Data-Protection-Control / ADPC

Advanced Data Protection Control (ADPC) is a mechanism to communicate data subjects' (users') consent and privacy decisions with data controllers (service providers).
http://dataprotectioncontrol.org
Mozilla Public License 2.0

Utilise controlled, limited, or open-ended vocabulary to specify preferences #1

Open coolharsh55 opened 3 years ago

coolharsh55 commented 3 years ago

Currently, the ADPC suggests the fields and notations for specifying permissions and prohibitions. It doesn't provide guidance on what the terms within those rules or policies or signals should be, which need to be commonly understood by all parties and be interoperable. My suggestion is to use something akin to (or as is) the Data Privacy Vocabulary either as the interoperable semantic vocabulary or as restricted vocabulary (concept must exist in DPV or be declared as derived from a DPV concept): http://w3.org/ns/dpv

gb-noyb commented 3 years ago

Interesting, thanks still for the pointer! I finally got around to taking a better look into the Data Privacy Vocabulary now. I see the appeal of making the exchanged information much more standardised and machine-readable, rather than our consent request being just a text field with only human-readable content. Making such content structured and machine-readable can, however, as you probably know well, be quite a complex endeavour, especially when trying not to limit what can be expressed to a small subset of what one can do in natural language.

For the current specification, we tried to keep things simple and not go down the rabbit hole of machine-readable policies (where P3P is perhaps the best known prior art), but I can imagine that it will be possible (for us or others) to create extensions that add some machine-readability. Even if it may never be able to replace the human-readable text field, it could augment it with basic information. For example, I suppose a consent request under GDPR could list the legal bases of the processing using the DPV-GDPR. Just thinking aloud here; you and others will likely have further ideas in mind already.