2017-05-26 Meeting Notes (CR Legal)
Date
May 26, 2017
Attendees
Approved at: 2019-12-12 Meeting notes (CR) DRAFT
Mark Lizar
Andrew Hughes
John Wunderlich
David Turner
Colin Wallis
Chris Cooper
Henrik Biering
Robert Lapes
Sal D'Agostino
Iain Henderson
Goals
Hi Everyone,
The GDPR does call out the requirement for open, commonly used standards (the CR is the only one in this space), and our ability to all contribute to this as open source will provide us with an opportunity to put v1.1 forward to regulators to review.
We have a lot of ambiguity to clear up in v1, and this call is intended to sort that out.
Here is a link to the notes for this session with a bit of an agenda.
Here is a link to the ICO consent guidance
Here is the link to the GDPR text (pdf)
The first draft of the mapping of the CR to GDPR is being developed separately and will be contributed into the CIS WG when it is more mature.
Agenda Plan
We are collecting a list of topics for consent legal.
GDPR provides an excellent use case for the Consent Receipt v1.
We are working on mapping the Consent Receipt to the GDPR as an exercise.
Mark L - contribute a starting point for mapping the CR to the GDPR (from Open Consent)
Jens C- has provided a review of the CR from a GDPR point of view
Ensure Article 15 is addressed in CR v1 and how CR can be used for data portability & order of operations to ensure subject rights are met
International use of the GDPR - guidance on how it might be interpreted in different places
Design how to provide guidance on applying the CR to different situations, and on 'technical overlays', 'profiles' or 'extensions'
Instructions for implementers
How to extend the CR to cover different sets of requirements - and then how to configure it for specific use cases
Perhaps this is General Model/Viewpoint and Specific Viewpoints
We aim to use these two activities to raise specific issues, identify gaps, etc.
Identified that joint data controllers (Joint DC) are missing (added to the mapping, highlighted in yellow)
Identified that in the specification 'recipients' is missing (needs to sit alongside 3rd party)
Review mapping
Discussion Items
Mark has started a comparison between the CR v1 fields and the GDPR Articles and Recitals
Looks like GDPR 'Joint Controller' and 'Recipients' don't appear in the CR v1
John: Although GDPR allows for Joint Controllers, the Receipt is issued by one of those controllers (not by both simultaneously)
IAPP is interested in linking over to CR and Generator - they would also like to see some simple use cases e.g. for multiple controllers
Note: Article 15 (Right of access by the data subject) - CR provides for all the items in Article 15 in a 'receipt' structure
A consent receipt reduces risk of non-compliance - it does not mean that an org is actually compliant
Development of the CR was started before GDPR was published - so CIS WG has to go back and update the references to ICO Guidance and GDPR text
Mark asks interested contributors to add their analysis to the sheet
Consent for children is missing from the CR
Any missing fields should be raised as issues in the github for CR
Jens raised some interesting issues, in particular, the non-normative Considerations
Take a look at Chapter V article 44 for international use case analysis
Note: Any work that arises from the 'CR Legal' work has to be introduced to the CIS WG v1.1 work plan through the use of github issues. This formality will allow the WG to prioritize and schedule the work.
John: It would be interesting to have someone do a similar analysis for how the FTC applies fines in the US...
Chris: Wants to see that this work confirms that the CR is actually fit for GDPR purpose in the market
Iain: Need to decide if v1.1 continues to be a 'Consent Receipt' or a more general 'data receipt'
If we had started the CR after GDPR was published, then we might not have called it a Consent Receipt, because the CR actually addresses all 6 of the lawful purposes defined in GDPR, e.g. 'contract' or 'legitimate interest'.
Note that the marketing industry is trying to declare that it has a 'legitimate interest'; 'legitimate interest' in the GDPR is oriented towards fraud detection and security.