Include a section about Mauritian DPA article 24 #71

Merged
merged 2 commits into from
Mar 22, 2024


loganaden
Contributor

Mauritius DPA was inspired by the GDPR but has some ambiguities as mentioned by Jeffrey Yasskin:

"This is closer to being about opt-outs, but it doesn't say that a globally-configured opt-out wins over a direct consent to a specific sharing request on a specific site. Without that statement, a controller can pretty easily prove that the data subject consented to their particular processing even if they told their browser to object in general. ("We saw a Sec-GPC: 1 header, and then we asked if they wanted to override that for our site, and they said yes, and they never clicked this other button on our site withdrawing that consent.") At best, this winds up saying that if the user turns on GPC after some sites had gotten consent, those sites need to re-request consent. (Yay, more consent banners.)"

Mauritius DPA was inspired by the GDPR but has some ambiguities.
Member

@SebastianZimmeck SebastianZimmeck left a comment

Thank you, @loganaden!

> As GPC is intended to convey a generate request that data controllers limit the sale or sharing of the person's personal data to other data controllers, ...

Do you mean "general request"? Otherwise, what do you mean by "generate"?

> Mauritian regulators may deem GPC to constitute a legally binding invocation of Article 24 rights. However, there might be ambiguities as there is no explicit mention of global opt-out mechanism winning over a direct consent to a specific sharing request on a specific site.

Is it possible to make this statement a bit more specific as to which cases GPC applies to and for which there is ambiguity? For example, would the following be an accurate description:

> Mauritian regulators may deem GPC to constitute a legally binding invocation of Article 24 rights. That would be the case if people's GPC opt out preferences are their only known opt out preferences or their GPC opt out preferences are in line with any other opt out preferences they invoked. However, in case of conflicts there might be ambiguities as there is no explicit mention of global opt-out mechanism winning over a direct consent to a specific sharing request on a specific site.

We are trying to make this as actionable as possible. Feel free to write as you see fit (if it can be made more precise).

@loganaden
Contributor Author

> Thank you, @loganaden!
>
> > As GPC is intended to convey a generate request that data controllers limit the sale or sharing of the person's personal data to other data controllers, ...
>
> Do you mean "general request"? Otherwise, what do you mean by "generate"?

My bad. Fixing this.

> > Mauritian regulators may deem GPC to constitute a legally binding invocation of Article 24 rights. However, there might be ambiguities as there is no explicit mention of global opt-out mechanism winning over a direct consent to a specific sharing request on a specific site.
>
> Is it possible to make this statement a bit more specific as to which cases GPC applies to and for which there is ambiguity? For example, would the following be an accurate description:
>
> > Mauritian regulators may deem GPC to constitute a legally binding invocation of Article 24 rights. That would be the case if people's GPC opt out preferences are their only known opt out preferences or their GPC opt out preferences are in line with any other opt out preferences they invoked. However, in case of conflicts there might be ambiguities as there is no explicit mention of global opt-out mechanism winning over a direct consent to a specific sharing request on a specific site.

Agreed.

> We are trying to make this as actionable as possible. Feel free to write as you see fit (if it can be made more precise).

@@ -104,6 +104,8 @@ Virginia and Utah have privacy laws that grant people the right to opt out but d

The European Union and European Economic Area have the General Data Protection Regulation (GDPR). This law provides for a number of bases for data processing, including consent and the "legitimate interest" of the data controller. For processing pursuant to a company’s "legitimate interest," Article 21 of the GDPR offers people an ability to object, or opt out, of such processing. As GPC is intended to convey a general request that data controllers limit the sale or sharing of the person's personal data to other data controllers, European regulators may deem GPC to constitute a legally binding invocation of Article 21 rights. To date, no European regulator has explicitly made this case, though some commentators have argued that [GPC has legal effect under the GDPR](https://berjon.com/gpc-under-the-gdpr/).

Mauritius, an African country, has the Data Protection Act (DPA). The DPA was inspired by the GDPR. The law provides for a number of bases for data processing, including consent and the "legitimate interest" of the data controller. For processing pursuant to a company's "legitimate interest", Article 24 of the DPA offers people an ability to opt out of such processing. As GPC is intended to convey a general request that data controllers limit the sale or sharing of the person's personal data to other data controllers, Mauritian regulators may deem GPC to constitute a legally binding invocation of Article 24 rights. That would be the case if people's GPC opt out preferences are their only known opt out preferences or their GPC opt out preferences are in line with any other opt out preferences they invoked. However, in case of conflicts there might be ambiguities as there is no explicit mention of global opt-out mechanism winning over a direct consent to a specific sharing request on a specific site.
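
Review bot: The added Mauritius paragraph cites "Article 24 of the DPA" without a link or reference to the statute text, so a reader cannot check which provision is meant; consider linking the Act, as the GDPR paragraph above links its supporting commentary. In the last sentence, "no explicit mention of global opt-out mechanism" needs an article ("of a global opt-out mechanism"), and "opt out preferences" should be hyphenated ("opt-out preferences") to match "global opt-out mechanism" in the same paragraph. The comma after "legitimate interest" sits outside the quotation marks here but inside them in the GDPR paragraph; pick one form for both.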

This looks clear enough w.r.t. my worry in #68.

Member

@SebastianZimmeck SebastianZimmeck left a comment

Perfect! Thank you, @loganaden and @jyasskin.

@SebastianZimmeck SebastianZimmeck merged commit 3787447 into privacycg:main Mar 22, 2024