From 2c42f2a903141f993b9de52bebb4d8ed2d61ab12 Mon Sep 17 00:00:00 2001 From: Harshvardhan Pandit Date: Sat, 24 Aug 2024 18:05:11 +0100 Subject: [PATCH] minutes for 20 AUG 2024 --- .../data/meeting-2024-08-20.irc | 63 ++++++++ meetings/index.html | 1 + meetings/meeting-2024-08-20.html | 146 ++++++++++++++++++ 3 files changed, 210 insertions(+) create mode 100644 code/minutes-generator/data/meeting-2024-08-20.irc create mode 100644 meetings/meeting-2024-08-20.html diff --git a/code/minutes-generator/data/meeting-2024-08-20.irc b/code/minutes-generator/data/meeting-2024-08-20.irc new file mode 100644 index 000000000..f6637bc79 --- /dev/null +++ b/code/minutes-generator/data/meeting-2024-08-20.irc @@ -0,0 +1,63 @@ +14:54:20 RRSAgent has joined #dpvcg +20:09:03 Scribe: harshPandit +20:09:23 ScribeNick: harsh +14:55:03 repo: w3c/dpv +14:55:13 Meeting: DPVCG Meeting Call +14:55:18 Present: harshPandit, tyttiRintamaki, paulRyan, georgKrog, danielDoherty, delaramGolpayegani +14:55:18 Regrets: julianFlake +14:55:22 Date: 20 AUG 2024 +14:55:26 Agenda: https://www.w3.org/events/meetings/0e21485e-d959-4f78-930a-bd66650adace/20240820T133000/ +14:55:31 Meeting minutes: https://w3id.org/dpv/meetings +14:55:35 purl for this meeting: https://w3id.org/dpv/meetings/meeting-2024-08-20 +14:55:18 Topic: Intro +14:55:18 danielDoherty: Doing masters at Trinity College Dublin, working with Delaram and using AIRO to represent Bias and have a proposal to integrate them in to DPV +14:55:18 Topic: Legal Basis +20:10:04 https://github.com/w3c/dpv/issues/111 -> Issue 111 Model information about legal bases (by coolharsh55) +14:55:18 Subtopic: Fields +14:55:18 harshPandit: (recap of legal basis concepts discussed in previous meeting) We have consent type concepts and statuses, we need something similar for other legal basis. Discussed concepts for contract, legitimate interest, legal obligation, official authority, public and vital interest. +14:55:18 georgKrog: (responding the legitimate interest statuses associated with declared/uncdeclared and objected) According to CNIL, Legitimate Interest must be declared at point of processing and not in privacy policy which is separate and hidden. This means Legitimate interest must be declared to the data subject. +14:55:18 harshPandit: Along with expanding DPV fields, I have also gone through mapping these fields to the ISO 27560 consent record fields so that the same record can be used for recording other legal bases +14:55:18 georgKrog: legal basis fields are needed, propose to go through specific GDPR agreements e.g. Controller-Processor agreement and then we look at other contracts later on. +14:55:18 Subtopic: Agreements as Legal Basis +14:55:18 harshPandit: Agreements like Controller-Processor are not defined as legal measure, we have modelled it as org-measure +14:55:18 georgKrog: should be modelled as legal basis as it is used as such e.g. by processor +14:55:18 paulRyan: we don't use them as a legal basis for Processors in ROPA +14:55:18 harshPandit: so if we model these as legal basis, then all legal agreement becomes legal basis? +14:55:18 paulPandit: yes, if they are used as such (Georg agrees) +14:55:18 harshPandit: Okay, understood. So the controller-processor agreement is used as a legal basis by the processor to process data. And we want to model this. We have to view these as separate from GDPR A6 legal basis as we have broadened the scope to any data or technology, so the legal basis will also have to reflect these e.g. software license to use tech. We can separate out legal basis for processing personal data, from agreements between entities, and legal basis to use technologies +14:55:18 harshPandit: are there similar agreements in AI Act? e.g. provider to deployer? That we should model as legal basis? +14:55:18 delaramGolpayegani: the AI Act doesn't explicitly specify legal basis but has obligations between the actors +14:55:18 harshPandit: okay, so for the AI Act, I expect the market to evolve contracts and licenses etc. to use AI and other technologies. This means they would also need to be treated as legal basis. +14:55:18 harshPandit: So the question for our existing concepts is whether to combine GDPR A6 legal basis with Data Processing Agreements or keep them separate? +14:55:18 \ discussion agreed that having a separate list of GDPR A6 aligned legal basis would be beneficial to distinguish between processing personal data and other types of legal basis +14:55:18 \ discussion on contract concepts proposed - okay to continue with these +14:55:18 \ discussion on contract