November 1, 2021

Version: 1.0
Date: 10/27/2021
Editor: Lisa LeVasseur
Authors: Me2BA Respectful Tech Spec Working Group

Abstract

Me2B relationships are composed of a series of transactions, called “Me2B Commitments”, that either deepen or diminish the Me2B relationship. Examples are cookie commitments, newsletter sign-up commitments, and account creation commitments. The Me2B Alliance has identified the key attributes for such a commitment to be safe for and respectful to people (Me-s).

Document Status

This document is a Recommendation produced by the Respectful Tech Spec Working Group and is approved by the Membership of the Me2B Alliance according to its Operating Procedures.

Copyright Notice

Copyright © 2021 Me2B Alliance.
This document is subject to the Creative Commons Attribution 4.0 International Public License.


Revision History

VERSION    DESCRIPTION OF CHANGES
1.0        First release

Contents

  1. Clear Data Processing Notice
  2. Viable Permission
    1. Understandability
    2. Freely Given
    3. Intentional Action
    4. Permission Flow to Data Processors (Transitive Permissions)
  3. Identification Minimization
  4. Data Collection Minimization
    1. Volunteered Data
    2. Observed Data
    3. Derived Data
  5. Private by Default
  6. Reasonable Data Use & Sharing Behavior
  7. Data Processing Complies with Data Subject’s Privacy Preferences & Permissions
  8. Data Processing Complies with Policies
  9. Reasonable Commitment Duration
  10. Commitment Termination or Change Behavior
    1. Easy to End or Change Commitment
    2. Record
    3. Data Subject’s Data Forgotten by Service
    4. Permission Change Flow to Data Processors

 

1      Clear Data Processing Notice

There must be a readable data processing notice present in the software before any data collection or processing included in this Me2B Commitment takes place.

References:

GDPR, Article 4 (2): “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

GDPR, Chapter 1, Article 4 – Definitions, https://gdpr-info.eu/art-4-gdpr/

Related Rules of Engagement:
Rule of Engagement #5:  Good Communication

2     Viable Permission

2.1      Understandability

The Data Subject must be able to easily understand the Me2B Deal required (quid pro quo) for this Me2B Commitment.

This requirement is the “knowledge” condition from Kim’s description of the construction of [legal] consent. It relates closely to Attribute #1, the Clear Data Processing Notice.

References:
“Consent has a variety of meanings in the law, but it is typically a conclusion based upon the presence or absence of three conditions: an intentional manifestation of consent, knowledge, and volition/voluntariness.”

Kim, Nancy S. Consentability (p. 9). Cambridge University Press. Kindle Edition.

“Consentability:  Consent and Its Limits”, Nancy S. Kim, 2019, Cambridge University Press.

Related Rules of Engagement:
Rule of Engagement #5:  Good Communication

2.2     Freely Given

The Data Subject must have the ability to provide permission before any transaction is carried out as a part of the Me2B Deal for this Me2B Commitment. There should be no element of coercion when seeking consent.

This is the “volition/voluntariness” portion of the construction of legal consent.

References:
GDPR Recital 42 “Burden of Proof and Requirements for Consent” https://gdpr-info.eu/recitals/no-42/

GDPR Recital 43 “Freely Given Consent” https://gdpr-info.eu/recitals/no-43/

Related Rules of Engagement:
Rule of Engagement #1:  Freedom

2.3     Intentional Action

The Data Subject must provide a definitive, recorded affirmation of permission for the Me2B Deal required for this Me2B Commitment.

This is the “intentional manifestation of consent” portion of the construction of legal consent.

An affirmation or clear signal should carry enough information to produce a receipt of that transaction.

References:
ISO/IEC TS 27560 “Consent record information structure” is under development.

HL7 FHIR includes a Consent Resource with data structures https://www.hl7.org/fhir/consent.html

Kantara Initiative Consent Receipt Specification https://kantarainitiative.org/download/7902/

Related Rules of Engagement:
Rule of Engagement #5:  Good Communication

2.4    Permission Flow to Data Processors (Transitive Permissions)

The Data Subject’s permissions must be shared with all Data Processors.

3     Identification Minimization

Any kind of identification performed must be proportional to the particular Me2B Commitment.  Thus, the software must collect only the minimum set of identity attributes necessary to uniquely identify an individual as needed for the particular Me2B Commitment.

References:
GDPR Article 5(1)(c) “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)”

See section 4.1.4 “Data Minimization” of the Kantara Report “Privacy & Identity protection in mobile Driving License ecosystems” https://kantarainitiative.org/download/7902/

Related Rules of Engagement:
Rule of Engagement #3:  Respectful Defaults

4     Data Collection Minimization

4.1     Volunteered Data

The amount of Volunteered Data collected as a part of the Me2B Deal for this Me2B Commitment must be appropriate to the Commitment.

Related Rules of Engagement:
Rule of Engagement #2: Respect of Boundaries and
Rule of Engagement #3:  Respectful Defaults

4.2    Observed Data

The amount of Observed Data collected as a part of the Me2B Deal for this Me2B Commitment must be appropriate to the Commitment.

Related Rules of Engagement:
Rule of Engagement #2: Respect of Boundaries and
Rule of Engagement #3:  Respectful Defaults

4.3    Derived Data

The amount of Derived Data collected as a part of the Me2B Deal for this Me2B Commitment must be appropriate to the Commitment.

Related Rules of Engagement:
Rule of Engagement #2: Respect of Boundaries and
Rule of Engagement #3:  Respectful Defaults

5     Private by Default

For the particular Me2B Commitment, any information shared must be private between the Data Subject and the Data Controller and any necessary Data Processors by default, without requiring any action by the Data Subject.

Related Rules of Engagement:
Rule of Engagement #3:  Respectful Defaults

6     Reasonable Data Use & Sharing Behavior

The observed Data Processing (with a particular focus on outbound data flow) must be appropriate / proportional for this particular Me2B Commitment.

References:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

Related Rules of Engagement:
Rule of Engagement #4:  Fairness & Non-exploitation
Rule of Engagement #7:  Non-harming

7     Data Processing Complies with Data Subject’s Privacy Preferences & Permissions

The observed data processing behavior must comport with the Data Subject’s preferences related to this Me2B Commitment.

Related Rules of Engagement:
Rule of Engagement #2: Respect of Boundaries
Rule of Engagement #6: Keeps Promises

8     Data Processing Complies with Policies

The observed processing behavior (inclusive of collection) must match what is described in the Data Controller’s privacy policy and terms of service.

Related Rules of Engagement:
Rule of Engagement #6: Keeps Promises

9     Reasonable Commitment Duration

This particular Me2B Commitment’s duration must match the expected or promised duration.

Related Rules of Engagement:
Rule of Engagement #5:  Good Communication

10   Commitment Termination or Change Behavior

10.1    Easy to End or Change Commitment

The Data Subject must be able to easily change or terminate the commitment.

Related Rules of Engagement:
Rule of Engagement #1:  Freedom

10.2   Record

The termination or change of the commitment must be recorded and provided to the Data Subject.

Related Rules of Engagement:
Rule of Engagement #5:  Good Communication

10.3   Data Subject’s Data Forgotten by Service

The Data Subject’s data must be forgotten/deleted by all Data Controllers and Data Processors upon the termination of the commitment.

Related Rules of Engagement:
Rule of Engagement #3:  Respectful Defaults

10.4   Permission Change Flow to Data Processors

Permission changes by the Data Subject must flow down to all co-Data Controllers and Data Processors, who must all take appropriate action (i.e. remove data).

Related Rules of Engagement:
Rule of Engagement #3:  Respectful Defaults