15:03:23 RRSAgent has joined #dpvcg
15:03:23 logging to https://www.w3.org/2019/01/22-dpvcg-irc
15:03:25 RRSAgent, make logs public
15:03:25 Zakim has joined #dpvcg
15:03:27 Meeting: Data Privacy Vocabularies and Controls Community Group Teleconference
15:03:27 Date: 22 January 2019
15:03:47 agendabot has joined #dpvcg
15:05:30 Eva we can hear you on the call.
15:06:02 ok you can still hear us but we cannot hear you, working on it, sigh
15:07:08 Agenda for today: https://lists.w3.org/Archives/Public/public-dpvcg/2019Jan/0008.html
15:07:20 agenda: https://www.w3.org/mid/36891304.CWuKmcZnDW@nyx
15:07:21 clear agenda
15:07:21 agenda+ Roll call, select scribe, agenda
15:07:21 agenda+ Approval of last telcon's minutes:
15:07:21 agenda+ Action items
15:07:21 agenda+ Issues
15:07:23 agenda+ Status of vocabularies/taxonomies
15:07:26 agenda+ AOB
15:08:00 present+
15:08:01 Javier has joined #dpvcg
15:08:29 scribe: harsh
15:09:53 Bert: any concerns about previous minutes of meeting? (no replies)
15:10:04 previous meeting: https://www.w3.org/2019/01/08-dpvcg-minutes.html
15:10:07 Bert: Axel proposed (via email) to move the next meeting by -/+ 1 hour. We'll talk about that at the end of the meeting.
15:10:32 -> https://www.w3.org/community/dpvcg/track/actions/open actions
15:10:42 Bert: looking for any actions we can close
15:10:52 action-13?
15:10:52 action-13 -- Stefano Bocconi to Propose use case(s) for the decode project -- due 2018-08-14 -- CLOSED
15:10:52 https://www.w3.org/community/dpvcg/track/actions/13
15:10:55 action-33?
15:10:55 action-33 -- Harshvardhan Pandit to Summarize elements of consent from the mails and align with mark lizar on "concent receipt" definition (e.g. on delegation) -- due 2018-11-13 -- OPEN
15:10:55 https://www.w3.org/community/dpvcg/track/actions/33
15:11:57 action-42?
15:11:57 action-42 -- Eva Schlehahn to Look into requirements of data protection assessment, and whether it would make sense to formalize that in terms of what we standardize -- due 2018-12-10 -- OPEN
15:11:57 https://www.w3.org/community/dpvcg/track/actions/42
15:12:11 harsh: regarding consent, we (me and Mark) are talking about a minimum version of consent receipt which can incorporate DPVCG vocabularies
15:12:50 Eva: I'm looking(-ed) at the opinion of Article 29 WP, for cases such as impact assessment which can assist us in understanding which data can be considered sensitive
15:13:44 Mark_Lizar has joined #dpvcg
15:14:02 simonstey has joined #dpvcg
15:14:18 Hello
15:14:59 Eva: it is difficult to assess whether data is sensitive because they are context sensitive and this makes it difficult to capture it in a vocabulary
15:15:01 present+
15:15:47 Eva: I would consider this action point as done since the information cannot be categorised based on the opinion
15:17:15 close action-42
15:17:15 Closed action-42.
15:17:26 harsh: would it be helpful to list the criteria / concepts about the assessment and have them as the ontology?
15:17:58 Eva: I can share the points of assessment (from my research) with the mailing list and we can discuss if it is useful to use them
15:18:10 Mark: is this the difference between high risk and risk?
15:18:18 action: Eva to send mail to list with the criteria for data protection assessment from EDPB
15:18:19 Created ACTION-59 - Send mail to list with the criteria for data protection assessment from edpb [on Eva Schlehahn - due 2019-01-29].
15:19:06 Eva: In the opinion (A29 WP) they have described if such a high risk exists or can exist and controllers are expected to carry out the assessment to see if this is possible
15:19:40 Mark: In Canada, there was a call for comments, and resulted in update to privacy laws, where risk must be provided for meaningful consent. So this is a similar activity on risk.
15:20:18 Eva: Let's discuss these criteria on the mailing list (after I share them), as they are highly context dependent which are evolving constantly.
15:22:16 Mark: (regarding consent) Kantara is working with/for a working group for ISO 29184 for consent/privacy notices, and this work is going in an annex in that report. The idea is to create a minimal viable consent report which can be extended by different organisations.
15:22:32 Mark: so there can be an extension submitted by this work group and reviewed in that context.
15:24:15 action-48?
15:24:15 action-48 -- Harshvardhan Pandit to Look into classifications of organisations that could serve as a basis for clsssifying data controllers -- due 2018-12-11 -- OPEN
15:24:15 https://www.w3.org/community/dpvcg/track/actions/48
15:25:49 shared email for categories of organisations https://lists.w3.org/Archives/Public/public-dpvcg/2018Dec/0021.html
15:27:14 Mark: There are SIC codes (different ones for North America, EU, UN (UK?)). So we can use that as a company classification. And a company can have a service which can be different from the company classification. In GDPR, it refers to categories from SIC codes.