statuses - georg suggested different termination types which are TBD later +14:55:18 Topic: Risk Taxonomy +20:10:04 https://github.com/w3c/dpv/issues/181 -> Issue 181 Refine RISK taxonomy into a single consistent hierarchy (by coolharsh55) +14:55:18 Subtopic: Structure +14:55:18 harshPandit: (describing the new structure from last meeting where there is a singular risk taxonomy) After conversation with Rob Brennan who helped with the risk taxonomy modelling, the new taxonomy structure now has the CIA infosec triad as it is familiar to security professionals. The other groups of impact such as societal etc. are still present. +14:55:18 delaramGolpayegani: the distinction between societal and individual is not clear - there seem to be overlapping in concepts e.g. privacy? +14:55:18 harshPandit: could be, though the intent is to separate issues that affect society at large or affect only a particular individual +14:55:18 \ group to discuss risk taxonomy further to refine it +14:55:18 Subtopic: Move Fee to DPV +14:55:18 harshPandit: the concept `Fee` in the risk/impact taxonomy seems out of place as no one would model _fee_ as an impact or state that it is the consequence or risk of something. Propose this be moved to main DPV spec, and a relation be provided `hasFee` to associate the fee. This will allow it to be used e.g. with services or rights exercises to indicate the payment of a fee +14:55:18 delaramGolpayegani: how would payments for other matters be indicated? +14:55:18 harshPandit: there are concepts such as `Renumeration` and `Compensation` in the risk taxonomy that would be appropriate for such payments +14:55:18 \ discussed and agreed to move Fee +14:55:18 Subtopic: Rights Impact +20:10:04 https://github.com/w3c/dpv/issues/184 -> Issue 184 Add Rights Impact concepts for each Right (by coolharsh55) +14:55:18 delaramGolpayegani: from AI Act perspective, it would be helpful to have rights and health and safety risk +14:55:18 harshPandit: yes, though for specific rights, we will create specific concepts in the context of the right. So for EU fundamental rights, this will be in the EU Rights extension - where for each concept we create an `ImpactOn...` concept associated with that right. +14:55:18 harshPandit: rather than directly stating something is a violation of a right, we use the generic impact concept, and then provide additional specific concepts - such as preventing exercise of a right, and then at the extreme end state a right violation as a concept. So there is clarity and appropriate concepts needed to accurately represent what has taken place - as whether something is a rights violation can be complex legal investigation. +14:55:18 \ okay to continue for now with the current concepts, and to discuss later about how to model these +14:55:18 Topic: DPIA concepts +20:10:04 https://github.com/w3c/dpv/issues/183 -> Issue 183 Represent activities where DPIA is required in EU-GDPR (by coolharsh55) +14:55:18 tyttiRintamaki: working on identifying new concepts to be added to DPV based on processes that require a DPIA, will share with the group. To be discussed soon - next week likely. +14:55:18 Topic: AI Bias proposal +20:10:04 https://github.com/w3c/dpv/issues/182 -> Issue 182 Adding AI bias concepts (by DelaramGlp) +14:55:18 danielDoherty: bias taxonomy extracted from ISO 24027, there are bias concepts and fairness metrics. Also used AI Ontology (AIO) based on NIST which have types of biases such as computational and data bias. For MSc work these are applied in a risk management context, and how they map to fundamental rights violations or harms to fundamental rights. +14:55:18 harshPandit: this is a good detailed proposal, thank you for that. The ISO concepts can be added as it as they are based in authoritative source - though the terms may be renamed to fit the DPV naming style. +14:55:18 harshPandit: Do we also add discrimination concepts as counterparts to bias? E.g. there are specific types of bias which are 'risk sources'. The effect of this bias would be discrimination based on the topic of the bias e.g. `GenderBias` would lead to `GenderDiscrimination`. +14:55:18 \ yes this makes sense and should be added by delaram & georg +14:55:18 Topic: Next Meeting +16:03:29 \ next meeting will be in 1 week on TUESDAY 27 August at 13:30 WEST / 14:40 CEST. Agenda will be continuation of today's topics with any updates on github/mailing list and AOB. diff --git a/meetings/index.html b/meetings/index.html index 5dcc97594..44feaec7b 100644 --- a/meetings/index.html +++ b/meetings/index.html @@ -14,6 +14,7 @@

