The future of P3P: Issues to be addressed in order to allow data controllers using P3P to be compliant with the EU Data Protection Directive [1]


Paper presented by Diana Alonso Blas, European Commission, DG Internal Market, Unit Data Protection, Secretariat to the Internet Task Force of the Article 29 Working Party


This paper has been drafted in co-operation with the members of the Internet Task Force of the Article 29 Working Party, which has endorsed this paper in general terms.


Background

P3P is an emerging standard in the global e-commerce community, but one that has already generated divided opinion. The whole data protection community has followed the development of P3P with great interest.

In April 1998, the International Working Group on Data Protection in Telecommunications issued a common position on the Essentials for privacy-enhancing technologies (e.g. P3P) on the World Wide Web [2]. This paper sets out the essential conditions to be met by any technical platform for privacy protection on the World Wide Web, with the objective of avoiding the systematic collection of personal data:

  1. Technology cannot in itself secure privacy on the web. It needs to be applied according to a regulatory framework.

  2. Any user should have the option to browse the web anonymously. This also applies to the downloading of information in the public domain.

  3. Before personal data, particularly those disclosed by the user, are processed by a website provider, the user's informed consent must be obtained. In addition, certain non-waivable ground rules should be built into the default configuration of the technical platform.

Two months later, in June 1998, the Working Party also issued an opinion [3]. This opinion stressed the fact that a technical platform for privacy protection will not in itself be sufficient to protect privacy on the Web. It must be applied within the context of a framework of enforceable data protection rules providing a minimum and non-negotiable level of privacy protection for all individuals. This opinion also mentioned a number of specific issues that would be raised by the implementation of such a system within the European Union.

In order to investigate the application of P3P in the context of the European data protection directive and to foster communication between the EU data protection community and software developers, a joint seminar was organised in September 1999. A high-level delegation from the World Wide Web Consortium and members of the Internet Task Force participated in this seminar. The seminar showed that a good number of issues still needed to be addressed.

In the Internet Task Force report [4] the Working Party underlined that, even if these issues were to be solved, the following limitations of the P3P system should be taken into account:

In the meantime the Joint Research Centre of the European Commission has been working on a complete, open source implementation of the Platform for Privacy Preferences standard. The work has been carried out within the Institute for the Protection and Security of the Citizen (IPSC) at the JRC in Ispra. This implementation is fully compliant with the standard and has been adopted by the W3C as a reference model. A demonstration site and evaluation environment have been developed for the P3P implementation, which provide a broad range of assessment and familiarisation functions. The Internet Task Force of the Article 29 Working Party has followed this work with great interest and has held discussions with the JRC on this issue. The results of these discussions have been taken on board in the position paper presented by Giles Hogben, of the JRC, whose content is supported in general terms by the Art. 29 Working Party.



Main issues at stake

It should be underlined that P3P, while being a technical tool, has many legal implications, especially in the data protection field. An issue that has raised particular concerns at European level is the fact that P3P allows transactions with a level of privacy protection below the basic criteria as interpreted from the Data Protection Directive (95/46/EC). If P3P were to be used in a configuration which allowed, for instance, a user to consent to the waiving of his/her right to access his/her data, it would be against the Directive. Consent is one of the legal grounds of the Directive to allow processing, but this processing still has to comply with all the other rules of the Directive and in particular with the general principles providing for the fairness of the processing, the legitimacy of the purpose pursued and the adequate and non-excessive character of the data collected. It also has to comply with the provisions of the Directive concerning the rights of the data subjects.

P3P should be considered as a toolbox that can be configured to specific data protection regimes, and as such the coding of the level of protection is up to the implementation. It should however be stressed that at the present stage the system contains limitations that do not enable users to comply with the information requirements of the European Directive. The language used by P3P lacks the functionality to express a number of core elements of Article 10 of the Directive, such as the purposes of the processing, the security policy or the information as to transfers outside the EU, and so forth.

Furthermore, even if P3P has been improved since the beginning and can play a positive role in increasing transparency for the data subjects, its use does not guarantee compliance with Articles 10 and 11 of the Directive on information provision to the data subject. It has been pointed out by the Article 29 Working Party that the mere posting of a privacy policy, although useful, is not sufficient to comply with these obligations [6].


The transparency of the processing of personal data, as required by Directive 95/46/EC, could potentially be enhanced by a tool like P3P. This is however not the case in the currently commercially available implementations of P3P. The user agents currently available misrepresent the privacy policy of the sites, for example by omitting essential information (Microsoft Internet Explorer) or by oversimplifying (Netscape) (ref1). As is concluded in the excellent paper of Joel Reidenberg and Lorrie Cranor [7], the technological mediation designed to make it easier for users to understand the privacy practices of websites risks adding ambiguity, confusion and legal uncertainty. It should also be noted that there is only one agent (the JRC proxy) that fully implements P3P. Most of the other implementations use P3P only to decide on a cookie policy.

The implementation of P3P in version 6 of Internet Explorer is the most widely publicised example, but it has been severely criticised in a recent article by James Harvey and Karen Sanzaro [8]. This article puts forward the following issues of concern regarding this implementation of P3P:

- it is expensive to implement and maintain;

- there is a lack of enforcement, security standards and privacy framework;

- using it has unclear legal consequences;

- it creates consumer confusion.

