Re: Mapping DNT to GDPR from David Singer on 2017-10-10 (public-tracking-comments@w3.org from October 2017)

From: David Singer <singer@apple.com>
Date: Tue, 10 Oct 2017 19:00:05 +0200
To: "public-tracking-comments w3.org" <public-tracking-comments@w3.org>, Robin Berjon <robin.berjon@nytimes.com>
Message-id: <D61B044C-2FEC-419E-8C45-5CD2224492B9@apple.com>

Is there a reason this conversation is on pub-tra-comments and not on the general mailing list for the WG, by the way?

> On Oct 10, 2017, at 18:46 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
> 
> Hi Robin,
>  
> The brief answer is “yes”. 
>  
> Our working assumption is that DNT:0 can be a valid indication of user consent as required by the current e-privacy directive (for access to non-exempt terminal storage, not just personal data), defined in the Data Protection Directive and the forthcoming GDPR ,and also one of the legal bases for processing personal data in the GDPR i.e. A6.1(a)
>  
> DNT:1 could also be an indication of the right to object (“by automated means using technical specifications” – A21.5)  for the public and legitimate interest bases (A6.1e, A6.1f). One complication is that the e-privacy directive does not have this idea of lawful processing, just that prior consent is required for access to storage – but best ask a lawyer about that one. 
>  
> We wait with bated breath to see what the new e-privacy regulation will say about all this.
>  
> Mike
>  
>  
> Best regards
>  
> Mike O’Neill
> Director
>  
> Baycloud Systems
> The Oxford Centre for Innovation
> New Road,
> Oxford,
> OX1 1BY
>  
> Tel: +44 1865 735619
> Email: michael.oneill@baycloud.com
> Skype: mikeoneill
>  
>  
>  
>  
> From: Robin Berjon [mailto:robin.berjon@nytimes.com] 
> Sent: 10 October 2017 16:05
> To: public-tracking-comments w3.org <public-tracking-comments@w3.org>
> Subject: Mapping DNT to GDPR
>  
> Dear TPWG,
>  
> I have walked through your documents and mailing list archives in search for an answer to my question but I cannot seem to find it. It is essentially two-fold and concerns the relationship between DNT and the GDPR from the point of view of a website. While I understand that legal questions may be tricky my understanding, which may be wrong, is that your current charter is designed to allow for better alignment with European privacy laws. I will therefore formulate my question in terms of use cases.
>  
> 1) Is the intent of the Tracking Preference Expression that `DNT:0` would convey consent in the sense of GDPR Article 4, definition 11, and Article 7?
>  
> 2) Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications".
>  
> Thank you very much for any information!
>  
> PS: Please do not read this message as indicating that the NYT will necessarily deploy DNT (or do so by the GDPR deadline); at this stage it is simply one aspect (amongst numerous others) that we are looking at.
> 
> -- 
> Robin Berjon
> The New York Times Company
> Executive Director, Data Governance
> robin.berjon@nytimes.com

David Singer
Manager, Software Standards, Apple Inc.

Received on Tuesday, 10 October 2017 17:01:04 UTC