17:31:05 RRSAgent has joined #dpvcg 17:31:05 logging to https://www.w3.org/2022/09/28-dpvcg-irc 17:31:08 ScribeNick: harsh 17:31:14 Meeting: DPVCG Meeting Call 17:31:18 Chair: harsh 17:31:29 Present: harsh, beatriz, georg, delaram, paul 17:31:33 Date: 28 SEP 2022 17:31:42 Agenda: https://lists.w3.org/Archives/Public/public-dpvcg/2022Sep/0010.html 17:33:14 Previous minutes -> https://www.w3.org/2022/09/21-dpvcg-minutes.html 17:33:48 Topic: dpv-legal external vocabs 17:34:43 Bert Van Nuffelen suggested using EU vocabularies as an authoritative source for concepts currently in DPV-LEGAL. Namely countries and EU membership. 17:34:54 See https://github.com/w3c/dpv/issues/46 for the issue and discussion. 17:35:36 Given that the EU vocabularies are authoritative and well-maintained, we decide to remove these concepts from DPV-LEGAL and use the ones from EU instead. 17:36:03 This means rewriting most of concepts to use EUvoc IRIs, e.g. for expressing laws and authorities and other sources. 17:37:19 If there are other authoritative vocabularies, then alignment is simple given that they all use ISO 3166 codes for countries. 17:38:05 Topic: ISO 27560 Consent Record 17:38:27 The standard is closing towards stability, with an expected publication date of June 2023. 17:38:57 Once the schema is relatively stable and consensus is reached, DPV will provide a guide on creating consent records based on 27560, along with providing the relevant 'schema' and vocabulary. 17:39:48 An example of how using DPV can be used for the current draft is here - https://github.com/coolharsh55/dpv-consent-record 17:39:52 Topic: Rules 17:40:12 We discussed the need (and limitation) for simple mechanisms to express rules over DPV defined information. 17:40:47 The proposal is to have `hasRule` as a relation that takes a target `Rule`, which may be of type `Permission`, `Prohibition`, and `Obligation`. For anything more, we refer to external vocabularies such as ODRL. 17:41:30 These rules can be associated with any /block/ such as PDH's. If they have to be applied over single concepts, e.g. to say data category Identifier is prohibited, then it is tricky to express this. 17:42:14 Because using triple notations, there are two sets of information here - 1) `hasPersonalData Identifier`; and 2) `hasRule Prohibited`. 17:43:35 Alternative is to provide specific relations, e.g. as `hasProhibition [ hasPersonalData Identifier ]` - which is still the same solution with a less elegant expression, no explicit notation of the /rule/, and requires creating such relations for every type of rule. 17:44:19 Paul has asked for examples (e.g. mailing list) for how the proposed rule expression will work. The next meeting will discuss the examples and decide on rule expression. 17:45:30 Topic: Right Exercise 17:46:16 Rights can be of two types - `ActiveRight` which means some action must be taken to exercise it, and `PassiveRight` which means no action needs to be taken as it is always under exercise. 17:46:54 Examples are GDPR (D)SAR or Data Portability being active rights, while right to privacy is a passive (and fundamental) right. 17:47:10 We therefore focus on how to exercise active rights. 17:48:17 georg raised an interesting question - if some information is needed to exercise right, this should be indicated in the notice/record. The appropriate legal basis for this would be legal obligation. 17:51:00 We discussed the use-cases for rights, and tried to identify the key information / concepts. 17:51:16 We have `Right` and `hasRight` in DPV. We need a way to indicate how/where to exercise that right. 17:51:39 This can be through a relation `isExercisedAt` that points to some resource or link where the right exercise can be requested or performed. 17:52:32 To express what is needed for this, such as some information (e.g. email) or technical measure (e.g. authentication) - a PDH instance can be used which provides the framework for describing purposes, processing, personal data, entities associated. 17:53:51 To indicate who made the request, which may not always be the data subject but an authorised party, the relations `isMadeBy` and `isMadeTo` were discussed. 17:54:08 Note - we have `isIndicatedBy` which can be reused here with a complement as `isIndicatedTo` 17:54:51 To indicate the data subject whose right is being exercised, the existing `hasDataSubject` can be used. As with consent, it may not be necessary to always duplicate informatoin on who indicated and who the data subject if they are the same. 17:55:28 A single access point for rights can handle multiple rights. This can be indicated by using `hasRight` with all the rights. 17:57:22 To indicate the scope of the request, e.g. a specific purpose or personal data, or a temporal duration, `hasScope` and `Scope` can be used. 17:58:26 An open question is how to express the authorisation (relation or information) between Data Subject and the request initiator. We may need to establish a way for these relationships and information. 18:00:06 Rights exercises have stages/events. There is a request by the data subject, then an acknowledgement by the controller, then a response. 18:00:28 Response may be successul exercise of the right, and may contain additional information and/or actions such as download data or view a page. 18:00:51 Response may be failure to exercise right with justification, or an intermediary stage asking for more information or authentication. 18:01:13 An open question for requests - how to express data should be in a specific format, e.g. PDF. 18:01:31 An open question - how to express where information should be communicated, e.g. via emails. 18:01:49 We will circulate ideas/proposals/discussions via the mailing list, and take this up again next week. 18:01:53 Topic: Next meeting 18:04:03 We will meet again in 1 week, on OCT-15 13:00 WEST / 14:00 CEST. 18:04:17 Topics will be Rules and Rights Exercise, with other items on agenda and AOB. 18:04:20 rrsagent, publish minutes v2 18:04:20 I have made the request to generate https://www.w3.org/2022/09/28-dpvcg-minutes.html harsh 18:04:26 rrsagent, make logs world-visible 18:04:52 rrsagent, bye 18:04:52 I see no action items