bud: also I provide the data personally / or collected without my knowledge
<AxelPolleres> … collection directly, or collection through another data subject
Eva: personal data is always a natural person.... not always the case e.g. companies can refer to privacy laws
Rigo: In Italy, companies were covered by data protection laws
... GDPR always applies to citizens in EU soil
... and also EU citizens outside of Europe
Dave: so maybe having a category of people who don't apply to
<simonstey> "The Italian DPA, referring to the relevant WP29 guidelines, has provided some guidance on the categories of data controllers that more likely fall under the obligation to appoint a DPO (e.g. financial institutions, insurance companies, financial information systems, credit collection companies, surveillance companies, etc)."
<simonstey> https://www.twobirds.com/en/in-focus/general-data-protection-regulation/gdpr-tracker/italy
<AxelPolleres> i.e., shall we define data subjects that GDPR does and doesn’t apply to?
<simonstey> https://www.hipaajournal.com/gdpr-exemptions-who-is-exempt-from-gdpr/
Harsh: Should we include this distinction of location in the model?
Rigo: We have it in any case, but it is low priority now
<simonstey> https://www.gdpr.associates/gdpr-exemptions/
Eva: We have the storage and location.... and we can just use country codes
<rigo> eva suggests using country codes
<simonstey> https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
<rigo> in this case the decision of equivalence is avoided in the taxonomy
Eva: and the coverage of EU can change in time, but if you use country codes then you can always have external info to check the EU boundaries at any point
<AxelPolleres> ISSUE: should our taxonomy include a distinction/modeling of data subjects to whom GDPR applies (EU citizens and/or locatedIn EU)
<trackbot> Created ISSUE-6 - Should our taxonomy include a distinction/modeling of data subjects to whom gdpr applies (eu citizens and/or locatedin eu). Please complete additional details at <https://www.w3.org/community/dpvcg/track/issues/6/edit>.
<AxelPolleres> Axel: in the context of ISSUE-6 is “non-applicable citizens only” a “legal ground”?
Eva: being “non-applicable citizens only” non-european citizens outside of EU
<simonstey> http://dbpedia.org/ontology/iso31661Code
<rigo> ACTION: Eva to put MS Visio picture of usage policy on the wiki
<trackbot> Created ACTION-49 - Put ms visio picture of usage policy on the wiki [on Eva Schlehahn - due 2018-12-11].
<rigo> ACTION: Bud to suggest a new hierarchy of the usage policy diagram and integrate into the presentation of Tuesday 11
<trackbot> Error finding 'Bud'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.
<AxelPolleres> Axel: Do we need in our vocabulary to discuss/model e.g. which Purpose REQUIRES which Data ?
<AxelPolleres> i.e. inter-component relationships within the conceptual model of a policy
<rigo> ACTION: Bud to suggest a new hierarchy of the usage policy diagram and integrate into the presentation of Tuesday 11
<trackbot> Created ACTION-50 - Suggest a new hierarchy of the usage policy diagram and integrate into the presentation of tuesday 11 [on Bud P. Bruegger - due 2018-12-11].
<rigo> ACTION: Bud to prepare a presentation for next DPVCG telco on 11 December
<trackbot> Created ACTION-51 - Prepare a presentation for next dpvcg telco on 11 december [on Bud P. Bruegger - due 2018-12-11].
Axel: could we define the purpose and for it which data we need for this purpose?
Eva: on the one hand it could be very useful and easy to use... but controllers would hate it, as they want as much data as possible
<AxelPolleres> Eva: DPA would appreciate the definition of which data is required for each purpose, but for the data controllers this would not be difficult.
<AxelPolleres> David: it’s a matter of whether we define conformance criteria
Bud: The tool cannot decide if the data is not needed for a purpose
Eva: let's look at our use case, and see if we can find data categories for each purpose such that it is reusable
... purpose-data relations to be reusable and general enough
... not sure if this is possible
<AxelPolleres> Axel: we could model, e.g. in OWL, that all data required is from certain categories.
