- From: Bert Bos <bert@w3.org>
- Date: Thu, 24 Jan 2019 19:51:03 +0100
- To: public-dpvcg@w3.org
See also: https://www.w3.org/2019/01/22-dpvcg-minutes
[1]W3C
[1] https://www.w3.org/
– DRAFT –
Data Privacy Vocabularies and Controls Community Group Teleconference
22 January 2019
[2]Previous meeting [3]Agenda [4]IRC log
[2] https://www.w3.org/2019/01/08-dpvcg-minutes.html
[3] https://www.w3.org/mid/36891304.CWuKmcZnDW@nyx
[4] https://www.w3.org/2019/01/22-dpvcg-irc
Attendees
Present
Bert, Bud, Eva, Harsh, Javier, Mark, Martin, simonstey
Regrets
Axel
Chair
Bert
Scribe
harsh
Contents
* Meeting minutes
* Summary of action items
* Summary of issues
Meeting minutes
Agenda for today: https://lists.w3.org/Archives/Public/public-dpvcg/2019Jan/0008.html
Bert: any concerns about previous minutes of meeting? (no
replies)
Bert: Axel proposed (via email) to move the next meeting by -/+
1 hour. We'll talk about that at the end of the meeting.
<Bert> actions: https://www.w3.org/community/dpvcg/track/actions/open
Bert: looking for any actions we can close
<Bert> action-13?
<trackbot> action-13 -- Stefano Bocconi to Propose use case(s)
for the decode project -- due 2018-08-14 -- CLOSED
<trackbot> https://www.w3.org/community/dpvcg/track/actions/13
<Bert> action-33?
<trackbot> action-33 -- Harshvardhan Pandit to Summarize
elements of consent from the mails and align with Mark Lizar on
"consent receipt" definition (e.g. on delegation) -- due
2018-11-13 -- OPEN
<trackbot> https://www.w3.org/community/dpvcg/track/actions/33
<Bert> action-42?
<trackbot> action-42 -- Eva Schlehahn to Look into requirements
of data protection assessment, and whether it would make sense
to formalize that in terms of what we standardize -- due
2018-12-10 -- OPEN
<trackbot> https://www.w3.org/community/dpvcg/track/actions/42
harsh: regarding consent, we (Mark and I) are talking about a
minimum version of consent receipt which can incorporate DPVCG
vocabularies
Eva: I have been looking at the opinion of the Article 29 WP, for
cases such as impact assessment, which can assist us in
understanding which data can be considered sensitive
Eva: it is difficult to assess whether data is sensitive
because it is context-sensitive, and this makes it difficult
to capture in a vocabulary
Eva: I would consider this action point as done since the
information cannot be categorised based on the opinion
<Bert> close action-42
<trackbot> Closed action-42.
harsh: would it be helpful to list the criteria / concepts
about the assessment and have them as the ontology?
Eva: I can share the points of assessment (from my research)
with the mailing list and we can discuss if it is useful to use
them
Mark: is this the difference between high risk and risk?
Action: Eva to send mail to list with the criteria for data
protection assessment from EDPB
<trackbot> Created ACTION-59 - Send mail to list with the
criteria for data protection assessment from edpb [on Eva
Schlehahn - due 2019-01-29].
Eva: In the opinion (A29 WP) they have described if such a high
risk exists or can exist and controllers are expected to carry
out the assessment to see if this is possible
Mark: In Canada, there was a call for comments, which resulted in
an update to privacy laws, where risk must be provided for
meaningful consent. So this is a similar activity on risk.
Eva: Let's discuss these criteria on the mailing list (after I
share them), as they are highly context-dependent and are
evolving constantly.
Mark: (regarding consent) Kantara is working with/for a working
group for ISO 29184 for consent/privacy notices, and this work
is going in an annex in that report. The idea is to create a
minimal viable consent report which can be extended by
different organisations.
Mark: so there can be an extension submitted by this work group
and reviewed in that context.
<Bert> action-48?
<trackbot> action-48 -- Harshvardhan Pandit to Look into
classifications of organisations that could serve as a basis
for classifying data controllers -- due 2018-12-11 -- OPEN
<trackbot> https://www.w3.org/community/dpvcg/track/actions/48
shared email for categories of organisations: https://lists.w3.org/Archives/Public/public-dpvcg/2018Dec/0021.html
Mark: There are SIC codes (different ones for North America,
EU, UN (UK?)). So we can use that as a company classification.
And a company can have a service which can be different from
the company classification. In GDPR, it refers to categories
from SIC codes.
Eva: what might be relevant is that there could be different
purposes or could mix into each other (for big corps)
Mark: the primary purpose or the core purpose has been brought
up a few times - too much flexibility can increase confusion
harsh: should we summarise this as using SIC (or compatible)
codes to define categories of organisations?
Mark: GDPR specifically mentions terms/categories defined by
trade bodies
Eva: it is useful to revisit the question of "why" we need
categories of controllers
harsh: GDPR code of conduct mentions categories
Bert: so it may be that there are far fewer categories than
SIC codes specify
Bert: we can close this action and have another look at where
these categories are useful?
<Bert> close action-48
<trackbot> Closed action-48.
