Hi Peter,
On 15.03.21 20:07, Peter Schober wrote:
- Bernd Oberknapp bo@ub.uni-freiburg.de [2021-03-15 19:53]:
The point is that we cannot force users to consent to releasing PII (like a pairwise-id/eduPersonTargetedID) that isn't necessary (if the user doesn't want to use the personalization) and deny access to resources necessary for their studies or research if the users don't give their consent - that again wouldn't be free and informed consent.
Maybe my issues with the paragraph above are due to merely phrasing things in an unfortunate way (I'm not discounting the possibilty that we all agree on these issues), but not knowing that for sure all I have to go on is what's written above. To which I'll say this:
You can't ever "force users to consent", obviously. (You can certainly ask them to consent, though. Unless consent is not the legal basis for processing, see below.) And asking for consent in cases where the processing "isn't necessary" is exactly the right case to be asking for consent, IMO. Vice versa, asking for consent to processing that's necessary (e.g. GDPR Art. 6 1 b) is wrong anyway, then the legal bases is not consent and you shouldn't give the impression it is by asking for it.
the wording was indeed unfortunate. What I was trying to say is that if consent is used as a legal basis, the user must have a choice to not release the attribute and still get access to the resource (or have an comparable alternative to the institutional login), and that using a different legal basis might be difficult.
Best regards, Bernd