This article concludes that the future of such an implementation remains to be seen, even if websites that are not P3P-compliant may not function fully and properly for visitors using Internet Explorer 6.


Other issues of concern from the European perspective are the following:

- The rule editor set that should allow users to choose from the existing list of privacy preferences or to create their own file is too complicated for the average user. If P3P is to be of any use in terms of data protection compliance, data subjects must understand how it works and must be able to adjust the protocol's settings easily. It is therefore disappointing that the APPEL language, which was aimed at allowing Internet users to program their own privacy preferences by themselves or on the basis of proposals made by others they trust (for instance the Data Protection Authority), has not been developed after four years. The result in practice is that the preference settings used are those of the software vendors, which is certainly not satisfactory.

- In the light of the complexity of the system as it stands, the default position becomes extremely important. Most users will not know, or will not even consider, changing the default settings concerning privacy preferences. In that respect, and following the idea that P3P should be seen as a toolbox that can be configured to specific data protection regimes, P3P would only be acceptable for European consumers if a 'European version' of the preference settings existed on the basis of the Directive and this were the default setting for P3P in Europe.

- P3P requires the deployment of a P3P policy on the server side, whilst this is not a legal requirement arising from the Directive. A key point is that sites may be compliant with the Directive without being P3P-compliant, because a site can comply with the requirements of the Directive without publishing a policy statement (P3P or otherwise). P3P can therefore not be used as an instrument to assess compliance with the Directive.

As Jan Matlis has pointed out in his article in Computerworld [9], few web providers publish privacy policies at the moment. The list of such sites maintained at the P3P website underlines the presently small number of existing P3P-compliant providers. If P3P does not catch on, web users who embrace it may have to bend their own standards the majority of times they bring up new pages, until, as critics point out, they simply turn off the warning.



Conclusions


It is important not to overestimate the potential of P3P. It is a tool that only addresses one of the principles of the Directive, transparency, and certainly does not exempt controllers from complying with the provisions of the Directive as a whole. P3P could help individuals to manage their on-line privacy choices and therefore could, to an extent, help data controllers to comply with their legal obligations concerning transparency. However, P3P will not provide all the answers, and data controllers relying on it will have to rely on supplemental technologies and procedures in order to comply.


In order to be of any real value, the P3P protocol must operate within a suitable regulatory framework. There is a real danger that unscrupulous data controllers will merely use P3P technology as a means of reassuring data subjects (e-customers, website visitors or whoever) that they employ a high standard of privacy protection when this is not the case. As already mentioned, there is nothing in the P3P protocol that can guarantee that the data controller is operating within the terms of its stated protocol. The Working Party wishes to stress that it would take an extremely dim view of data controllers misusing P3P protocols, and that such misuse would constitute the unfair processing of personal data.


However, the idea behind P3P surely deserves to be welcomed: to provide a technical, standardised means of informing users about a website's privacy practices and to assist consumers with automatic interpretation of (sometimes long and complicated) privacy policies, and thus allay consumers' on-line privacy-related concerns. As many Internet users who care about personal privacy will have realised, there is a growing need for an effective, automated means to 'filter out' the sorts of websites to which they want to provide personal data or with which they want to interact at all.

The search for solutions to the identified shortcomings should therefore be encouraged. A more user-friendly and less complicated P3P tool, with privacy default settings in compliance with the provisions of the Directive, would surely be considered a useful tool as regards the transparency of the information provided to the Internet user.

[1] Please note that the issues raised in this paper apply to the P3P protocol as it presently stands and to any applications or tools based on this protocol.

[2] This text is available at: http://www.datenschutz-berlin.de/doc/int/iwgdpt/priv_en.htm

[3] Opinion 1/98 on Platform for Privacy Preferences (P3P) and Open Profiling Standard (OPS), adopted on 16 June 1998, WP 11, XV D/5032/98.

[4] Working Document: Privacy on the Internet - An integrated EU Approach to On-line Data Protection, adopted on 21 November 2000.

[5] See also the article by CAVOUKIAN, A. and GURSKI, M. (Information and Privacy Commissioner Ontario) and MULLIGAN, D. and SCHWARTZ, A. (Center for Democracy and Technology), P3P and privacy: an update for the Privacy Community, available at: http://www.cdt.org/privacy/pet/p3pprivacy

[6] Recommendation 2/2001 on certain minimum requirements for collecting personal data on-line in the European Union, adopted on 17 May 2001, WP 43.

[7] Lorrie Faith Cranor, Joel R. Reidenberg: Can user agents accurately represent privacy notices?, Discussion Draft 1.0, August 30, 2002.

[8] P3P and IE 6: Raising More Privacy Issues Than They Resolve?, by James A. Harvey and Karen M. Sanzaro, available at http://www.gigalaw.com/articles/2002-all/harvey-2002-02-all.html

[9] P3P, by Jan Matlis, October 28, 2002, available at http://www.computerworld.com/printthis/2002/0,4814,75389,00.html