W3C

– DRAFT –
DPVCG Meeting Call

10 MAR 2021

Attendees

Present
MarkLizar
Regrets
-
Chair
harsh
Scribe
harsh

Meeting minutes

Moving DPV(CG) repos to Github/W3C

conversation about moving DPV specs to w3c

note: harsh and beatriz working on issues migration -> to decide if adding directly to w3c repo

Proposal to add concepts

Legal bases: we add categories as sub-classes for LegalBasis e.g. legitimate interest, consent, law

For existing DPV-GDPR, these are instances of LegalBasis, but we redefine them as per their category, e.g. Art.4-x as an instance of Consent, which is a subclass of LegalBasis

beatriz: is Consent currently defined as a standalone concept, we need to integrate this as well

Later, we will also need to think about explicit consent, different requirements for consent

We also need to think about properties for other legal bases, e.g. legitimate interest -> what was it? e.g. contract -> what document? who signed it / who are the parties?

Technologies - databases, etc. - add and associate with existing concepts, e.g. data storage, transfer, encryption

paulryan: I can share document specifying tech&org measures to help with this discussion

beatriz: we can utilise the same abstraction/pattern as risk i.e. hasRisk

We can apply this as a 'test' to the document to be shared by paul

rana: companies need to specify technologies in a DPIA (e.g.), and they need to associate technologies with some kind of risk

paulryan: Vendors also ask/specify ISO certifications, anti-virus, etc. And the risk assessment considers these and new technologies.

Georg: DPAs require information about implementation, and also measures e.g. privacy by design

paulryan: if there are existing vocabularies, how to use/associate these?

harsh: we can point to those, but we need to provide the 'glue' to connect DPV concepts to those e.g. high-level concepts and relationships

To add: consent fields (generic: see consent receipt and GDPR consent record requirements)

beatriz: I'm interested to work on this

georg: I'm interested regarding this as well

MarkLizar: we have the project Pae:CG Privacy as Expected Consent Gateway https://privacy-as-expected.org/ working on a newer version of the consent record/receipt, which we intend to submit back to DPVCG

MarkLizar: At Kantara, ANCR we intend to standardise this and submit it back to ISO 27560 for standardisation internationally

harsh: ISO 29184 mentions machine-readable records - which is what the DPV could be useful for

Consent Community Group

https://www.w3.org/community/consent/

Welcome to join and work on specifics for consent

Slight overlap with DPVCG regarding semantics and concepts, but the scope of CONSENT-CG is much broader and involves everything to do with consent

We can certainly collaborate and sync relevant work

Next Meeting

In 2 weeks, MAR-24 13:00 WET / 14:00 CET

Minutes manually created (not a transcript), formatted by scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).

Diagnostics

Maybe present: beatriz, Georg, harsh, paulryan, rana