Issue: where are categories of data controllers used, where are
they useful? (cf. recital 98, 99, 100)
<trackbot> Created ISSUE-9 - Where are categories of data
controllers used, where are they useful? (cf. recital 98, 99,
100). Please complete additional details at
https://www.w3.org/community/dpvcg/track/issues/9/edit
Mark: R98, R99, R100 are relevant for categories of controllers
<Bert> action-57?
<trackbot> action-57 -- Harshvardhan Pandit to Start
definitions of the high-level purposes at
https://www.w3.org/community/dpvcg/wiki/purposes_for_handling_personal_data#high-level_categories_.28to-be-discussed.29
and map them to purposes collected from use
cases -- due 2018-12-18 -- OPEN
<trackbot> https://www.w3.org/community/dpvcg/track/actions/57
page in wiki: https://www.w3.org/community/dpvcg/wiki/Purposes_for_handling_Personal_Data
harsh: I have added brief descriptions to the wiki page (link
above)
<Bert> action-58?
<trackbot> action-58 -- Eva Schlehahn to Look at iab europe
consent framework -- due 2019-01-15 -- OPEN
<trackbot> https://www.w3.org/community/dpvcg/track/actions/58
Eva: there are only 5 purposes which are generic, and there's
no information on how they envision changes to the policy or
consent (withdraw, updates, changes), or if data subject wants
to have something rectified
Eva: I don't understand vendor as a concept, and some of the
terms are generic. I'm sceptical of its use to the community.
<Javier> sorry we can also discuss action-55
Eva: what would be useful is where the vendors are located, how
they share data - these are all missing.
harsh: vendors in this sense refers to anyone who wants to sell
ads and thereby collect consent
<Bert> close action-58
<trackbot> Closed action-58.
<Bert> action-55?
<trackbot> action-55 -- Javier D. Fernández to Look into how to
align special duration vocab with “deletion-ideas” from eva’s
slide (e.g. include no-retention, deleted-by, etc.) in our
vocabulary -- due 2018-12-11 -- OPEN
<trackbot> https://www.w3.org/community/dpvcg/track/actions/55
<Javier> - no-retention: no storage beyond using once
<Bert> close action-55
<trackbot> Closed action-55.
<Javier> - stated purpose: until purpose has been fulfilled
<Javier> - legal-requirement: storage period defined by a law
requiring it
<Javier> - business practices: requires a deletion concept of
controller
<Javier> - Indefinitely: e.g. for really anonymized data,
public archives...
<Javier> - delete-by_ or delete-x-date_month_after <event>
Javier: for action-55, I spoke with Eva for our SPECIAL
use-cases and these are the options for retention.
Javier: (to Eva) do you have any specific events for the last
point?
Eva: this was for example for controllers that have legal
obligations to keep the data after a certain time, e.g. billing
data
Javier: if it is a time then it's fine, but if it's event-based
then can we know what these events are?
Eva: these are context-dependent, e.g. purpose fulfilment in a
contract
Eva: I can look at the use-cases to see if it matches with the
deletion rules ideas
Mark: (to Eva) are these the exceptions to the specified
purpose (as in retention for one purpose but deletion for some
other purpose)
Eva: there can be differentiation between usage data and
billing data, then these datasets can be handled according to
different storing periods
Action: eva to look at use cases in the wiki to see if one
matches the deletion rules ideas Eva posted (especially
deletion depending on an event or purpose rather than a fixed
period)
<trackbot> Created ACTION-60 - Look at use cases in the wiki to
see if one matches the deletion rules ideas eva posted
(especially deletion depending on an event or purpose rather
than a fixed period) [on Eva Schlehahn - due 2019-01-29].
harsh: in this case, the law overrides the GDPR rather than the
GDPR having an exception?
Javier: we have a term legal / law (?) that can be a URI to a
law
Bert: about the next call, there was a request from Axel if we
can have the call +/-1 hour
Proposed is next telco on 12th (rather than 5th) February and
holding it at 2 rather than 4
no objections
Next call confirmed on 12th Feb 14:00
Action: bbos to schedule webex for 12 Feb 14:00
<trackbot> Created ACTION-61 - Schedule webex for 12 feb 14:00
[on Bert Bos - due 2019-01-29].
Summary of action items
1. Eva to send mail to list with the criteria for data
protection assessment from EDPB
2. Eva to look at use cases in the wiki to see if one
matches the deletion rules ideas Eva posted (especially
deletion depending on an event or purpose rather than a
fixed period)
3. bbos to schedule webex for 12 Feb 14:00
Summary of issues
1. Where are categories of data controllers used, where
are they useful? (cf. recital 98, 99, 100)
Minutes manually created (not a transcript), formatted by
Bert Bos's [25]scribe.perl version 2.52 (2019/01/22
11:01:10), a reimplementation of David Booth's
[26]scribe.perl. See [27]CVS log.
[25] https://dev.w3.org/2002/scribe2/scribedoc.html
[26] https://dev.w3.org/2002/scribe/scribedoc.htm
[27] https://dev.w3.org/cvsweb/2002/scribe2/
Received on Thursday, 24 January 2019 18:51:06 UTC