The WG decided to remove this built-in data transfer mechanism, and thus leave the data transfer to external mechanisms not specified by P3P. Indeed, some form of data transfer will be needed, and such data transfer should be covered by privacy policies, hence the initial motivation for P3P.
The main disadvantage of removing this standardized data transfer mechanism is that users may be required to repeatedly enter the same data, once for each service that wants it. It was felt that providing a standardized mechanism for requesting data from a user, storing it in a local repository, and transferring it to servers who agree to the user's privacy preferences would be a huge benefit to users, both in time savings and privacy assurance. Consequently, services would benefit by having easier access to such data.
But recently the working group became aware that very few services which rely on obtaining user data for their business had planned to use the proposed P3P data transfer mechanism. Instead, they generally prefer to use the currently available HTML FORM fill-out or a proprietary mechanism such as "electronic wallets". The current specification allows P3P policies to cover such external data transfer mechanisms in any case, although more work is needed to specify how such mechanisms would interface with P3P software components on the client and server. Since we must support this interface to external mechanisms, and since there is a lack of demand for a built-in mechanism, the working group felt we should spend our time on other issues.
Some critics of P3P have feared that a data transfer mechanism built-in to P3P could lead to breaches of privacy rights either: a) because of faulty implementations that allowed data transfers without adequate user agreement, or b) web services might cause data transfer to occur in a manner contrary to their stated privacy policies. Whether or not P3P includes a data transfer mechanism, it will be the responsibility of those who collect data to do so in a manner than complies with privacy policies declared through P3P and consistent with any other existing legal constraints.
Given all these reasons for removing the data transfer mechanism from P3P, and a lack of strong interest for keeping it, the P3P Specification Working Group has decided to proceed with the removal. The P3P specification drafts will also be augmented to further specify how external data transfer mechanisms may interface with P3P preference matching mechanisms.
Comments are invited regarding these issues and our decision. Please write to email@example.com.