W3C

– DRAFT –
Data Privacy Vocabularies and Controls Community Group Teleconference

22 January 2019

Meeting minutes

Agenda for today: https://‌lists.w3.org/‌Archives/‌Public/‌public-dpvcg/‌2019Jan/‌0008.html

Bert: any concerns about previous minutes of meeting? (no replies)

Bert: Axel proposed (via email) to move the next meeting by -/+ 1 hour. We'll talk about that at the end of the meeting.

<Bert> actions

Bert: looking for any actions we can close

<Bert> action-13?

<trackbot> action-13 -- Stefano Bocconi to Propose use case(s) for the decode project -- due 2018-08-14 -- CLOSED

<trackbot> https://‌www.w3.org/‌community/‌dpvcg/‌track/‌actions/‌13

<Bert> action-33?

<trackbot> action-33 -- Harshvardhan Pandit to Summarize elements of consent from the mails and align with mark lizar on "concent receipt" definition (e.g. on delegation) -- due 2018-11-13 -- OPEN

<trackbot> https://‌www.w3.org/‌community/‌dpvcg/‌track/‌actions/‌33

<Bert> action-42?

<trackbot> action-42 -- Eva Schlehahn to Look into requirements of data protection assessment, and whether it would make sense to formalize that in terms of what we standardize -- due 2018-12-10 -- OPEN

<trackbot> https://‌www.w3.org/‌community/‌dpvcg/‌track/‌actions/‌42

harsh: regarding consent, we (me and Mark) are talking about a minimum version of consent receipt which can incorporate DPVCG vocabularies

Eva: I'm looking(-ed) at the opinion of Article 29 WP, for cases such as impact assessment which can assist us in understanding which data can be considered sensitive

Eva: it is difficult to assess whether data is sensitive because they are context sensitive and this makes it difficult to capture it in a vocabulary

Eva: I would consider this action point as done since the information cannot be categorised based on the opinion

<Bert> close action-42

<trackbot> Closed action-42.

harsh: would it be helpful to list the criteria / concepts about the assessment and have them as the ontology?

Eva: I can share the points of assessment (from my research) with the mailing list and we can discuss if it is useful to use them

Mark: is this the difference between high risk and risk?

Action: Eva to send mail to list with the criteria for data protection assessment from EDPB

<trackbot> Created ACTION-59 - Send mail to list with the criteria for data protection assessment from edpb [on Eva Schlehahn - due 2019-01-29].

Eva: In the opinion (A29 WP) they have described if such a high risk exists or can exist and controllers are expected to carry out the assessment to see if this is possible

Mark: In Canada, there was a call for comments, and resulted in update to privacy laws, where risk must be provided for meaningul consent. So this is a similar activity on risk.

Eva: Let's discuss these criteria on the mailing list (after I share them), as they are highly context dependant which are evolving constantly.

Mark: (regarding consent) Kantara is working with/for a working group for ISO 29184 for consent/privacy notices, and this work is going in an annex in that report. The idea is to create a minimal viable consent report which can be extended by different organisations.

Mark: so there can be an extension submitted by this work group and reviewed in that context.

<Bert> action-48?

<trackbot> action-48 -- Harshvardhan Pandit to Look into classifications of organisations that could serve as a basis for clsssifying data controllers -- due 2018-12-11 -- OPEN

<trackbot> https://‌www.w3.org/‌community/‌dpvcg/‌track/‌actions/‌48

shared email for categories of organisations https://‌lists.w3.org/‌Archives/‌Public/‌public-dpvcg/‌2018Dec/‌0021.html

Mark: There are SIC codes (different ones for North America, EU, UN (UK?). So we can use that as a company classification. And a company can have a service which can be different from the company classification. In GDPR, it refers to categories from SIC codes.

Eva: what might be relevant is that there could be different purposes or could mix into each other (for big corps)

Mark: the primary purpose or the core purpose has been brought up a few times - too much flexibility can increase confusion

harsh: should we summarise this as using SIC (or compatible) codes to define categories of organisations?

Mark: GDPR specifically mentions terms/categories defined by trade bodies

Eva: it is useful to revisit the question of "why" we need categories of controllers

harsh: GDPR code of conduct mentions categories

Bert: so it may be that there are far lesser categories than SIC codes specify

Bert: we can close this action and have another look at where this categories are useful?

<Bert> close action-48

<trackbot> Closed action-48.

Issue: where are categories of data controllers used, where are they useful? (cf. recital 98, 99, 100)

<trackbot> Created ISSUE-9 - Where are categories of data controllers used, where are they useful? (cf. recital 98, 99, 100). Please complete additional details at <https://‌www.w3.org/‌community/‌dpvcg/‌track/‌issues/‌9/‌edit>.

