Position Paper ULD for W3C workshop ‘Data Privacy Controls and Vocabularies’

By Eva Schlehahn and Harald Zwingelberg, ULD


Unabhängiges Landeszentrum für Datenschutz (ULD, Engl. Independent Centre for Privacy Protection) is the Data Protection Authority of Schleswig-Holstein, the northernmost Federal State of Germany. Its office is located in Kiel, Germany. The Privacy Commissioner of Schleswig-Holstein, Marit Hansen, is head of ULD. ULD is responsible for both freedom of information and data protection at private and public sector entities seated in Schleswig-Holstein. Besides supervising data protection compliance, ULD engages in research activities within European and nationally funded projects, where it provides expertise on the legal requirements of European data protection law and on how to translate these requirements into a basis for determining tangible technical and organisational measures. ULD is also a consortium member of the H2020 project SPECIAL.

For the purpose of the W3C workshop ‘Data Privacy Controls and Vocabularies’, this position paper provides the following input:

From May 2018, the requirements of the General Data Protection Regulation (GDPR) apply to the protection of personal data in Europe. To establish a specification that allows controllers to electronically express the permissions and restrictions for given personal data, such a vocabulary must be capable of expressing what the GDPR requires in terms of transparency. It should further be capable of representing the cornerstones of the GDPR throughout the data's lifecycle (from the moment of collection, during storage and processing, until deletion). Important meta-information linked to the personal data being processed must be available and, ideally, automatically enforceable. Such a specification must be able to convey the following information:

·         Category of personal data

o   Which categories of personal data are processed, and whether special categories of personal data according to Art. 9 GDPR are processed.

o   Special categories of personal data include:

§  racial or ethnic origin,

§  political opinions,

§  religious or philosophical beliefs,

§  trade union membership, 

§  genetic data, 

§  biometric data for the purpose of uniquely identifying a natural person,

§  data concerning health,

§  data concerning a natural person's sex life or sexual orientation

o   Further categories may be defined, e.g. master record data, location and movement data, call records, communication metadata, log file data.

·         Purpose limitation    

o   For which specific, explicit and legitimate purposes is the personal data collected, stored and processed?

·         Legal ground

o   On which legal ground is the processing based?

o   If the legal ground is the data subject's consent, the vocabulary should be able to express a link to the specific consent given (e.g. the privacy policy and its version) and additional information on the status of the consent:

§  given; if yes, specify whether explicit or implicit

§  pending / withheld

§  withdrawn

§  referring to the personal data of a minor

§  referring to the personal data of a disabled person who needs specific accessibility provisions to manage consent

·         The identity of the controller

o   The entity or entities (joint controllers) determining the purposes and means of the processing.

·         The identity of involved processors

·         Cross-border data transfers and involved countries

o   Are data transferred to another country to be stored and/or processed there? If yes, differentiate between:

§  Data transfer within the European Union 

§  Data transfer to a third country and basis for compliance with Art. 44 et seq. GDPR (adequacy decision, appropriate safeguards, binding corporate rules) and where possible a link documenting the latter, e.g. to the Commission’s adequacy decision or the BCR.

§  Other third country

·         Specific rules on how to handle the personal data, for example:

o   Permitted user/access activities, e.g. read-only, write, rectify, disclose, delete

o   Anonymize / pseudonymize / encrypt

o   Time of deletion: [delete by …], [delete x months after <event>], etc.

o   Notify: [define notification rules, e.g. towards the data subject, possibly with a predefined action time]
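To make the "ideally, automatically enforceable" point concrete, the following Python is an added example (not code from the ULD paper or the SPECIAL project) that encodes the meta-information listed above as a small record and runs a request (action, purpose, date) against it. The token names for categories and transfer bases, the static EU/EEA country list, the fictitious controller "Example Clinic GmbH" and the example.org URLs are assumptions made for this demo, and the legal checks are deliberately simplified: consent must be "given", special categories need explicit consent (Art. 9(2)(a)), a transfer outside the EU/EEA needs a documented basis under Art. 44 et seq., and once the deletion deadline has passed only deletion is still allowed.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field, replace
from datetime import date

# Art. 9 GDPR special categories as enumerated above (token names chosen for this example).
SPECIAL_CATEGORIES = frozenset({
    "racial_or_ethnic_origin", "political_opinions", "religious_or_philosophical_beliefs",
    "trade_union_membership", "genetic_data", "biometric_identification_data",
    "health_data", "sex_life_or_sexual_orientation"})
# EU plus EEA states (ISO 3166-1 alpha-2); assumption: a static list is enough for the demo.
EU_EEA = frozenset(("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK "
                    "SI ES SE IS LI NO").split())
TRANSFER_BASES = frozenset({"adequacy_decision", "appropriate_safeguards", "binding_corporate_rules"})

@dataclass(frozen=True)
class Consent:
    status: str                  # "given" | "pending" | "withheld" | "withdrawn"
    explicit: bool = False       # explicit vs. implicit consent
    policy_ref: str = ""         # link to the consent text (privacy policy) and its version

@dataclass(frozen=True)
class Transfer:
    country: str                 # ISO alpha-2 code of the storage/processing location
    basis: str | None = None     # one of TRANSFER_BASES; None inside the EU/EEA
    document: str = ""           # link documenting the basis (adequacy decision, BCR)

@dataclass
class ProcessingRecord:
    categories: set[str]
    purposes: set[str]
    legal_ground: str            # "consent", "contract", "legal_obligation", ...
    controllers: list[str]       # several entries for joint controllers
    processors: list[str] = field(default_factory=list)
    transfers: list[Transfer] = field(default_factory=list)
    consent: Consent | None = None
    allowed_actions: set[str] = field(default_factory=set)   # read, write, rectify, disclose, delete
    delete_months_after_event: int | None = None              # [delete x months after <event>]
    event_date: date | None = None
    def special_categories(self) -> set[str]:
        return self.categories & SPECIAL_CATEGORIES
    def deletion_deadline(self) -> date | None:
        if self.delete_months_after_event is None or self.event_date is None:
            return None
        return add_months(self.event_date, self.delete_months_after_event)

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (31 Jan + 1 month -> 28/29 Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def check(record: ProcessingRecord, action: str, purpose: str, today: date) -> list[str]:
    """Reasons why `action` for `purpose` is not permitted on `record` today; [] means permitted."""
    findings = []
    if action not in record.allowed_actions:
        findings.append(f"action '{action}' is not among the permitted activities")
    if purpose not in record.purposes:
        findings.append(f"purpose '{purpose}' is not a specified purpose (Art. 5(1)(b))")
    if record.legal_ground == "consent":
        c = record.consent
        if c is None or c.status != "given":
            findings.append(f"consent is {'missing' if c is None else c.status} (Art. 6(1)(a))")
        else:
            if record.special_categories() and not c.explicit:
                findings.append("special categories need explicit consent (Art. 9(2)(a))")
            if not c.policy_ref:
                findings.append("no link to the consent text and its version")
    for t in record.transfers:
        if t.country not in EU_EEA and t.basis not in TRANSFER_BASES:
            findings.append(f"transfer to {t.country} without a basis under Art. 44 et seq.")
        elif t.country not in EU_EEA and not t.document:
            findings.append(f"transfer to {t.country}: basis '{t.basis}' is not documented")
    deadline = record.deletion_deadline()
    if deadline is not None and today > deadline and action != "delete":
        findings.append(f"retention ended on {deadline.isoformat()}; only deletion is permitted")
    return findings

def run_scenarios() -> dict[str, list[str]]:
    """Constructed sample record (fictitious controller and URLs) run through a few requests."""
    base = ProcessingRecord(
        categories={"master_record_data", "health_data"}, purposes={"appointment_scheduling"},
        legal_ground="consent", controllers=["Example Clinic GmbH"], processors=["Example Hosting Ltd"],
        transfers=[Transfer("US", "adequacy_decision", "https://example.org/adequacy-decision")],
        consent=Consent("given", explicit=True, policy_ref="https://example.org/privacy/v3"),
        allowed_actions={"read", "rectify", "delete"},
        delete_months_after_event=6, event_date=date(2017, 10, 1))   # deadline: 2018-04-01
    withdrawn = replace(base, consent=replace(base.consent, status="withdrawn"))
    no_basis = replace(base, transfers=[Transfer("IN")])
    d1, d2 = date(2017, 11, 1), date(2018, 4, 2)
    return {
        "ok": check(base, "read", "appointment_scheduling", d1),
        "wrong_purpose": check(base, "read", "marketing", d1),
        "withdrawn": check(withdrawn, "read", "appointment_scheduling", d1),
        "no_transfer_basis": check(no_basis, "read", "appointment_scheduling", d1),
        "after_deadline": check(base, "read", "appointment_scheduling", d2),
        "delete_after_deadline": check(base, "delete", "appointment_scheduling", d2),
    }
```

Each request returns the list of reasons it would be refused, so the same record can drive both an access decision at processing time and an audit report; the withdrawn-consent and expired-retention scenarios show why the consent status and the deletion rule must travel with the data rather than live only in the privacy policy.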

We see room for further research and exploration of the extent to which data vocabularies can help express rules on the handling of personal information in accordance with the GDPR. We see the workshop as an ideal forum for discussion of this topic and will provide our legal view on the interpretation of the GDPR where necessary.

ULD therefore sees a number of issues that may be discussed in the context of data vocabularies and semantics, for example:

·         Error handling: how should modelling errors or inconsistencies be treated, and how does a system react to them?

·         How can insufficient classification models and problems of perspective be avoided?

·         Adaptability of the vocabulary: is it possible to extend the vocabulary, e.g. to add further categories of data or purposes? This may be necessary in case of evolving or changing laws, or of application in foreign jurisdictions.

·         How can the specific circumstances and, possibly, the inherent risks of an individual processing operation be taken into account?

·         How can issues relating to the quality and reliability of personal information be taken into account, especially in the context of profiling and scoring? How can the dangers of cognitive bias and discrimination based on data be avoided? In which way can technology support transparency about inferences for the data subject?

·         In which way must configurations of, and changes to, the vocabularies and semantics be documented?