(I don't think I can post to the ProjectVRM list, but I'm about to find out.) Very interesting thread. A few thoughts:


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Wed, Apr 5, 2017 at 3:39 PM, Adrian Gropper <agropper@healthurl.com> wrote:
Thanks, Tim for the GDPR review. The comments on portability are particularly relevant to UMA. There are many ways to interpret portability:

(a) give me the data and then close access or delete it
(b) put the data under my control and allow me to decide what 3rd party can access it
(c) put the data under my control and allow me and my agent to decide what 3rd party can access it
(d) give out the data under a standard format, protocol, and authorization process
(e) give out the data in whatever format you want and with your special or proprietary authorization process

When we talk about terms and receipts it's important to make clear if and how a data holder interprets portability. Does GDPR differentiate between (a) - (e)? Is there anything other than UMA that can do (c)?

Adrian




On Wed, Apr 5, 2017 at 9:55 AM, Tim Walters <walterswdf2@gmail.com> wrote:
For what it's worth, I just noticed that the WP 217 opinion does include this specific enthusiastic reference to PIM-type platforms ("midata"). (This is pp. 47-48.)

Data portability, 'midata' and related issues
Among the additional safeguards which might help tip the balance, special attention should be given to data portability and related measures, which may be increasingly relevant in an on-line environment. The Working Party recalls its Opinion on Purpose Limitation where it has emphasised that 'in many situations, safeguards such as allowing data subjects/customers to have direct access to their data in a portable, user-friendly and machine-readable format may help empower them, and redress the economic imbalance between large corporations on the one hand and data subjects/consumers on the other. It would also let individuals 'share the wealth' created by big data and incentivise developers to offer additional features and applications to their users.[109]

The availability of workable mechanisms for the data subjects to access, modify, delete, transfer, or otherwise further process (or let third parties further process) their own data will empower data subjects and let them benefit more from digital services. In addition, it can foster a more competitive market environment, by allowing customers more easily to switch providers (e.g. in the context of online banking or in case of energy suppliers in a smart grid environment). Finally, it can also contribute to the development of additional value-added services by third parties who may be able to access the customers' data at the request and based on the consent of the customers. In this perspective, data portability is therefore not only good for data protection, but also for competition and consumer protection.[110]

Notes:
108 See Annex II (on Big Data and Open Data) of the Opinion (cited in footnote 9 above), page 45.
109 'See initiatives such as 'midata' in the UK, which are based on the key principle that data should be released back to consumers. Midata is a voluntary programme, which over time should give consumers increasing access to their personal data in a portable, electronic format. The key idea is that consumers should also benefit from big data by having access to their own information to enable them to make better choices. See also 'Green button' initiatives that allow consumers to access their own energy usage information.' For more information on initiatives in the UK and in France see http://www.midatalab.org.uk/ and http://mesinfos.fing.org/.
110 On the right to data portability, see Article 18 of the Proposed Regulation.

On Tue, Apr 4, 2017 at 3:40 PM, Tim Walters <walterswdf2@gmail.com> wrote:
Just to wrap up (maybe).

One, Marcin is quite right that the Article 29 WP's April 2014 opinion (WP 217) provides rather detailed guidance on how legitimate interest may and may not be used. Interestingly, at the recent CIPL event I attended in Madrid, the industry representatives studiously ignored WP 217 and instead repeatedly referred to WP 199, a 2012 opinion that considers how input should (have) be(en) provided for the "data protection reform discussions" i.e., the nascent GDPR. I was relieved to see that when the DPAs and EU officials joined the discussion, they did not hesitate to cite from WP 217.

Second, Iain said:
"And yes, there will be many in the ad tech space that try to utilise ‘legitimate interest’ as an excuse to carry on business as usual. But there are also at least a couple already that regard their platform as illegal come 25th May 18, and taking steps accordingly. Interesting times ahead in adtech."

Could I get more information about these adtech players and what steps they are taking in light of the perceived illegality of their tools?

Cheers,
tw

On Mon, Apr 3, 2017 at 9:29 AM, Doc Searls <dsearls@cyber.law.harvard.edu> wrote:
First, big hats-off to this list and this thread. There are many good and helpful answers to the original question, and to additional questions as well.

Second, it is essential to make clear where Customer Commons stands and comes from, which is the individual customer. (And, since all individuals other perhaps than babies are also customers, we’re talking about all individuals here: the 100%.)

Third, we are working on terms individuals assert as sovereign and independent actors in the marketplace: in legal terms, as first parties. We should each be able to proffer terms as first parties in our dealings with the second parties of the world: namely, everybody else. We are starting with two of those.

Fourth, my questions about the GDPR are primarily about what kind of ease the GDPR provides for individuals proffering terms as first parties, and how (or to what degree) individuals proffering terms addresses both the letter and spirit of the GDPR.

