Add Right Non-fulfilment Justifications for GDPR’s rights

[besteves4]

Hey,

In the context of the PROTECT project, we defined a list of exemptions to GDPR’s data subject rights. We welcome discussions with experts in law.

The concepts we are proposing to add to DPV are:

• Right Non-Fulfilment Justification -Definition: Organisations can deny a data subject from exercising their rights where it is necessary and proportionate but also allowed by the relevant regulation -Source: GDPR, Arts. 23, 13.4, 14.5

• Right to be Informed Non-Fulfilment Justification -Definition: Reasons why the data controller should not provide the data subject with the relevant information, according to Arts. 13 or 14 as applicable, about an intended data processing activity -Source: GDPR, Arts. 13.4, 14.5 -Subclass of: Right Non-Fulfilment Justification

• Data Subject is Already Informed -Definition: The data subject already has the relevant information about the intended data -Source: GDPR, Arts. 13.4, 14.5.a -Subclass of: Right to be Informed Non-Fulfilment Justification

• Cause Extraordinary Effort for the Data Controller -Definition: Providing the data subject with the relevant information would imply an impossible or disproportionate effort for the data controller -Source: GDPR, Art. 14.5.b -Subclass of: Right to be Informed Non-Fulfilment Justification

• Render impossible the processing -Definition: Providing the data subject with the relevant information would render impossible or seriously impair the processing -Source: GDPR, Art. 14.5.b -Subclass of: Right to be Informed Non-Fulfilment Justification

• Disclose in a Member State or Union law -Definition: The information due to the data subject is already disclosed in a Member State or Union law -Source: GDPR, Art. 14.5.c -Subclass of: Right to be Informed Non-Fulfilment Justification

• Existence of Confidentiality Obligation -Definition: The data subject is not informed about a data processing activity due to the existence of a confidentiality obligation that covers the processing activity -Source: GDPR, Art. 14.5.d -Subclass of: Right to be Informed Non-Fulfilment Justification

• Expression of Opinion about the Data Subject -Definition: The personal data relating to the data subject consisting of an expression of opinion about the data subject by another given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving it -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Prevent Investigation -Definition: There is an allegation being made against the data subject and it is felt that the disclosure of data in the context of the request could in some way hinder the investigation -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Safeguard Third Party Rights -Definition: The data subject is only allowed to seek data in relation to themselves. Where another person may be identifiable from any information which may identify the third-party data should be redacted unless the third party has given consent -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Confidentiality of Opinion about the Data Subject -Definition: There is a confidential opinion expressed about the data subject by a member of staff -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Impair the Achievement of Archiving Purposes -Definition: The request of the data subject can be refused if the exercise of rights would be likely to render impossible or seriously impair the achievement of archiving purposes or such restriction is necessary for the fulfilment of those purposes -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Legal Privilege -Definition: Documents that have personal data of the data subject exempt from disclosure in court proceedings apply in relation to a Subject Access Request, this applies to both legal advice and litigation privilege -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Safeguard National Security -Definition: The exercise of the right by the data subject can be refused to safeguard national security where accepting the request of the right poses a threat to it -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Safeguard Defence -Definition: The exercise of the right by the data subject can be refused to safeguard defence where accepting the request of the right poses a threat to it -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Safeguard Public Security -Definition: The exercise of the right by the data subject can be refused to safeguard public security where accepting the request of the right poses a threat to it -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

• Safeguard Judicial Independence or Proceedings -Definition: The exercise of the right by the data subject can be refused to safeguard judicial independence or proceedings where accepting the request of the right poses a threat to it -Source: GDPR, Art. 23.1 -Subclass of: Right Non-Fulfilment Justification

[coolharsh55]

As we discussed in today's meeting (https://www.w3.org/2022/10/19-dpvcg-minutes.html), the concepts would be expressed as justifications for why a right was not fulfilled (RightNonFulfilmentJustification).

The concepts also require their titles to be updated to better indicate what this "justification" is. E.g. "Public Security" should be "Safeguard Public Security". This phrasing can also be interpreted to have Justification utilise some concepts types of Purpose - which means we would need to add Safeguarding Public Security, National Security, and all these to the Purposes list, and also declare them as Justifications for Non-fulfilment of Rights.

[coolharsh55]

@besteves4 could you please provided an updated version of these concepts based on the meeting discussion?

[besteves4]

Should we also have fulfilment justifications to ground why a certain right is being exercised by a data subject, e.g., the justifications on GDPR Art. 17.1 and 18.1?

[coolharsh55]

Good point. We should model that information. I'm not sure whether it should be a justification or a subtype of that right because it sounds odd to have to justify your own right.

[coolharsh55]

Hi. How about this as the model for information?

dpv:Justification is a concept in DPV. In the Justifications extension, we specialise it for the following types and collect various generic justifications. To support the GDPR extensions, we have generic reasons in Justifications extension, and then extend them in GDPR extension with reference to specific clauses in GDPR. I started collecting justifications with this model in the GDPR extension spreadsheet, starting with Art.12. It isn't complete yet.

