- From: Lauren Gelman <gelman@blurryedge.com>
- Date: Mon, 23 Jan 2012 19:18:51 -0800
- To: public-tracking@w3.org
Anyone watching this discussion has to be thinking about the relationship with consent...

NYT: Europe Weighs Tough Law on Online Privacy
http://www.nytimes.com/2012/01/24/technology/europe-weighs-a-tough-law-on-online-privacy-and-user-data.html?_r=1&partner=rss&emc=rss

On Jan 23, 2012, at 1:33 AM, <Frank.Wagner@telekom.de> wrote:

> Hi Ninja,
>
> You are right. It's Issue-14, "How do what we talk about with 1st/3rd party relate to European law about data controller vs data processor?", which Rob and I are working on. I drafted a first text; the feedback from Rob is still pending. He just wanted to do some additional work, a bit more related to the EU Directive than my first draft was. Results are still pending... Sorry.
>
> Best regards, CU tomorrow
> Frank
>
> Deutsche Telekom AG
> Service Headquarters, Group Privacy
> Frank Wagner
> Deutsche-Telekom-Allee 7, 64295 Darmstadt, Germany
> +49 6151 937-3514 (Phone)
> +49 521 9210-1175 (Fax)
> +49 175 181-9770 (Mobile)
> E-Mail: frank.wagner@telekom.de
> www.telekom.com
>
> Life is for sharing.
>
> Deutsche Telekom AG
> Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
> Board of Management: René Obermann (Chairman),
> Dr. Manfred Balz, Reinhard Clemens, Niek Jan van Damme,
> Timotheus Höttges, Claudia Nemat, Thomas Sattelberger
> Commercial register: Amtsgericht Bonn HRB 6794
> Registered office: Bonn
>
> Big changes start small - conserve resources by not printing every e-mail.
>
> -----Original Message-----
> From: Ninja Marnau [mailto:nmarnau@datenschutzzentrum.de]
> Sent: Sunday, 22 January 2012 14:02
> To: Wagner, Frank
> Cc: aleecia@aleecia.com; public-tracking@w3.org
> Subject: Re: Request for thoughts: US, EU, and international DNT
>
> Hi Frank,
>
> great to hear that you want to participate. I am looking forward to meeting you on Tuesday.
>
> Do I remember correctly that you and Rob work on the issue of in which way 1st party/3rd party relate to data controller/data processor? I think it would be very helpful to combine these two topics. Do you already have a draft for this issue, which I can read to prepare for the meeting?
>
> Best regards,
>
> Ninja
>
> On 22.01.2012 12:12, Frank.Wagner@telekom.de wrote:
>> Greetings,
>>
>> I am highly interested in participating on this issue. Let's talk at the f2f meeting about how to organize it.
>>
>> Best, have a good trip!
>> Frank
>>
>> On 10.01.2012 at 11:27, "Aleecia M. McDonald" <aleecia@aleecia.com> wrote:
>>
>>> Greetings,
>>>
>>> I've been giving some thought to how we can make our work relevant in the EU and US, despite some strong differences. Nations have borders but the Internet does not. How can we support different regional cultures, norms, and laws on the Internet? I am putting this out as some things to think about and discuss further.
>>>
>>> Here are a few of my starting assumptions:
>>>
>>> * In the US, a first v. third party distinction is very important to businesses. In many (but not all) EU countries, first party is not an interesting or meaningful way to look at things.
>>> * Key word in Europe: Consent
>>>   - Users who do not consent to data practices must have their privacy protected.
>>>   - A global consent may not be sufficient; consent must be particular to a company and to a description of data use (in at least some countries)
>>>   - We should at least address Article 5(3) of the 2002 ePrivacy Directive [1]
>>>   - There is wide interest in finding a way to implement the revised framework of the Article 5(3) ePrivacy Directive without a deeply painful (on business or users) implementation, and DNT may help [2]
>>>   - The exemptions we consider would not be valid in the EU without specific consent [3]
>>> * Key word in US: Choice
>>>   - Users who choose to interact with a site do not need as much privacy protection as they do from sites they do not choose to interact with
>>>   - We should at least fulfill the requirements for DNT set out in the FTC staff report [4]
>>>   - We should co-exist with existing industry self-regulation mechanisms [5]
>>>
>>> Here are three areas where I think we can have a uniform underlying technical standard that is flexible enough to accommodate different national and regional policy priorities:
>>>
>>> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable DNT, DNT: 0 means do not enable DNT, and nothing sent means users have not made a selection. In the US, no DNT signal gets viewed as "users did not choose to enable DNT" and treated as DNT: 0. In some of the EU, no DNT signal gets viewed as "users did not consent to tracking" and treated as DNT: 1.
>>>
>>> (B) In the US, site-specific exceptions will allow users to "opt back in" for specific first and third party pairs (perhaps along the likes of what Shane and Nick co-authored). In the EU, some (but not all) countries will require consent on a site-by-site basis, rather than a global "DNT: 0" signal or no DNT signal at all. The site-specific exemptions mechanism becomes the path to enable users to consent per site.
>>>
>>> (C) In the US, first parties have minimal responsibilities when receiving a DNT: 1 signal (perhaps along the lines of what Jonathan and Tom co-authored). In some (but not all) EU countries, there may be nothing that applies globally to all first and third parties (and more to the point, the data controller), perhaps making the first/third party distinction irrelevant.
>>>
>>> I think this could be good enough in enough different ways for enough different interests. I'd like to hear other reactions. Does anyone have better or simpler ideas? Is this still too US-centric to work in Europe?
>>>
>>> If we find something we think will work, we could add a non-normative section to one of the specifications, or we could issue a note. Either way, I think specifications shouldn't be hard-coded to specific regulations and laws. However, since I think this approach could be confusing to those implementing the specification, I would like to give implementors a fighting chance by providing our opinions (and not legal advice!) with pointers to additional information. How does this approach sound?
>>>
>>> And last but not least: any volunteers to work on these topics?
>>>
>>> Aleecia
>>>
>>> Thanks to a few TPWG members for taking time to step me through some of the issues here. All mistakes are, of course, my own.
>>>
>>> Citations and useful reading:
>>>
>>> [1] For the before & after versions of 5(3), see [7], p 7
>>> [2] See slides from Carl Christian Buhr, a member of Commissioner Kroes' Cabinet (European Commission), particularly slides 11-13, suggesting DNT could satisfy 5(3): http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
>>> [3] As per 5(3), "Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user" is a given, but are other exemptions allowed? Recital 25 reads to me as: yes with consent, and no without consent. For example, billing for ad impressions is not part of the service explicitly requested, and seems to require informed consent. See [7], p 8
>>> [4] FTC staff report, starting p 63, http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
>>> [5] In particular, it would be unfortunate if DNT off with an opt-out cookie was interpreted one way by self-regulatory bodies, and another way in the DNT recommendations. We likely will reach different end points than the self-regulation guidelines, but they remain a very fruitful source of background information, including the recent multi-site data principles (http://www.aboutads.info/msdprinciples) and the OBA principles (http://www.aboutads.info/obaprinciples).
>>> [6] A very readable summary of [7] discussing where industry self-regulation is seen to fall short of 5(3): http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie
>>> [7] The actual report itself: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf (COCOM10-34, Implementation of the revised Framework - Article 5(3) of the ePrivacy Directive)
>>> [8] The whole text is worth at least skimming, including a brief note on children under 12. In particular the section on consent for cookies starting on p 8, and examples of consent not using pop ups on p 9: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf
>
> --
>
> Ninja Marnau
> mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
> Phone: +49 431/988-1285, Fax +49 431/988-1223
> Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
> Independent Centre for Privacy Protection Schleswig-Holstein

Lauren Gelman
BlurryEdge Strategies
415-627-8512
gelman@blurryedge.com
http://blurryedge.com
Received on Tuesday, 24 January 2012 03:19:21 UTC
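The tri-state signal in Aleecia's point (A) and the per-site "opt back in" of point (B), as an added example that is not part of this thread or of the TPWG drafts: a Python decision function that reads one DNT header value under the two policy readings she sketches. The regime names, the `strictly_necessary` flag (modelled on the 5(3) exemption quoted in note [3]), the decision rule for malformed headers and the sample requests are all assumptions constructed for the illustration; the thread itself supplies only the mapping of absent/0/1 and the idea that a site-specific exception can stand in for per-site consent.

```python
"""Tri-state DNT header under two policy readings (added example).

Constructed for this thread; it is not code from the TPWG drafts or from
anyone in the discussion. Regime names, the strictly_necessary flag, the
decision rule and the sample requests are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# (A): "DNT: 1" = enable DNT, "DNT: 0" = do not enable DNT,
# no header = the user has not made a selection.
DNT_ON, DNT_OFF = 1, 0


def parse_dnt(header_value: Optional[str]) -> Optional[int]:
    """Return 1, 0, or None (not sent).

    Only an exact "0" or "1" counts. A malformed value is deliberately
    folded into "not sent" (assumption): a garbage header must never be
    read as an opt-in, and the regime decides what "not sent" means.
    """
    if header_value is None:
        return None
    value = header_value.strip()
    if value == "1":
        return DNT_ON
    if value == "0":
        return DNT_OFF
    return None


@dataclass(frozen=True)
class Regime:
    name: str
    absent_means: int                # (A): reading of a missing header
    per_site_consent_required: bool  # (B): is a global DNT:0 insufficient?


# US reading: no header is treated as DNT:0; a global DNT:0 is enough.
US_CHOICE = Regime("us_choice", DNT_OFF, False)
# Consent reading: no header is treated as DNT:1; consent is per site pair.
EU_CONSENT = Regime("eu_consent", DNT_ON, True)


@dataclass(frozen=True)
class Request:
    first_party: str            # site the user navigated to
    third_party: str            # embedded party deciding whether to track
    dnt_header: Optional[str]   # raw header value; None if not sent
    strictly_necessary: bool = False  # note [3]'s 5(3) exemption (assumed flag)


SiteExceptions = FrozenSet[Tuple[str, str]]


def may_track(req: Request, regime: Regime,
              site_exceptions: SiteExceptions = frozenset()) -> bool:
    """Decide whether third_party may track this request.

    site_exceptions holds (first_party, third_party) pairs for which the
    user has opted back in via a site-specific exception, as in (B).
    """
    if req.strictly_necessary:
        # Storage/access needed to deliver the requested service is
        # outside the opt-in question under both readings.
        return True
    if (req.first_party, req.third_party) in site_exceptions:
        # Explicit per-site opt-in outranks the global signal.
        return True

    signal = parse_dnt(req.dnt_header)
    if signal is None:
        signal = regime.absent_means
    if signal == DNT_ON:
        return False
    # signal == DNT_OFF: enough on its own only where a global opt-out of
    # DNT counts as consent; otherwise only the per-site path allows it.
    return not regime.per_site_consent_required


# Constructed sample requests: four header variants seen by one third
# party embedded on news.example, plus one strictly-necessary case.
SAMPLE: List[Request] = [
    Request("news.example", "ads.example", None),
    Request("news.example", "ads.example", "1"),
    Request("news.example", "ads.example", "0"),
    Request("news.example", "ads.example", "yes"),   # malformed
    Request("news.example", "cdn.example", "1", strictly_necessary=True),
]
EXCEPTIONS: SiteExceptions = frozenset({("news.example", "ads.example")})


def decide_all(regime: Regime, exceptions: SiteExceptions = frozenset()) -> List[bool]:
    """Apply may_track to SAMPLE in order; returns one verdict per request."""
    return [may_track(r, regime, exceptions) for r in SAMPLE]


if __name__ == "__main__":
    for regime in (US_CHOICE, EU_CONSENT):
        print(regime.name, "no exception:  ", decide_all(regime))
        print(regime.name, "with exception:", decide_all(regime, EXCEPTIONS))
```

The point the table makes is the one the thread circles around: the same absent header yields opposite verdicts under the two readings, a malformed header should collapse to "not sent" rather than to an opt-in, and the per-site exception is the only input that produces the same answer everywhere. It is a policy table for implementers to reason with, not legal advice.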