Fifth, while it will be helpful for Customer Commons to specify how it treats terms individuals respond to as second parties, it would be best for other entities (e.g. CISWG/Consent Receipts, UMA/Authorization Server, PDEC, Hyperledger, Sovrin Foundation, Indie Web...). Fortunately, others are working on those things, and Customer Commons can coordinate with them. (It helps that some of us are active in more than one of those efforts.)

Sixth, we need to be very careful about framing all possible choices, actions and outcomes inside standing administrative systems, which are built to understand the individual entirely as a second party. This is why ProjectVRM, Customer Commons and allied efforts are pioneering work. We have been defaulted as second parties for so long, and in so many different ways that it is very very hard to think and work outside that old incumbent industrial age box. But we need to. (I should note that the GDPR does not appear to comprehend the individual as a first party. But maybe I’m missing it. What it does do, clearly, is recognize the individual as a sovereign entity with a bundle of rights that need to be protected by law. This is a Good Thing that I believe gives us some of the ease we need.)

Seventh, at some point, and in some way (or ways), we need to grow Customer Commons, beyond its current few members. Once we do that, we can do a much better job of integrating with allied developers and development efforts. Help with that is also welcome.

Cheers,

Doc

On Apr 3, 2017, at 7:22 AM, Adrian Gropper <agropper@healthurl.com> wrote:

Doc's original post is about Terms in Customer Commons. My comment about GDPR and UMA is related to how Customer Commons decides to treat a term for Transparency and a term for Consumer-Directed Sharing of data.

As a starting point, I propose that we link some Customer Commons Terms directly to GDPR as follows:

A Transparency Term tells the customer how and where they will be notified when their data is used. Apple, for example, notifies me every time some of my data is modified (sign-in from a new machine, a charge of $0.99 for a song) by sending an email to an address that I specify. This Transparency Term is a cousin to consent receipts but, last time I looked, the consent receipt did not actually address _contemporaneous_ transparency of data use or the means by which a customer specifies where the consent receipts are to be sent. This may have been fixed in later versions - if so, my apologies in advance.

A Customer-Directed Sharing Term tells the customer how they will be able to direct a data controller to share data with a requesting party. Tim Walters starts to point out where this intersects with GDPR in his comment 10 hours ago. This is also where UMA comes in. I hope that UMA can directly address this GDPR issue and that Customer Commons will figure out how to make it clear to customers if they have a right to authorize sharing using UMA or any other standard automated agent that does that.

As far as advertising is concerned, data uses need to be at least transparent and hopefully specifically authorized by my authorization server _every time_. If I then decide that I only want aggregate notifications once a quarter from the data controllers, then that should be my choice. I don't think advertising is fundamentally different from any other data uses in GDPR or anywhere else. If my data is used to target an ad for diapers, I expect Google to notify me that my data was shared with a named broker that presented a Depends ad to me and I expect Google to give me an opportunity to introduce an (UMA) Authorization Server to be consulted every time they decide to share my data with any other business unit in Alphabet or with an outside party.

Adrian



On Sun, Apr 2, 2017 at 8:28 PM, Iain Henderson <iainhenderson@mac.com> wrote:
The post below is how I see some practical implications of GDPR


That post was on the back of the recent ICO (UK) consent guidance. I was surprised to see it so directly set out that most current consents held will not meet the necessary standard, so re-permissioning will be required at mass scale.

We should not be thinking in black and white terms, there will be a range of organisational responses, with only a small proportion taking the high ground. I suspect that will pay off nicely for them.

And yes, there will be many in the ad tech space that try to utilise ‘legitimate interest’ as an excuse to carry on business as usual. But there are also at least a couple already that regard their platform as illegal come 25th May 18, and taking steps accordingly. Interesting times ahead in adtech.

As a community, my suggestion is that we get behind the concept of the personal data receipt, aka consent receipt. I think if that story is told well, the individual can inherently get that idea - ‘i give you my data, you give me a receipt’. They don’t have to buy into that they can then use that receipt, merely having one would get the ball rolling.

Thoughts on personal data receipts as something to get behind?

Cheers

Iain




On 2 Apr 2017, at 19:37, Marcin Betkier <Marcin.Betkier@vuw.ac.nz> wrote:

Dear All,
 
Just a couple of comments from (yet another) technology lawyer.
 
The question about the relation between VRM and GDPR is an excellent one. I just wanted to draw your attention to Article 29 Working Party’s opinions: about data portability (end of last year, linked below by Manon), and about “legitimate interest” grounds (April (?) 2014). They both shed some light on the possible scope and limitations of the data portability right.