15:27:45 Eva: what might be relevant is that there could be different purposes or could mix into each other (for big corps)
15:28:20 Mark: the primary purpose or the core purpose has been brought up a few times - too much flexibility can increase confusion
15:30:04 harsh: should we summarise this as using SIC (or compatible) codes to define categories of organisations?
15:30:17 Mark: GDPR specifically mentions terms/categories defined by trade bodies
15:33:48 Eva: it is useful to revisit the question of "why" we need categories of controllers
15:34:15 harsh: GDPR code of conduct mentions categories
15:34:28 Bert: so it may be that there are far fewer categories than SIC codes specify
15:35:05 Bert: we can close this action and have another look at where these categories are useful?
15:36:57 close action-48
15:36:57 Closed action-48.
15:37:51 issue: where are categories of data controllers used, where are they useful? (cf. recital 98, 99, 100)
15:37:52 Created ISSUE-9 - Where are categories of data controllers used, where are they useful? (cf. recital 98, 99, 100). Please complete additional details at .
15:37:52 Mark: R98, R99, R100 are relevant for categories of controllers
15:38:15 action-57?
15:38:15 action-57 -- Harshvardhan Pandit to Start definitionsions of the high-level purposes at https://www.w3.org/community/dpvcg/wiki/purposes_for_handling_personal_data#high-level_categories_.28to-be-discussed.29 and map them to purposes collected from use cases -- due 2018-12-18 -- OPEN
15:38:16 https://www.w3.org/community/dpvcg/track/actions/57
15:38:22 page in wiki: https://www.w3.org/community/dpvcg/wiki/Purposes_for_handling_Personal_Data
15:39:18 harsh: I have added brief descriptions to the wiki page (link above)
15:39:53 action-58?
15:39:53 action-58 -- Eva Schlehahn to Look at iab europe consent framework -- due 2019-01-15 -- OPEN
15:39:53 https://www.w3.org/community/dpvcg/track/actions/58
15:41:22 Eva: there are only 5 purposes which are generic, and there's no information on how they envision changes to the policy or consent (withdraw, updates, changes), or if data subject wants to have something rectified
15:41:52 agenda+ next telcon (Axel asks for one-time time change)
15:42:24 Eva: I don't understand vendor as a concept, and some of the terms are generic. I'm sceptical of its use to the community.
15:43:07 sorry we can also discuss action-55
15:43:14 Eva: what would be useful is where the vendors are located, how they share data - these are all missing.
15:43:30 harsh: vendors in this sense refers to anyone who wants to sell ads and thereby collect consent
15:43:56 close action-58
15:43:56 Closed action-58.
15:44:13 action-55?
15:44:14 action-55 -- Javier D. Fernández to Look into how to align special duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary -- due 2018-12-11 -- OPEN
15:44:14 https://www.w3.org/community/dpvcg/track/actions/55
15:44:36 - no-retention: no storage beyond using once
15:44:38 close action-55
15:44:38 Closed action-55.
15:44:40 - stated purpose: until purpose has been fulfilled
15:44:46 - legal-requirement: storage period defined by a law requiring it
15:45:14 - business practices: requires a deletion concept of controller
15:45:29 - Indefinitely: e.g. for really anonymized data, public archives...
15:45:37 - delete-by_ or delete-x-date_month_after
15:46:19 javier: for action-55, I spoke with Eva for our SPECIAL use-cases and these are the options for retention.
15:46:40 Javier: (to Eva) do you have any specific events for the last point?
15:46:57 Eva: this was for example for controllers that have legal obligations to keep the data after a certain time e.g. billing data
15:47:26 Javier: if it is a time then it's fine, but if it's event-based then can we know what these events are?
15:47:48 Eva: these are context-dependent, e.g. purpose fulfilling in a contract
15:49:25 Eva: I can look at the use-cases to see if it matches with the deletion rules ideas
15:50:01 Mark: (to Eva) are these the exceptions to the specified purpose (as in retention for one purpose but deletion for some other purpose)
15:50:30 Eva: there can be differentiation between usage data and billing data, then these datasets can be handled according to different storing periods
15:50:38 action: eva to look at use cases in the wiki to see if one matches the deletion rules ideas Eva posted (especially deletion depending on an event or purpose rather than a fixed period)
15:50:38 Created ACTION-60 - Look at use cases in the wiki to see if one matches the deletion rules ideas eva posted (especially deletion depending on an event or purpose rather than a fixed period) [on Eva Schlehahn - due 2019-01-29].
15:52:47 harsh: in this case, the law overrides the GDPR rather than the GDPR having an exception?
15:53:07 Javier: we have a term legal / law (?) that can be a URI to a law
15:53:35 Bert: about the next call, there was a request from Axel if we can have the call +/-1 hour
15:55:24 proposed: next telco on 12th (rather than 5th) February and holding it at 2 rather than 4
15:55:35 no objections
15:55:45 Next call confirmed on 12th Feb 14:00
15:56:40 action: bert to schedule webex for 12 Feb 14:00
15:56:40 'bert' is an ambiguous username. Please try a different identifier, such as family name or username (e.g., bbos, bertv).
15:57:42 action: bbos to schedule webex for 12 Feb 14:00
15:57:43 Created ACTION-61 - Schedule webex for 12 feb 14:00 [on Bert Bos - due 2019-01-29].
15:59:08 harsh has left #dpvcg
16:06:35 Bert has joined #dpvcg