RE: Mapping DNT to GDPR

Hi Robin,

The brief answer is “yes”.

Our working assumption is that DNT:0 can be a valid indication of user
consent as required by the current e-privacy directive (for access to
non-exempt terminal storage, not just personal data), defined in the Data
Protection Directive and the forthcoming GDPR, and also one of the legal
bases for processing personal data in the GDPR, i.e. A6.1(a).

DNT:1 could also be an indication of the right to object (“by automated
means using technical specifications” – A21.5) for the public and
legitimate interest bases (A6.1e, A6.1f). One complication is that the
e-privacy directive does not have this idea of lawful processing, just that
prior consent is required for access to storage – but best ask a lawyer
about that one.

We wait with bated breath to see what the new e-privacy regulation will say
about all this.

Mike

Best regards

Mike O’Neill
Director

Baycloud Systems
The Oxford Centre for Innovation
New Road,
Oxford,
OX1 1BY

Tel: +44 1865 735619
Email: michael.oneill@baycloud.com
Skype: mikeoneill

From: Robin Berjon [mailto:robin.berjon@nytimes.com]
Sent: 10 October 2017 16:05
To: public-tracking-comments w3.org <public-tracking-comments@w3.org>
Subject: Mapping DNT to GDPR

Dear TPWG,

I have walked through your documents and mailing list archives in search of
an answer to my question but I cannot seem to find it. It is essentially
two-fold and concerns the relationship between DNT and the GDPR from the
point of view of a website. While I understand that legal questions may be
tricky, my understanding, which may be wrong, is that your current charter is
designed to allow for better alignment with European privacy laws. I will
therefore formulate my question in terms of use cases.

1) Is the intent of the Tracking Preference Expression that `DNT:0` would
convey consent in the sense of GDPR Article 4, definition 11, and Article 7?

2) Is the intent of the TPE that `DNT:1` would convey a user's objection to
processing in the sense of GDPR Article 21, specifically paragraph 5
concerning the "right to object by automated means using technical
specifications"?

Thank you very much for any information!

PS: Please do not read this message as indicating that the NYT will
necessarily deploy DNT (or do so by the GDPR deadline); at this stage it is
simply one aspect (amongst numerous others) that we are looking at.

-- 
Robin Berjon
The New York Times Company
Executive Director, Data Governance
robin.berjon@nytimes.com

Received on Tuesday, 10 October 2017 16:47:37 UTC