W3C Technology and Society


Future of P3P Workshop

November 13, 2002

Legal Panel

Danny Weitzner

Two issues that we will touch on.

Degree to which P3P policy statements legally binding?

Legal requirements that may not be adequately expressible in P3P.

How P3P policy needs to be interpreted under consumer law. What can a consumer be expected to rely upon. See slide.

What a consumer can reasonably rely upon.

Structure of interpretation: What is expressed and how is it expressed.

Critical reason: want to make sure a standard way of rendering privacy policies for access. P3P a policy interoperability standard.

Adding a user agent in the middle adds another step.

Ann Cavoukian

Discussion of legal issues is inappropriate at times. P3P is not a legal issue, it is a tool for beginning privacy work. P3P enabling tool, openness and transparency is absolutely essential, P3P facilitates that.

P3P leads with the privacy policy, difference with individual's preferences, leaps out at you rather than going into depths of the policies.

In Canada, legislation, federal statute PIPEDA, covers federally regulated companies, starting 2001, and covers rest of private sector in 2004. Doesn't speak to P3P, intersects regarding notice and consent, two FIPS purpose specification and use limitation, P3P policy would go a long way if a complaint received by federal Privacy Commissioner.

What would I do as a Commissioner, go to privacy policy of Website, if it was P3P enabled, this would send a signal that attempts had been made to allow a consumer to understand what the privacy policy was, then I would look for consistency in practice.

Privacy Statement, promise or inducement, can't be dealt with as whimsy. How important it is to represent policies, they are official statements.

The Policy must then bear some resemblance to application of that policy and built on the legislation. P3P can't ignore or stand in the place of legislation. P3P gaining

Brian Zwit (Question)

Issue in legal community, if you write a human readable policy, when converted to P3P policy, restricted vocabulary. Real fear, incur liability.

Answer from panel

Way that policy is reflected in P3P, I challenge that legalese is more understandable. The same holds true if you have a layered approach to your policies. Start with a shorter simpler version, then consumer can go to more lengthy policy. Vocab is limited right now, you get general flavour, you can get more from detailed policy.

Rigo Wenning (Question)

P3P is less complex than legalese, you expect compliance with a P3P policy. Some see a necessary trade-off with complexity. Complexity costs money.

Ann Cavoukian

Damn right a company has to comply with their P3P policy. A co. is telling the world this (P3P) this is our policy. Can't just do it as a whim. If it is not an accurate reflection, we shut them down.

Brooks Dobbs

Reduction to 53 words is not loss of nuance, but lack of expression.

Answer from the panel

Yes you lose meaning. But what are you left with without P3P, you have nuance but no one reads or understands it. Lose the people. That is too high a price to pay. Don't lose the nuanced policy, but have a tool that brings the simple issues to the people. The issues I need reflected are the essential ones that P3P can represent. It is not an either or. Can both tools and nuanced versions.

Brian Zwit

You might not just lose nuance, In some cases, the company hasn't expressed itself in the detail that P3P needs.


then the company needs to work through this.

Dan Schutzer

We take P3P seriously.

In the process of implementing have the following:

Immediate need for more expressive language and what has legal dominance.

This has been a valuable exercise.

Longer term needs:

Some uniformity of clients and agents that represent policies, so people get used to seeing things in a set order.

Explanatory text: to better understand what we are doing.

Why collecting data: regulatory, marketing, knowing customer, and who it can be released to, e.g., under warrant. Hard to define sometimes these types of use.

Noticed that implementations, see some diversity between browsers and user agents, allows for different interpretations by users, legal and reputation risk. That's why we want human readable policy to take precedence.

We have taken pains to make our Priv. Pol. clear. Nice if we could come up with short privacy statement. This could take a little time. Plus we are rolling this out world-wide.

The user agents should all be consistent in representing a P3P policy to a consumer.

AS P3P how to share liability in a shared circle of trust involving various orgs. E.g. financial aggregation, aggregator tool, bringing from various sources. Even sharing with customer ID and password and data source. E.g. Citibank card info. Then goes to Chase, which doesn't have a contract with Citi, no contract or control, how does a customer understand how data is treated.

Cross border transfer of data and how P3P represents that, what about off-line and on-line collection. How is that related. Need a common umbrella and how that data is treated.

Conformance of implementers of P3P, e.g. web service delivered over different browsers, Then can treat differently. Not sure how our policy will be treated as compliant or not. Compact policy optional but P3P policy is not.


Comment of precedence of written policy over P3P policy. I.e., disavow P3P statement.


Whatever disclaimers you make, the final answer is what is the final effect on the consumer. How fine was the fine print, can you say this one counts, the other does not, no you cannot do that.

If P3P is first thing seen, can't say this doesn't apply. What is first point of contact, that's it must be a darn good match. Look at intent. Expectation, what is the consumer guided by.

Dan Schutzer

P3P is not read by customer, what customer sees is vendor's interpretation of P3P language and human readable language. Goes long way to dealing with this.

