17:15:54 RRSAgent has joined #dpvcg
17:15:58 logging to https://www.w3.org/2023/01/04-dpvcg-irc
17:16:00 ScribeNick: harsh
17:16:04 Meeting: DPVCG Meeting Call
17:16:08 Chair: harsh
17:16:29 Present: georg, paul, jan, delaram, tek, harsh
17:16:36 Date: 04 JAN 2023
17:16:41 Agenda: https://lists.w3.org/Archives/Public/public-dpvcg/2023Jan/0000.html
17:16:56 Topic: Data Breach
17:17:05 georg: Meeting with VC Hungarian DPA who said data breach requirements vary across EU DPAs. Problem for Orgs is that they are required to report to multiple/all DPAs which means there are separate requirements for each reporting. The work required here is to first list what GDPR requires, then see what each DPA requires additionally, and then after this we have the building blocks to create a Data Breach vocabulary.
17:17:12 harsh: Paul followed this approach for ROPA, and myself for DPIA so this seems like a repeated pattern we would have to do with all processes.
17:17:15 jan: When consenting, it is clear who is the authority (DPA). One idea would be to identify the location or region of the individual and identify the relevant local authorities to present in notice or to be notified.
17:17:20 georg: In this case, the reporting is supposed to go to all DPAs. So this is not from the individual, but from the Org directly to DPAs.
17:18:08 harsh: I've been mulling on whether there is a possibility to use ActivityPub to normalise the communications protocols, and build stuff like ROPA and Data Breach upon it. Would be an interesting research application.
17:18:14 georg: We can submit something to EDPB on the harmonisation of information requirements.
17:18:18 jan: Similar chance for privacy notices information to be 'standardised' or provided in common form?
17:18:26 harsh: No, that is difficult because the DPAs and GDPR consider a notice to be contextual and per use-case. So a single notice format is difficult to achieve.
There has been some movement to adopt 29184 in CEN/CENELEC as an EU standard - so we may have an authoritative source on information within a GDPR notice as well.
17:18:45 Relevant GitHub issue - https://github.com/w3c/dpv/issues/64
17:19:03 Topic: Risk Management
17:19:18 Proposal to add more risk management concepts under the Risk extension as per ISO 31000 series
17:19:22 Relevant GitHub issue - https://github.com/w3c/dpv/issues/74
17:19:47 Topic: DPV-LEGAL
17:20:11 As we noted in the earlier meeting, we want to focus on laws and authorities and provide guidance on use of external location vocabularies.
17:20:15 Relevant GitHub issue - https://github.com/w3c/dpv/issues/46
17:20:31 Topic: Justifications
17:20:51 We have agreed to create a Justifications extension to provide all kinds of reasons for why something happened or could not happen
17:20:56 Relevant GitHub issue - https://github.com/w3c/dpv/issues/83
17:21:06 Topic: DPV-TECH
17:21:08 georg: Need to specify the 'tech' used e.g. form's security method, or how the email was sent
17:21:12 paul: when using a supplier it requires due diligence, etc.
17:21:16 harsh: Let's collect use-cases for DPV-Tech so we have a focus
17:21:20 tek: SDM for ToMS - https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V2.0b.pdf - will look through this document and provide more information
17:21:28 Topic: Adding More Regulations
17:21:32 harsh: we also need to plan around upcoming regulations this year i.e. DGA, DSA, DMA, and the proposed ones i.e. Data Act, AI Act, ePrivacy Regulation, Health Data Space Regulation
17:21:35 georg: which of these would be considered first?
17:21:38 harsh: preference is on currently enforced (i.e. GDPR), then accepted (i.e. DGA, DSA, DMA), then proposed (i.e. rest) - we also want to avail of guidelines, case law, known use-cases and implementations etc.
17:21:41 jan: working on eIDAS - which would also be relevant to the group; am writing an article on this
17:21:44 jan: (discussion on standards) what needs to be standardised, what is missing or what are the gaps in ISO/CEN and if the group can be useful there
17:21:48 Topic: Next Meeting
17:21:53 We will meet again in 1 week, on WED 11th Jan at 14:00 CET.
17:22:01 Agenda will be the cumulation of topics discussed today.
17:22:08 rrsagent, publish minutes v2
17:22:09 I have made the request to generate https://www.w3.org/2023/01/04-dpvcg-minutes.html harsh
17:22:14 rrsagent, make logs world-visible