As per the relation in question, I think that VRM (as I understand it) is simply a more advanced concept than GDPR. GDPR is limited by thinking based on OECD principles and, even deeper into the past, on FIPs from 1973. So, instead of individual/customer right to independence (informational self-determination, or autonomy, if you prefer) you have a number of procedural provisions which, taken together, may not really do the job. As a result, we need to look for VRM ideas in institutions like revocable consent, right to object, data portability, or maybe privacy by design & default.
 
 
Best regards,
 
Marcin
 
From: Iain Henderson [mailto:iainhenderson@mac.com] 
Sent: Monday, 3 April 2017 8:27 a.m.
To: Tim Walters <walterswdf2@gmail.com>
Cc: Manon Molins <mmolins@fing.org>; ProjectVRM list <projectvrm@eon.law.harvard.edu>
Subject: Re: [projectvrm] GDPR and individuals as first parties
 
Hi Doc, I think what we discussed before was having the individual point to GDPR as at least one of the terms they propose. In addition we'd need to create a formal Guidance doc that sets out the Customer Commons interpretation of each of the key areas. So, as mentioned below, 'industry' will wish to use their own interpretations; for example marketers (e.g. through IAB 'guidance') might (i.e. are already) argue that digital advertising is permitted as a legitimate interest of the recipient. That's pretty dubious in most cases, but that's what's being argued, and without a strong counter point could win. The Customer Commons Guidance would be much more overtly on the side of the customer. So what the individual would be pointing to in their terms offer would be 'GDPR, subject to Customer Commons interpretation'.
 
Lots of detail to build in there, but I think the approach is solid.
 
Iain


On 2 Apr 2017, at 16:06, Tim Walters <walterswdf2@gmail.com> wrote:

Manon - 

Thanks for the information. I'm very interested in attending Mydata and will seriously consider submitting a proposal.

Concerning data portability: Zbynek is right that this is the most direct connection to VRM in the GDPR. However, it is important to be aware of the conditions or restrictions. Article 20 states: 

"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where [and I stress, only where]:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means."

The provisions listed in (a) refer to consent provided by the data subject (Article 6(1) and Article 9(2)) or data required for the performance of a contract (Article 6(1)(b).) 

Consent and performance of a contract are two of the six legal grounds for data collection and processing. Of the remaining four, the most interesting/troubling is "legitimate interest." I won't go into the many details here -- in fact this could be the subject of a presentation at Mydata -- but suffice to say that businesses have multiple incentives to use the legitimate interest ground (thus excluding data from the portability requirements) and for the purview of that ground to be as broad as possible (thus legitimizing wide(r) spread data collection).

I recently witnessed industry representatives and EU data protection authorities (DPAs) playing handball with legitimate interest in a joint meeting. I was pleased to see that the DPAs resisted all efforts to make legitimate interests a "get out of jail free card" for intrusive marketing. But continued vigilance will certainly be necessary.

Cheers, 
tw

 

 
On Sun, Apr 2, 2017 at 11:58 AM, Manon Molins <mmolins@fing.org> wrote:
Hello, 
 
+1 Zbynek, the data portability right is indeed the VRM core of the GDPR.
 
"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided"
 
Maybe you have already seen the G29’s Guidelines on the right to data portability
  • The Midata project in United Kingdom + the MesInfos project (Fing) in France are listed examples of those guidelines on how this portability right can foster innovation in Europe.
  • Individuals will be able to transmit their data from a controller to another (this other controller can be another competing organisation or a third-party service, a Pims - as Zbynek said : « VRM tools (private clouds, personal assistants, etc.) »)
  • Data concerned by this right is the one provided by the individual - see p7 - and this term covers so much more than just address, name, etc. It’s the data resulting in the relationship between the individual and the data controller/organisation. Ex: consumption data from smart meters, from loyalty programs, from IoT, browsing history, geolocation, list of calls (telco), bank data, etc.

Companies will need to be GDPR compliant by May 2018, they are positioning themselves as we speak to see how (creating API, download functionalities, etc.).
 
You may know this too, but just a reminder: the main European event on the subject (on VRM, My Data, Self Data, Pims economy, etc. - so many names to speak of individual empowerment through data!) is called Mydata2017 - Advancing Human Centric Personal Data (end of August/beginning of September in Helsinki and Tallinn). 
  • It will have a specific track on GDPR. At Mydata2016 (in which Doc spoke) we had a presentation of the GDPR by Edouard Geffray the General Secretary of the National Commission for Information Technology and Civil Liberties (CNIL). Now that it is « out » we will be able to go even deeper. 
  • It’s a collaborative event, in which anyone can contribute to the program, and we need your input for our 12 tracks :) 
  • We can contribute through the call for proposals (if you think of a speaker, a session, a use case, …), it is open till mid-April!
  • If you want to come, the registration opens up mid-April: http://mydata2017.org/registration/
 
 
Best to all, 
 
Manon on behalf of the MesInfos project team
————————————————————————————————
FING - association pour la Fondation Internet Nouvelle Génération 
Manon Molins -  mmolins@fing.org - 06 85 86 47 05
http://www.fing.org  /  http://www.internetactu.net
Support Fing's work and activities, become a member!