DPVCG Meeting Minutes

purl: https://w3id.org/dpv/meetings

See W3C DPVCG Calendar for upcoming meetings, agenda, and joining instructions.

    +
  1. DPVCG Meeting 20 August 2024 Tuesday
  2. DPVCG Meeting 13 August 2024 Tuesday
  3. DPVCG Meeting 06 August 2024 Tuesday
  4. DPVCG Meeting 30 July 2024 Tuesday
    5. diff --git a/meetings/meeting-2024-08-20.html b/meetings/meeting-2024-08-20.html new file mode 100644 index 000000000..addb4156e --- /dev/null +++ b/meetings/meeting-2024-08-20.html @@ -0,0 +1,146 @@ + + + + +DPVCG Meeting Call – 20 AUG 2024 + + + + + + + + + + +
    +

    W3C

    + +

    DPVCG Meeting Call

    +

    20 AUG 2024

    + + +
    + +
    +
    +

    Attendees

    +
    +
    Present
    danielDoherty, delaramGolpayegani, georgKrog, harshPandit, paulRyan, tyttiRintamaki
    +
    Regrets
    julianFlake
    +
    Chair
    -
    +
    Scribe
    harsh, harshPandit
    +
    +
    + + +
    + +
    +

    Meeting minutes

    +

    Repository: w3c/dpv

    +

    Meeting minutes: https://w3id.org/dpv/meetings

    +

    purl for this meeting: https://w3id.org/dpv/meetings/meeting-2024-08-20

    +
    + +
    +

    Intro

    +

    danielDoherty: Doing masters at Trinity College Dublin, working with Delaram and using AIRO to represent Bias and have a proposal to integrate them in to DPV

    +
    + +
    +

    Legal Basis

    +

    <ghurlbot> Issue 111 Model information about legal bases (by coolharsh55)

    +

    Fields

    +

    harshPandit: (recap of legal basis concepts discussed in previous meeting) We have consent type concepts and statuses, we need something similar for other legal basis. Discussed concepts for contract, legitimate interest, legal obligation, official authority, public and vital interest.

    +

    georgKrog: (responding the legitimate interest statuses associated with declared/uncdeclared and objected) According to CNIL, Legitimate Interest must be declared at point of processing and not in privacy policy which is separate and hidden. This means Legitimate interest must be declared to the data subject.

    +

    harshPandit: Along with expanding DPV fields, I have also gone through mapping these fields to the ISO 27560 consent record fields so that the same record can be used for recording other legal bases

    +

    georgKrog: legal basis fields are needed, propose to go through specific GDPR agreements e.g. Controller-Processor agreement and then we look at other contracts later on.

    +

    Agreements as Legal Basis

    +

    harshPandit: Agreements like Controller-Processor are not defined as legal measure, we have modelled it as org-measure

    +

    georgKrog: should be modelled as legal basis as it is used as such e.g. by processor

    +

    paulRyan: we don't use them as a legal basis for Processors in ROPA

    +

    harshPandit: so if we model these as legal basis, then all legal agreement becomes legal basis?

    +

    paulPandit: yes, if they are used as such (Georg agrees)

    +

    harshPandit: Okay, understood. So the controller-processor agreement is used as a legal basis by the processor to process data. And we want to model this. We have to view these as separate from GDPR A6 legal basis as we have broadened the scope to any data or technology, so the legal basis will also have to reflect these e.g. software license to use tech. We can separate out legal basis for processing personal data, from agreements between entities, and legal basis to use technologies

    +

    harshPandit: are there similar agreements in AI Act? e.g. provider to deployer? That we should model as legal basis?

    +

    delaramGolpayegani: the AI Act doesn't explicitly specify legal basis but has obligations between the actors

    +

    harshPandit: okay, so for the AI Act, I expect the market to evolve contracts and licenses etc. to use AI and other technologies. This means they would also need to be treated as legal basis.

