2018-10-04 Meeting notes (CR)

Date

2018-10-04

Status of Minutes

Approved

Approved at: 2019-12-12 Meeting notes (CR) DRAFT

Attendees

Voting

Non-Voting

  • Sneha Ved
  • Colin Wallis
  • Tom Jones
  • Sal D'Agostino


Regrets

  •  

Quorum Status


Meeting was <<<>>> quorate


Voting participants


Participant Roster (2016) - Quorum is 5 of 9 as of 2018-07-12

Iain Henderson, Mary Hodder, Harri Honko, Mark Lizar, Jim Pasquale, John Wunderlich, Andrew Hughes, Oscar Santolalla, Richard Gomer

Discussion Items

Time

Item

Who

Notes

4 mins
  • Roll call
  • Agenda bashing
5 min
  • Organization updates
All

Please review these blogs offline for current status on Kantara and all the DG/WG:

There is a new wiki page that will hold all the known implementations of Consent Receipts - Please update the page or inform Andrew of your implementation.

Planning a Member Plenary meeting October 26-ish San Francisco (Friday after IIW)

  • Are there specific cross-group items you'd like to propose to work on?
10 minDemo updatesAll
  • No new demo partners will be ready for Amsterdam - too short notice
  • Retargeting to EIC in May
  • digi.me is scheduling product updates now
    • has suggestions for CR structural updates - we need to figure out how to introduce these, since they would be 'breaking' changes for everyone else
    • Julian Ranger has recommitted to getting the CR better integrated into the product - for example, to be able to get receipts inbound into their dashboard concept
    • More info in a few weeks
20 minInteroperable Consent Receipt roadmap ideasAll

Continuation of the discussion about 'what should interoperate?'


0 minInteroperable Consent Receipt roadmap ideasAll

From 2018-10-04 call:

  • If the legitimate basis is not 'explicit consent' - but rather legitimate interest, is the concept of 'data receipt' still viable?
  • Mark - yes, the current CR was designed to be not confined to 'explicit consent' - so yes, the receipt concept will work for other bases for processing
    • in particular - for updates to privacy notices
  • Mark Q: would it be interesting to have additional values for the 'consent type' field? A: YES! 
    • Jim: maybe this should go to the Consent Management WG?
  • A lawyer at the Seattle event pointed out that it would be useful to capture the actual privacy notice that was agreed by the user.
    • OpenConsent has an alpha product that might suit the purpose
    • There is a systemic problem that needs to be addressed - and capturing the privacy notice won't actually help
    • If there is a strong need for a high value receipt, then it would be very useful to capture the actual notice text
    • So maybe the receipt could have optionality to allow for capture of the notice text.
  • WG needs to take some time to discuss the UX - schedule it
    • Tom has posted some examples that could be discussed
    • Mark - OpenBanking has posted UX guidance
  • Schedule specific multiple calls for this to discuss what the user should see, and how this translates into the 'receipt' concept
    • Should this WG do a spec or guidance on UX or UI?
    • Should this WG talk about what the 'receipt' means and / or represents?
    • (YES to both question)
  • Andrew: suggests first design call on Thursday October 18, 2019 and then every 4 weeks to be kind to the down-under-ers.


From 2018-09-27 call:

See the data flow sketch that Andrew circulated by email

This diagram shows ALL data flows, despite the legitimate basis for processing. The idea is that given this data flow diagram, what are the functions, nouns and verbs for each of the legitimate bases?

Q: How would enforcement work?

Q: What's the difference between 'observe' and 'surveil'? A: Depends on if the user is aware of it or not.

Also see from our archives:

https://kantarainitiative.org/iain-henderson-the-personal-data-eco-system/

The 'my data', 'our data', 'their data' view

Comment Brent: in a social network, what roles do the different actors take? eg if I share an image, what role does the website take, what role do the users who can view my image take? also, how do I represent those rules where I restrict access to my data based on roles or groups I assign to my connections? how do I represent that implicit consent using consent receipts without knowing explicitly who I am granting permission to?

Comment: This picture looks very corporate - must ensure that the individual's perspective is very clear

Comment: The 'interface' for the individual should not be the 'consent receipt' itself - but rather the interaction with the service.

JLINC perspective: Alice grants permission and organization seeks consent. Alice only sees permissions.

Comment: this discussion is oriented towards 'explicit' consent. But all interaction has some level of agreement.

Iain: the highest value work item is the lexicon work


0 min

Permissions v User Consent discussion

notes from From 2018-09-13 call

All

From 2018-09-27 call:


Proposal:

Permission = Authorization to act

Data Permissions = the functional actions that are allowed on information (database: Create, Read, Update, Delete; communications: Copy, Transmit, Store; data flow: Collect, Use, Disclose) or resources.

User Consent = Voluntary agreement by the person to take an action. GDPR includes 'unambiguous'

  • So, a system might be authorized to act on personal data with or without a user's agreement. A person may grant permission or authorize a system to act on personal data.

Questions:

  • Is an OAuth 'consent' / 'authorization' / 'permission' dialog box truly 'user consent'?
    • If it is not 'user consent' then why not?
    • So: the process of obtaining agreement from the user in the OAuth dialog box is "User Consent". What the user has agreed that you can do with their resources is "authorization" in the sense that they give you 'permission' to take actions.
  • How does this apply to Collection, Use and Disclosure of information? (these are the data flow words)
  • To tease out the usable definition of 'authorization': What is the difference between Authorization and Access Control? (data & systems-context)
    • Authorization is the granted right to proceed (a.k.a 'permission')
    • Access control is the functional actions that are allowed

Alternative proposal:

  • Permission is a general authorization to act. Authorization may be granted by actors that are not the data subject.
  • Consent is a specific agreement to act in a limited case.

Note:

  • Permission / authorization as a verb can be granted through an act of user consent.

Another proposal:

  • Should the terms should be Authorization and User consent
5 minAdding feature requests to next version of spec familyAll

AOB



Next meeting

2018-10-11 Same time same number