Mark: R98, R99, R100 are relevant for categories of controllers

<Bert> action-57?

<trackbot> action-57 -- Harshvardhan Pandit to Start definitionsions of the high-level purposes at https://‌www.w3.org/‌community/‌dpvcg/‌wiki/‌purposes_for_handling_personal_data#high-level_categories_.28to-be-discussed.29 and map them to purposes collected from use cases -- due 2018-12-18 -- OPEN

<trackbot> https://‌www.w3.org/‌community/‌dpvcg/‌track/‌actions/‌57

page in wiki: https://‌www.w3.org/‌community/‌dpvcg/‌wiki/‌Purposes_for_handling_Personal_Data

harsh: I have added brief descriptions to the wiki page (link above)

<Bert> action-58?

<trackbot> action-58 -- Eva Schlehahn to Look at iab europe consent framework -- due 2019-01-15 -- OPEN

<trackbot> https://‌www.w3.org/‌community/‌dpvcg/‌track/‌actions/‌58

Eva: there are only 5 purposes which are generic, and there's no information on how they envision changes to the policy or consent (withdraw, updates, changes), or if data subject wants to have something rectified

Eva: I don't understand vendor as a concept, and some of the terms are generic . I'm sceptical of its use to the community.

<Javier> sorry we can also discuss action-55

Eva: what would be useful is where the vendors are located, how they share data - these are all missing.

harsh: vendors in this sense refers to anyone who wants to sell ads and thereby collect consent

<Bert> close action-58

<trackbot> Closed action-58.

<Bert> action-55?

<trackbot> action-55 -- Javier D. Fernández to Look into how to align special duration vocab with “deletion-ideas” from eva’s slide (e.g. include no-retention, deleted-by, etc.) in our vocabulary -- due 2018-12-11 -- OPEN

<trackbot> https://‌www.w3.org/‌community/‌dpvcg/‌track/‌actions/‌55

<Javier> - no-retention: no storage beyond using once

<Bert> close action-55

<trackbot> Closed action-55.

<Javier> - stated purpose: until purpose has been fulfilled

<Javier> - legal-requirement: storage period defined by a law requiring it

<Javier> - business practices: requires a deletion concept of controller

<Javier> - Indefinitely: e.g. for really anonymized data, public archives...

<Javier> - delete-by_ or delete-x-date_month_after <event>

javier: for action-55, I spoke with Eva for our SPECIAL use-cases and these are the options for retention.

Javier: (to Eva) do you have any specific events for the last point?

Eva: this was for example for controllers that have legal obligations to keep the data after a certain time e.g. billing dat

Javier: if it is a time then its fine, but if it's event-based then can we know what these events are?

Eva: these are context-dependant, e.g. purpose fulfilling in a contract

Eva: I can look at the use-cases to see if it matches with the deletion rules ideas

Mark: (to Eva) are these the exceptions to the specified purpose (as in retention for one purpose but deletion for some other purpose)

Eva: there can be differentiation between usage data and billing data, then these datasets can be handled according to different storing periods

Action: eva to look at use cases in the wiki to see if one matches the deletion rules ideas Eva posted (especially deletion depending on an event or purpose rather than a fixed period)

<trackbot> Created ACTION-60 - Look at use cases in the wiki to see if one matches the deletion rules ideas eva posted (especially deletion depending on an event or purpose rather than a fixed period) [on Eva Schlehahn - due 2019-01-29].

harsh: in this case, the law overrides the GDPR rather than the GDPR having an exception?

Javier: we have a term legal / law (?) that can be a URI to a law

Bert: about the next call, there was an request from Axel if we can have the call +/-1 hour

Proposed is next telco on 12th (rather than 5th) February and holding it at 2 rather than 4

no objections

Next call confirmed on 12th Feb 14:00

Action: bbos to schedule webex for 12 Feb 14:00

<trackbot> Created ACTION-61 - Schedule webex for 12 feb 14:00 [on Bert Bos - due 2019-01-29].

Summary of action items

  1. Eva to send mail to list with the criteria for data protection assessment from EDPB
  2. eva to look at use cases in the wiki to see if one matches the deletion rules ideas Eva posted (especially deletion depending on an event or purpose rather than a fixed period)
  3. bbos to schedule webex for 12 Feb 14:00

Summary of issues

  1. where are categories of data controllers used, where are they useful? (cf. recital 98, 99, 100)
Minutes manually created (not a transcript), formatted by Bert Bos's scribe.perl version 2.52 (2019/01/22 11:01:10), a reimplementation of David Booth's scribe.perl. See CVS log.