    +

    harshPandit: So the question for our existing concepts is whether to combine GDPR A6 legal basis with Data Processing Agreements or keep them separate?

    +

    discussion agreed that having a separate list of GDPR A6 aligned legal basis would be beneficial to distinguish between processing personal data and other types of legal basis

    +

    discussion on contract concepts proposed - okay to continue with these

    +

    discussion on contract statuses - georg suggested different termination types which are TBD later

    +
    + +
    +

    Risk Taxonomy

    +

    <ghurlbot> Issue 181 Refine RISK taxonomy into a single consistent hierarchy (by coolharsh55)

    +

    Structure

    +

    harshPandit: (describing the new structure from last meeting where there is a singular risk taxonomy) After conversation with Rob Brennan who helped with the risk taxonomy modelling, the new taxonomy structure now has the CIA infosec triad as it is familiar to security professionals. The other groups of impact such as societal etc. are still present.

    +

    delaramGolpayegani: the distinction between societal and individual is not clear - there seem to be overlapping in concepts e.g. privacy?

    +

    harshPandit: could be, though the intent is to separate issues that affect society at large or affect only a particular individual

    +

    group to discuss risk taxonomy further to refine it

    +

    Move Fee to DPV

    +

    harshPandit: the concept Fee in the risk/impact taxonomy seems out of place as no one would model fee as an impact or state that it is the consequence or risk of something. Propose this be moved to main DPV spec, and a relation be provided hasFee to associate the fee. This will allow it to be used e.g. with services or rights exercises to indicate the payment of a fee

    +

    delaramGolpayegani: how would payments for other matters be indicated?

    +

    harshPandit: there are concepts such as Renumeration and Compensation in the risk taxonomy that would be appropriate for such payments

    +

    discussed and agreed to move Fee

    +

    Rights Impact

    +

    <ghurlbot> Issue 184 Add Rights Impact concepts for each Right (by coolharsh55)

    +

    delaramGolpayegani: from AI Act perspective, it would be helpful to have rights and health and safety risk

    +

    harshPandit: yes, though for specific rights, we will create specific concepts in the context of the right. So for EU fundamental rights, this will be in the EU Rights extension - where for each concept we create an ImpactOn... concept associated with that right.

    +

    harshPandit: rather than directly stating something is a violation of a right, we use the generic impact concept, and then provide additional specific concepts - such as preventing exercise of a right, and then at the extreme end state a right violation as a concept. So there is clarity and appropriate concepts needed to accurately represent what has taken place - as whether something is a rights violation can be complex legal investigation.

    +

    okay to continue for now with the current concepts, and to discuss later about how to model these

    +
    + +
    +

    DPIA concepts

    +

    <ghurlbot> Issue 183 Represent activities where DPIA is required in EU-GDPR (by coolharsh55)

    +

    tyttiRintamaki: working on identifying new concepts to be added to DPV based on processes that require a DPIA, will share with the group. To be discussed soon - next week likely.

    +
    + +
    +

    AI Bias proposal

    +

    <ghurlbot> Issue 182 Adding AI bias concepts (by DelaramGlp)

    +

    danielDoherty: bias taxonomy extracted from ISO 24027, there are bias concepts and fairness metrics. Also used AI Ontology (AIO) based on NIST which have types of biases such as computational and data bias. For MSc work these are applied in a risk management context, and how they map to fundamental rights violations or harms to fundamental rights.

    +

    harshPandit: this is a good detailed proposal, thank you for that. The ISO concepts can be added as it as they are based in authoritative source - though the terms may be renamed to fit the DPV naming style.

    +

    harshPandit: Do we also add discrimination concepts as counterparts to bias? E.g. there are specific types of bias which are 'risk sources'. The effect of this bias would be discrimination based on the topic of the bias e.g. GenderBias would lead to GenderDiscrimination.

    +

    yes this makes sense and should be added by delaram & georg

    +
    + +
    +

    Next Meeting

    +

    next meeting will be in 1 week on TUESDAY 27 August at 13:30 WEST / 14:40 CEST. Agenda will be continuation of today's topics with any updates on github/mailing list and AOB.

    +
    +
    + + +
    Minutes manually created (not a transcript), formatted by scribe.perl version 217 (Fri Apr 7 17:23:01 2023 UTC).
    + + +