[gnso-rds-pdp-wg] Legal basis vs. lawful

Tapani Tarvainen ncsg at tapani.tarvainen.info
Wed Feb 7 06:07:37 UTC 2018


Hi Sam,

I think you have half of it right but not all. Comments inline.

On Tue, Feb 06, 2018 at 05:41:03PM -0500, Sam Lanfranco (sam at lanfranco.net) wrote:
> 
> Using a set theory/Venn diagram approach, here is my one-shot comment:
> 
> We are talking about the act of "processing" here. The universe of processes
> can be divided into Lawful and Unlawful. None of the Unlawful are Legal. Of
> the Lawful some are coded into law (and may have forms/procedures that must
> accompany processing). They are Legal (in a technical sense). Legal is an
> identifiable subset within Lawful.

Yes. But in some cases Lawful implies Legal, or requires it.

> Here if one wants to cast the "right to process" with a wide net, go for
> Lawful. If one wants to cast the "right to process" with a narrow net, go
> for Legal. If one wants Integrity, well that is a whole other kettle of
> fish.

Yes.

But:

> As I read that, if one wants to restrict access to Law Enforcement Agencies
> and Court Orders, one goes for Legal. If one wants access by misc. security
> interests, detectives, fraud hunters, etc. one goes for Lawful.

No. Private actors can have legal basis for access and processing, too.

The key distinction, as I understand it, is that "lawful" would be
defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose
justification can be explicitly derived from law.

That does not mean a very specific, detailed justification - the law
does not need to explicitly mention DNS for DNS-based things to have
legal basis in this sense.

In the GDPR this is pretty clear. For example, Article 13, "Information
to be provided where personal data are collected from the data subject"
says, inter alia,

"Where personal data relating to a data subject are collected from the
data subject, the controller shall, at the time when personal data are
obtained, provide the data subject with all of the following
information:
[...]

(c) the purposes of the processing for which the personal data are
    intended as well as the legal basis for the processing;"

So not only does there have to be a legal basis but it has to be
explicitly provided to the person whose data is being collected.

Article 6, "Lawfulness of processing", lists possible legal bases.
And it is exhaustive; it says "Processing shall be lawful only if and
to the extent that at least one of the following applies".

This interpretation of "legal basis" is further supported later
in the same article by wordings like "The basis for processing
referred to in point (c) and (e) ...".


So I would prefer "legal basis" specifically in this sense: that
any processing would have to be explicitly based on one of the
criteria, or bases, as listed in GDPR Article 6, or similar
explicit justification in other data protection legislation.


-- 
Tapani Tarvainen