Justification	A reason or explanation for specified context	Extended for Rights
Non-Performance Justification	Justification for why the associated process or context was rejected or was decided to not be completed	Right Non-fulfilment Justification
Exercise Justification	Justification for why the associated process or context is being exercised or initiated	Right Exercise Justification
Delay Justification	Justification for why the associated process or context is being delayed	Right Fulfilment Delay Justification

The below are justifications to reject right exercise requests.

Justification	Extend for GDPR
RejectImpossibleToFulfil	GDPR Art. 14.5.b
RejectProcessFrivolous	GDPR Art. 12.5
RejectIdentityVerificationFailure	GDPR Art. 12.2

The below are justifications to delay right exercise fulfilment.

Justification	Extend for GDPR
DelayIdentityVerification	GDPR Art. 12.1,GDPR Art. 12.6
DelayComplexity	GDPR Art. 12.3
DelayInformationRequirement	GDPR Art. 12.6

The below are justifications to issue right exercise requests.

Generic Justification	Extend for GDPR
Exercise due to Non-Necessity	GDPR Art. 17.1
Exercise due to Lack of Further Legality	GDPR Art. 17.2
Exercise Objection	GDPR Art. 17.3
Exercise due to Unlawful Activity	GDPR Art. 17.4
Exercise Legal Obligation	GDPR Art. 17.5, 17.6

[besteves4]

Using the model started above by @coolharsh55, I'm compiling a list of justifications in this webpage and in this spreadsheet. Feedback is welcome on either document.

Next I will also be adding examples of how to model right exercising activities in the webpage.

[besteves4]

Hi, here are some updates on the rights exercising / justifications work:

• The justifications in Article 34.3 do not fit in the model started above, so we suggest adding a new type of justification, used in compliance and not to be used to communicate (should we call it Compliance Justification?) that can be extended for these.

• In addition to the justifications proposed in the previous point, we also propose to add the following Rights concepts:

Term: A22-3-human-intervention Label: A22-3 Right to obtain human intervention on the part of the controller Description: Right of the data subject to obtain human intervention on the part of the controller Parent: dpv:DataSubjectRight Type: dpv:Right

Term: A22-3-pov Label: A22-3 Right to express data subject's point of view Description: Right of the data subject to express his or her point of view Parent: dpv:DataSubjectRight Type: dpv:Right

Term: A22-3-contest-decision Label: A22-3 Right to contest the decision Description: Right of the data subject to contest the decision Parent: dpv:DataSubjectRight Type: dpv:Right

Term: A78 Label: A78 Right to an effective judicial remedy against a supervisory authority Description: Right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning natural or legal person Parent: dpv:Right Type: dpv:Right

Term: A79 Label: A79 Right to an effective judicial remedy against a controller or processor Description: Right to an effective judicial remedy where the data subject considers that his or her rights have been infringed as a result of the processing of his or her personal data Parent: dpv:DataSubjectRight Type: dpv:Right

• More details can be found on the DPVCG's meeting notes from February 21st.

[coolharsh55]

@besteves4 for Art.34-3, can we extend NonPerformanceJustification as NotRequiredJustification and then extend this for the three specific conditions?

I do not think we should get into modelling concepts referring to obligations e.g. A.34-3 can be interpreted as justifications for the obligation not being applicable - as this pulls us into trying to do deontic modelling of GDPR's clauses. Whereas what I think we want to do is more of a stateful representation of why/why-not related to information/processes.

For A22-3-human-intervention - I think this will come under the right to A22 because it is part of that right? There are three rights in A22-3 which can go under A22 as 1 on controller and 2 for data subjects. Following the naming convention on rights being only referred to via clause numbers, we have: A22-3-a human intervention on controller's part, A22-3-b present data subject's pov, and A22-3-c contest decision.

[besteves4]

Makes sense. I updated the spreadsheet here to accommodate for these changes.

The subtypes of Not Required Justifications are now prefixed with JNotReq-, the subtypes of Right Non-Fulfilment Justifications with JNonFulf-, the subtypes of Right Fulfilment Delay Justifications with JDelay- and the subtypes of Right Exercise Justifications with JExercise- to avoid ambiguity and keep them short(er).

[coolharsh55]

See https://github.com/w3c/dpv/issues/83#issuecomment-2068059917 for work on justifications. Once that is resolved, the plan is to create links between specific GDPR clauses and justifications similar to legal basis and rights. E.g.

• eu-gdpr:A21 dpv:hasJustification justifications:IdentityVerificationRequired
• eu-gdpr:A17 dpv:hasJustification justifications:Objection
• eu-gdpr:A14 dpv:hasJustification justifications:FulfilmentImpossible

[coolharsh55]

In addition to rights fulfilment, we should also add justifications associated with data breaches e.g. breach not likely to result in high risk to rights and freedoms of natural personal and therefore no notification to DPA or data subject was needed; or those associated with breach notifications later than 72 hours.