Version: 1.0
Date: 10/27/2021
Editor: Lisa LeVasseur
Authors: Me2BA Respectful Tech Spec Working Group
Abstract
Me2B relationships are composed of a series of transactions, called “Me2B Commitments”, that either deepen or diminish the Me2B relationship. Examples are cookie commitments, newsletter sign-up commitments, and account creation commitments. The Me2B Alliance has identified the key attributes for such a commitment to be safe for and respectful to people (Me-s).
Document Status
This document is a Recommendation produced by the Respectful Tech Spec Working Group and is approved by the Membership of the Me2B Alliance according to its Operating Procedures.
Copyright Notice
Copyright © 2021 Me2B Alliance.
This document is subject to the Creative Commons Attribution 4.0 International Public License.
Revision History
VERSION | DESCRIPTION OF CHANGES
1.0 | First release
Contents
- Clear Data Processing Notice
- Viable Permission
- Identification Minimization
- Data Collection Minimization
- Private by Default
- Reasonable Data Use & Sharing Behavior
- Data Processing Complies with Data Subject’s Privacy Preferences & Permissions
- Data Processing Complies with Policies
- Reasonable Commitment Duration
- Commitment Termination or Change Behavior
1 Clear Data Processing Notice
There must be a readable data processing notice present in the software before any data collection or processing included in this Me2B Commitment takes place.
References:
GDPR, Article 4 (2): “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
GDPR, Chapter 1, Article 4 – Definitions, https://gdpr-info.eu/art-4-gdpr/
Related Rules of Engagement:
Rule of Engagement #5: Good Communication
2 Viable Permission
2.1 Understandability
The Data Subject must be able to easily understand the Me2B Deal required (quid pro quo) for this Me2B Commitment.
This requirement is the “knowledge” condition from Kim’s description of the construction of [legal] consent. It relates closely to Attribute #1, the Clear Data Processing Notice.
References:
“Consent has a variety of meanings in the law, but it is typically a conclusion based upon the presence or absence of three conditions: an intentional manifestation of consent, knowledge, and volition/voluntariness.”
Kim, Nancy S. Consentability (p. 9). Cambridge University Press. Kindle Edition.
“Consentability: Consent and Its Limits”, Nancy S. Kim, 2019, Cambridge University Press.
Related Rules of Engagement:
Rule of Engagement #5: Good Communication
2.2 Freely Given
The Data Subject must have the ability to provide permission before any transaction is carried out as a part of the Me2B Deal for this Me2B Commitment. There should be no element of coercion when seeking consent.
This is the “volition/voluntariness” portion of the construction of legal consent.
References:
GDPR Recital 42 “Burden of Proof and Requirements for Consent” https://gdpr-info.eu/recitals/no-42/
GDPR Recital 43 “Freely Given Consent” https://gdpr-info.eu/recitals/no-43/
Related Rules of Engagement:
Rule of Engagement #1: Freedom
2.3 Intentional Action
The Data Subject must provide a definitive, recorded affirmation of permission for the Me2B Deal required for this Me2B Commitment.
This is the “intentional manifestation of consent” portion of the construction of legal consent.
An affirmation or clear signal should carry enough information to produce a receipt of that transaction.
References:
ISO/IEC TS 27560 “Consent record information structure” is under development.
HL7 FHIR includes a Consent Resource with data structures https://www.hl7.org/fhir/consent.html
Kantara Initiative Consent Receipt Specification https://kantarainitiative.org/download/7902/
Related Rules of Engagement:
Rule of Engagement #5: Good Communication
2.4 Permission Flow to Data Processors (Transitive Permissions)
The Data Subject’s permissions must be shared with all Data Processors.
3 Identification Minimization
Any kind of identification performed must be proportional to the particular Me2B Commitment. Thus, the software must collect only the minimum set of identity attributes necessary to uniquely identify an individual as needed for the particular Me2B Commitment.
References:
GDPR Article 5(1)(c) “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)”
See section 4.1.4 “Data Minimization” of the Kantara Report “Privacy & Identity protection in mobile Driving License ecosystems” https://kantarainitiative.org/download/7902/
Related Rules of Engagement:
Rule of Engagement #3: Respectful Defaults
4 Data Collection Minimization
4.1 Volunteered Data
The amount of Volunteered Data collected as a part of the Me2B Deal for this Me2B Commitment must be appropriate to the Commitment.
Related Rules of Engagement:
Rule of Engagement #2: Respect of Boundaries
Rule of Engagement #3: Respectful Defaults
4.2 Observed Data
The amount of Observed Data collected as a part of the Me2B Deal for this Me2B Commitment must be appropriate to the Commitment.
Related Rules of Engagement:
Rule of Engagement #2: Respect of Boundaries
Rule of Engagement #3: Respectful Defaults
4.3 Derived Data
The amount of Derived Data collected as a part of the Me2B Deal for this Me2B Commitment must be appropriate to the Commitment.
Related Rules of Engagement:
Rule of Engagement #2: Respect of Boundaries
Rule of Engagement #3: Respectful Defaults
5 Private by Default
For the particular Me2B Commitment, any information shared must be private between the Data Subject and the Data Controller and any necessary Data Processors by default, without requiring any action by the Data Subject.
Related Rules of Engagement:
Rule of Engagement #3: Respectful Defaults
6 Reasonable Data Use & Sharing Behavior
The observed Data Processing (with a particular focus on outbound data flow) must be appropriate / proportional for this particular Me2B Commitment.
Related Rules of Engagement:
Rule of Engagement #4: Fairness & Non-exploitation
Rule of Engagement #7: Non-harming
7 Data Processing Complies with Data Subject’s Privacy Preferences & Permissions
The observed data processing behavior must comport with the Data Subject’s preferences related to this Me2B Commitment.
Related Rules of Engagement:
Rule of Engagement #2: Respect of Boundaries
Rule of Engagement #6: Keeps Promises
8 Data Processing Complies with Policies
The observed processing behavior (inclusive of collection) must match what is described in the Data Controller’s privacy policy and terms of service.
Related Rules of Engagement:
Rule of Engagement #6: Keeps Promises
9 Reasonable Commitment Duration
This particular Me2B Commitment’s duration must match the expected or promised duration.
Related Rules of Engagement:
Rule of Engagement #5: Good Communication
10 Commitment Termination or Change Behavior
10.1 Easy to End or Change Commitment
The Data Subject must be able to easily change or terminate the commitment.
Related Rules of Engagement:
Rule of Engagement #1: Freedom
10.2 Record
The termination or change of the commitment must be recorded and provided to the Data Subject.
Related Rules of Engagement:
Rule of Engagement #5: Good Communication
10.3 Data Subject’s Data Forgotten by Service
The Data Subject’s data must be forgotten/deleted by all Data Controllers and Data Processors upon the termination of the commitment.
Related Rules of Engagement:
Rule of Engagement #3: Respectful Defaults
10.4 Permission Change Flow to Data Processors
Permission changes by the Data Subject must flow down to all co-Data Controllers and Data Processors, who must all take appropriate action (i.e., remove data).
Related Rules of Engagement:
Rule of Engagement #3: Respectful Defaults