GDPR AEORR (requirements + capabilities) Interactive Design Session

From IIW

GDPR AEORR (Access, Erasure, Objection, Restriction, Rectification)


Wednesday 5E

Convener: Doc Searls, Dazza Greenwood

Notes-taker(s): Scott Mace


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Elizabeth R.: GDPR and EPR directives were meant to govern privacy offline and online. Still some derivations by member state. But GDPR was to create uniformity. First draft of GDPR was 2011. Think about how significantly things have changed since then. GDPR in some ways is kind of obsolete. Technology that is so dated. But it is what it is. The E-Privacy Regulation is still in draft. Probably will become law in about 2 years. Super interesting. Even though offline and online difference is eroding, EPR governs machine to machine communications. EPR could in a couple of years have more impact. GDPR still requires some sort of human nexus. EPR for those of us who work with blockchain. GDPR focuses on personal data. EPR focuses on metadata. The drafts get leaked and circulated to some key stakeholders. By the time it goes public it’s been doctored and altered. All that is the landscape. Caution to think about the GDPR in that context. We identified data subject, data controller, data processor, 3 key parties. There is such disruptive tech already that challenges the fundamental model set up in GDPR, not only challenges but is inherently inconsistent. Data subject is problem number one. The classification of these roles is inherently flawed. Thinking about self-sovereign identity, how do we govern? I am the identity owner, the data controller, I craft my terms and conditions. That would be a truly self-sovereign identity. But if you think about how hard that would be to implement commercially, every business would have to intermediate all these terms and conditions for every individual. Concessions to be made to have a functional society. There is a tension there. SSI Big Tech initiative launched today. How do we architect that?


Doc: Context. On May 25, if Wendell’s right, all of a sudden if you’re in Europe, there’s a new front door to every Web site to require a new pile of consents for individuals. The self-sovereign minded, the individual will do something autonomous. For Oath and other companies in the traditional ad tech business, how do we keep it going. I have a feeling that in the same way that Y2K was like a small thing a big deal was made of, GDPR may be a big thing that little is made of.


Elizabeth: The establishment test is broad. The activities test is also extremely broad. The biggest difference is the reach is significantly broader. We’re overemphasizing consent. It’s really not true. It’s super watered-down. Another prong, the legitimate basis test. Some things will require expressed consent. Does this thing have any teeth? Most violations are 2% of annual gross revenue, per violation. Some are 4%. In reality, there’s no way the regulators in the EU are going to disrupt the global economy with their enforcement. It will be the obvious people, Facebook and Google, and smaller bad actors. We’re overemphasizing some things and underemphasizing others.


Paul Knowles: In Europe if you are negligent about GDPR they’ll come down on you. If you’re thinking about data protection, they will embrace that.


Elizabeth: Totally true.


Dazza: Access: Tech capabilities: Get/post, email, FTP.


Elizabeth: Design “patterns” (components): Workflow – request, identify and allow for authentication and authorization (i.e. OAuth2), delivery


Dazza: SSI?


Elizabeth: We’re moving away from triparty model. If you have SSI, you don’t need this, ultimately.


Dazza: Perhaps. In the SSI world being envisioned, we only control our identity and personal data and there will be things outside the boundary condition, like government agencies, who also have our personal data. Legal regimes give us access rights to it. And also an endpoint they can deliver it to.


Wendell: Why does logging into a WordPress site not totally solve this problem? Small publisher comment site. Use existing account.


Q: Account system.


Yogi: That’s just a simple case. CRM systems beyond simple WordPress sites. Like a clear button. A registry service.


Elizabeth: This is where the EPR comes into play. Some of these rights will be mediated through the machine to machine communications.


Bryan Pon: What is the overlap between GDPR and EPR?


Elizabeth: They’re meant to be complementary.


Doc: A practical question. My blog is a Harvard blog. If I hear Wendell right, it is incumbent on Harvard to put up that door saying you need to consent...because of GDPR. Do they need to do that, and what is it going to say on there? Most people reading it have never logged in and made a comment. Are they going to have to register to read it?


Elizabeth: No. Everything here is designed to be proportional to its use. Reasonable means.


Doc: They’re running between 4-6 trackers, Google Analytics, Quantcast etc.


Elizabeth: That’s EPR. Way beyond cookies. That will be regulated. A good example of how the two would work together. The GDPR would be the dominant regulation. The EPR would be there in the background.


Doc: What are these entities (Harvard, LJ) going to do? If you run a log file you’re going to have to put up a warning page?


Wendell: Generally. It is data about a person with their identity in these log files. Part of the analysis is, what are you logging, how long are you keeping it, what’s the purpose. Many other business processes you want to do often entail building more stuff. Given you can boil down what you need for a simple entertainment site, what would you have to build. The example we used was WordPress. Set of logins, tracking users and comments over time. You would have to provide these facilities to all the data subjects because we have their data.


Dazza: Postulate LJ and GDPR regulation. Stretch goal, say person can actually deploy a term on which consent is contingent: “Only show me ads that comply with Do Not Track.”


Wendell: All the login preferences, size preferences, package up in a tarball zip file.


Doc: That’s a different request. Is that a SAR?


Wendell: A subject access request.


Doc: The scenario I laid out, a reader says show me ads not based on tracking.


Wendell: Say you don’t have a paywall. You have to go by consent. A dialog, check box. Serving ads without tracking. Not allowing free form terms, exotic permissions.


Doc: You’re saying give me a cookie that says consent.


Wendell: They’ll record that choice.


Doc: A regime you worked out?


Wendell: Indeed. IAB, 6 bit-ish, Oath 9 bit-ish. You can revoke core consent, you may not have my data at all. These are obligations you have for holding data.


Yogi: My worry here is we are overemphasizing consent. If you have legitimate interest you are not obligated to these terms.


Doc: We’re looking at GDPR as a forcing function.


Elizabeth: You shouldn’t rely on consent. It’s extremely hard to implement and to prove.