We do intend to make it consistent.

Danny Weitzner

What if user agent renders policy inconsistent with actual privacy policy?

Brian Zwit

If we have consistent language and interpretation same then 53 word cannot express privacy policy, then regulators P3P is the broad view, then for details go to the full policy. Business fear, if we didn't capture.

Ann Cavoukian

Regulators deal case by case basis. E.g. Airline safety, can be expressed through various methods they are not inconsistent just various levels of detail. The Question. Just as you cannot shift burden to consumer if you have difficulty expressing your actions to the consumer.

If a user agent has certain amount of control and misleads consumer. Either the original expressor or user agent are accountable.

You have to test your user agent is representing your policy.

We need a common expressible language.

Marty Abrams

What is the role of types of different notices. There is real risk with layered notices. As we move to legislated processes. Shouldn't we move this discussion focus on layers and notice.

Ann Cavoukian

P3P speaks to a group, younger demographic that you would lose.

Diana Alonso-Blas

EU perspective.

P3P has a lot of legal implications. Important issue.

  1. P3P might allow transactions that go below minimum level of protection that the EU set. There are non-waivable rights, which P3P allows.

  2. What role P3P in context of Article 10 of EU directive. Has to comply with Article 10, needs to set ID of controller, purposes of data, processed only for compatible purposes. Then transfer outside EU. Opt-out an issue, Fair processing as main principle and these things have to be taken into account in the P3P vocabulary, If consent basis for processing, In our jurisdiction obligation to inform data subject. If problems, policy taken into account. Question is fair processing.

  3. Consent is it possible to gain consent through XML. Consent should be sufficient and informed and a clear indication of wishes, thus opt out is not a clear indication. Should be unambiguous and explicit, but doesn't have to be in writing.

Question from Cem Paya

Opt-out not considered consent?

Diana Alonso-Blas

In EU user has to do actively something.

Ann Cavoukian: Canada, sliding scale, type of consent determines type of consent. E.g. health opt in, marketing ok for opt out.

In US also sliding scale and specific pieces of legislation set out types of consent.

Danny Weitzner

How to pursue Article 10 issues.

Diana Alonso-Blas

Hope that P3P take our concerns, perhaps organise meeting with EU to find way to satisfy us all.

Jos Dumortier

Answer question: convince companies in Europe to implement P3P.

Argument possible contradictions between P3P and readable statements.

In EU, have to see P3P as commercial communications. Legal departments know how to handle commercial communications.

Find a compromise in approach, language has to be precise to express and flexible enough to express everything. Implement language has to be clear. We have commercial and legal drivers. Need to communicate effectively. Obligation of result on data controller so that data subject is actually informed.

Why do we need a standard for this communications process. I.e., P3P.

Ultimate goal of a standard, tool to measure, thus following the standard should give you more security in your approach. P3P has to become generally recognised. What we need is more implementation so it becomes a standard.

More and more, negotiations, consent are being given through automatic means such as P3P. We need to be careful, legal arguments are used as excuse to not implement P3P.

Danny Weitzner

Is there a difference what would happen if consent happened in background. Can that translate into consented data transfer?


Consumer, no difference at what stage consent is being given. Take into account that consent has to be given for certain transactions.

David Stampley

It depends, the rule is context driven. We have complex practices. Consumer protection officials exist for those times they need protection. Dangerous for business for taking on burden of translating the complex into simple. The effect on the consumer governs the legal conclusion of a business practice.

What matters to the consumer to make commercial choice. Has to matter. In whether or not the consumer has been deprived or affected.

It would be nice if we could articulate a hard and fast standard. But we can't.

In business, you want reliability. What P3P demonstrates, tremendous benefit in introducing transparency. Is there a need for further regulation, no doubt.

There has been a great deal accomplished.

Yesterday interest expressed in having government authorities to help move this forward. But you don't want me in there. I can't partner with a standard body. I can only comment case by case basis. Could create a conflict of interest.

Brian Zwit

Business issue: P3P just one tool, want some recognition in spec of its limitation, if we can't express our policies adequately we want that recognised.


Certain restrictions apply, look at the insert, that is helpful. It is for consumers to say that this works.

Mixed views, difficult to communicate on what it is not. Better to better represent what P3P really is.

Able to say P3P has limited expressiveness if you want to see complete PP click here.

Independent interpretation of various agents.

See Sect. 3.2 of P3P documentation on Policies.

In cases where the P3P vocabulary etc….


text does not make everyone feel comfortable. The question that the spec writers wrestle with, what is legal and what not. We the spec writers can say what we intend and hope to accomplish.

Open to ways to take Sect. 3.2 another step, but at the same time we gave it our best shot.

Diana Alonso-Blas

Adding to the spec won't help the user. But if it helps you feel better go ahead.

Brooks Dobbs

Responsibility, rendered by user agents you don't control.


Last update $Date: 2002/12/02 12:05:09 $ by $Author: rigo $