w3ctag / privacy-principles

https://w3ctag.github.io/privacy-principles/

Improve comprehensibility of section 1.1.2 Privacy labour #331

Closed polcak closed 4 months ago

polcak commented 1 year ago

Privacy labour is the practice of having a person carry out the work of ensuring data processing of which they are the subject or recipient is appropriate, instead of putting the responsibility on the actors who are doing the processing. Data systems that are based on asking people for their consent tend to increase privacy labour.

Some legal requirements on data processing such as GDPR allow processing after consent (see for example https://curia.europa.eu/juris/liste.jsf?num=C-673/17, https://curia.europa.eu/juris/liste.jsf?num=C-61/19 for what such consent looks like) which might be the only option for some types of processing (see for example https://curia.europa.eu/juris/liste.jsf?num=C-252/21, especially replies to questions 3-5 and related recitals).

However, it seems to me that the text of 1.1.2 promotes processing without obtaining consent to remove the labour from the user. The text highlights that FIPs were created in the 1970s but it does not provide any alternative.

In my opinion the text needs to clarify:

This issue is likely related to #273. I think that moving the discussion of privacy labour to the processing section might improve the comprehensibility and possibly address the two issues in a better shape.

npdoty commented 10 months ago

I believe the intent is to note that while some processing may be legal in some jurisdictions with consent, constantly asking users for consent for unnecessary processing is just putting an undue burden on them.

The introduction (including 1.1.2) doesn't get into the recommendations or principles much, but 2.2 (Data Minimization), 2.5 (Data Rights), 2.7 (Collective Privacy), and 2.12 (Consent) go into more detail on how to design appropriate use of data without burdening individual users with more privacy labour.