Changes to make for Art. 10 Compliance

Giles has added the new jurisdiction text:

Purpose specification:

Include a note about requirements for the EU in the user agent specifications. Suggested text:

For user-agents subject to European Union law, human readable information on the purpose of collection should be presented to the user before any information is captured. This can be achieved on 2 levels. First, human readable translations of policies for action URIs of forms should be presented along with forms. In its strictest interpretation, information on purposes should be available before any page is loaded. This might be achieved by a privacy tab which is synchronised to display information before pages load, or by including information which is displayed on clicking a link.

Jurisdiction Disclosure:

We suggest that a Jurisdiction extension be added to the recipient element:

[??]
Extension    = Jurisdiction `</Extension>`
Jurisdiction = `<JURISDICTION name=` quotedstring
               `EU`
               `US Safe Harbour`
               `Other`
               `/>`

Example:

				<RECIPIENT>
					<EXTENSION><JURISDICTION name="EU"></JURISDICTION>
					</EXTENSION>
				</RECIPIENT>
			

Text for specification:

The jurisdiction extension element allows user agents to make judgements about the trustworthiness of a data recipient based on the regulatory environment they are placed in. For example, organizations within the European Union can be assumed to comply with European data protection law. Some jurisdictions prohibit transfer of data to certain other jurisdictions without the explicit consent of the data subject. Therefore declaring a data transfer activity using the P3P jurisdiction extension is not sufficient to guarantee its legality.
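As an added illustration (not part of the proposal or of any P3P implementation), the Python below shows how a user agent could read the jurisdiction extension from a policy and reach a decision for each recipient. The decision labels, the `agent_jurisdiction` parameter, the un-namespaced element matching and the sample policy are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Values listed for the name attribute in the proposed grammar above.
KNOWN_JURISDICTIONS = {"EU", "US Safe Harbour", "Other"}

def declared_jurisdictions(policy_xml):
    """Return one list of JURISDICTION names per RECIPIENT element."""
    # Policies are fetched from remote sites: refuse DTDs outright
    # rather than risk entity-expansion attacks on the parser.
    if "<!DOCTYPE" in policy_xml.upper():
        raise ValueError("DOCTYPE not allowed in policy")
    root = ET.fromstring(policy_xml)
    return [[j.get("name") for j in rec.findall("EXTENSION/JURISDICTION")]
            for rec in root.iter("RECIPIENT")]

def evaluate(policy_xml, agent_jurisdiction="EU"):
    """Map each RECIPIENT to a user-agent decision (hypothetical labels)."""
    decisions = []
    for names in declared_jurisdictions(policy_xml):
        if not names:
            decisions.append("undeclared")          # no extension present
        elif any(n not in KNOWN_JURISDICTIONS for n in names):
            decisions.append("invalid")             # value outside the grammar
        elif all(n == agent_jurisdiction for n in names):
            decisions.append("same-jurisdiction")
        else:
            # A declaration alone does not make the transfer legal:
            # the agent still has to obtain the data subject's consent.
            decisions.append("ask-consent")
    return decisions

# Constructed sample policy, not taken from a real site.
SAMPLE = """<POLICY>
  <RECIPIENT><EXTENSION><JURISDICTION name="EU"></JURISDICTION></EXTENSION></RECIPIENT>
  <RECIPIENT><EXTENSION><JURISDICTION name="US Safe Harbour"/></EXTENSION></RECIPIENT>
  <RECIPIENT><EXTENSION><JURISDICTION name="Mars"/></EXTENSION></RECIPIENT>
  <RECIPIENT></RECIPIENT>
</POLICY>"""

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```
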

Cookies

Suggested text:

For browsers operating within European Union jurisdiction, policies must be evaluated before a cookie is set and not on replay. This is because European Data Protection authorities consider the storage of cookies on a user's computer to be an act of data processing; the fact that the place of storage is the user's machine is considered immaterial to the act of processing.

Security issues:

Use the existing disputes attribute, which is a placeholder for seals of any type (which can then be included in the browser's list of approved seals, along with a type attribute).

Accompanying text:

In order to assure users of good security practices in handling data captured through their site, policy writers may also use this attribute to specify seals (such as CPA WebTrust and Shop Smart) validating their security practices.