<AxelPolleres> … as optional axioms
<rigo> harsh: create informational document, and create the OWL as one way to do it
<simonstey> action-3
<trackbot> action-3 -- Bert Bos to Clarify which github space we can use W3C's github space or if we need something else -- due 2018-08-13 -- CLOSED
<trackbot> https://www.w3.org/community/dpvcg/track/actions/3
<simonstey> +q
<rigo> ACTION: rigo to ask Bert about w3c github repository action from August and create a github under W3C for dpvcg
<trackbot> Created ACTION-52 - Ask bert about w3c github repository action from august and create a github under w3c for dpvcg [on Rigo Wenning - due 2018-12-11].
Bud: Should Article 10 be included in Eva's figure?
Eva: not sure, Article 10 mentions data (e.g. criminal) but refers to Art. 9
<AxelPolleres> next Telco 11.12. 16:00 CET
<AxelPolleres> report about the ACTIONS agreed in the meeting.
<AxelPolleres> ACTION: HArsh, Axel, Fajar, Javier start on a base ontology, suggest a namespace, etc. and start populate the sub-taxonomies, agree on language to model it.
<trackbot> Error finding 'HArsh,'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.
<Eva> Eva: Art. 10 is not a legal ground on its own but rather specifies clarification and conditions on the processing operation
<AxelPolleres> ACTION: Axel to together with Harsh, Fajar, Javier start on a base ontology, suggest a namespace, etc. and start populate the sub-taxonomies, agree on language to model it.
<trackbot> Created ACTION-53 - Together with harsh, fajar, javier start on a base ontology, suggest a namespace, etc. and start populate the sub-taxonomies, agree on language to model it. [on Axel Polleres - due 2018-12-11].
<AxelPolleres> rigo: that’s just a detail.
<AxelPolleres> eva: suggested to us country codes (Axel: or continent identifiers?) for modeling storage location
<AxelPolleres> axel: we need a way how to model storage duration, either as a fixed datetimestamp or as a relative duration (e.g. “for two weeks”)
<AxelPolleres> eva: on location, we need also conditions, e.g. “not COUNTRY-XYZ”, “outside-of-Europe”, “not outside-of-Europe” etc.
<AxelPolleres> ACTION: Javier to look into how to align SPECIAL duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary
<trackbot> Error finding 'Javier'. You can review and register nicknames at <https://www.w3.org/community/dpvcg/track/users>.
<scribe> ACTION: Eva to send a compiled version of the slides shown (as for storage)
<trackbot> Created ACTION-54 - Send a compiled version of the slides shown (as for storage) [on Eva Schlehahn - due 2018-12-11].
<AxelPolleres> ACTION: Javier to look into how to align SPECIAL duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary
<trackbot> Created ACTION-55 - Look into how to align special duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary [on Javier D. Fernández - due 2018-12-11].
Axel: I would like to have a first version of the vocabularies by January
... We need to think how to get more use cases
Rigo: once we have the first taxonomy, we can have interested companies
Axel: what is the overlap with the work of Consent Receipt?
https://kantarainitiative.org/confluence/display/infosharing/Home
Rigo: They are looking into our taxonomy to use it in Kantara
... we should look into it
<harsh> https://developers.digi.me/consent-access consent receipt implementation
<AxelPolleres> https://kantarainitiative.org/confluence/display/infosharing/Home
<AxelPolleres> https://kantarainitiative.org/file-downloads/consent-receipt-specification-v1-1-0/
Rigo: it seems that they use arbitrary strings for purposes
Axel: we should look more into it and think how we can align with it
<harsh> purpose categories: https://kantarainitiative.org/confluence/display/infosharing/Appendix+CR+-+V.9.3+-+Example+Purpose+Categories
Axel: e.g. 12 - Legally Required Data Retention mixes purposes and legal ground
<rigo> trackbot, end meeting
end of meeting