On 2 Apr 2017, at 10:34, zbynek@loebl.info wrote:
 
Dear Doc and others,

I rarely contribute to your discussion. I am a technology lawyer from Czechia and in this capacity I deal with GDPR in detail. I agree with Tim that GDPR has a VRM core. In addition to what Tim mentions in his email I would add data portability (Art. 20). This Article contains a totally new right of data subjects to request transfer of their data provided to the data controller based on consent or contract in a standard format.

Data subjects can transfer their data to a new data controller or control them themselves using - VRM tools (private clouds, personal assistants etc.). This is a direct link to what you are preparing - via such VRM tools data subjects can negotiate contract terms with service providers, they can provide them with necessary authenticity checks regarding data subjects or their children etc.

Best personal wishes,

Zbynek

On 2017-04-01 23:47, Tim Walters wrote:

I'm not sure if this is useful, but:
Article 5 spells out the fundamental principles of personal data
collection/processing. These are (more detail upon request):
* lawfulness, fairness, and transparency
* purpose limitation [i.e., the controller must state precisely what
the collected data will be used for, and use it only for the purpose]
* data minimization [i.e., use only what is necessary for the stated
purpose]
* accuracy [i.e., controller has an obligation to ensure that data is
accurate and up to date]
* storage limitation [i.e., kept no longer than necessary for the
stated purpose]
* integrity and confidentiality [i.e., data is secure]
This is followed by a "behavioral" requirement for "accountability" --
i.e., not only must you follow all of these principles, you must be
able to demonstrate and document that you do so.
However -- I think these stated principles are based in and in certain
ways trumped by a more fundamental conviction: namely, that personal
data always only belongs to the person it identifies.
Recital 7 states: "Natural persons should have control of their own
personal data." And it ties this directly to "the importance of
creating trust that will allow the digital economy to develop across
the internal [EU] market."
I recently attended an event in which Telefonica presented their
"Aura" personal data management platform. It clearly does not adhere
to each of the six core principles, but it does express the notion
that people should control their own data. I asked two EU data
protection authorities what they thought of it. Naturally, they would
not give a definitive judgement. But they did both say that they like
the innovative approach to putting people in charge of their data,
even if it did not accord with every one of the principles.
Cheers,
tw
On Sat, Apr 1, 2017 at 8:27 PM, Adrian Gropper
<agropper@healthurl.com> wrote:

Isn't it important to be able to signal that the entity seeking
consent must register with and contact a standard authorization
server?
This particular term ought to be a profile of UMA labeled and
documented for GDPR.
Adrian
On Sat, Apr 1, 2017 at 10:26 AM Mike O'Neill
<michael.oneill@baycloud.com> wrote:

Hi Doc,
The GDPR does not have much in terms of signalling from the user
(aka the Data Subject), other than the ability to give or revoke
consent, and the right to object.
Article 4.11 defines consent, Article 6.1(a) says it is one of the
legal bases for processing, Recital 32 further describes it, plus
other Recitals refer to it.
Article 21 deals with the right to object, especially A21.5 which
says it can be expressed by "automated means". This applies when
another basis for processing (other than consent) is claimed.
In terms of information required to be given by companies i.e.
website (the Data Controller), this is spread throughout but
Article 13 covers most of it.
The other place which deals with user signalling, i.e. consent,
ability to revoke at any time etc. is the proposed ePrivacy
Regulation which is supposed to come into force at the same time
as the GDPR, though it is still being debated. Here is a link to
the proposal:
[1]
Mike

-----Original Message-----
From: Doc Searls [mailto:doc@searls.com]
Sent: 01 April 2017 14:34
To: ProjectVRM list <projectvrm@eon.law.harvard.edu>
Subject: [projectvrm] GDPR and individuals as first parties
Customer Commons and its partners are working on terms individuals proffer as first parties in dealings with sites and services acting as second parties can satisfy both the letter and the spirit of the GDPR—or at least some of its requirements.
Since there are people on this list who know the GDPR better than I, it would be good if we could get pointed to the parts of the GDPR that justify this claim. I believe somebody here (Iain?) has done this before, but I can’t find anything right now, so help would be welcome.
Thanks!
Documents:
The GDPR in English HTML—
<http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN>
The Wikipedia page on the GDPR—
Doc
--
Adrian Gropper MD
PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/





_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma