Re: Mapping DNT to GDPR

Hi Robin,

I continue to research your questions - in doing so I downloaded a paper written by:

Frederik J. Zuiderveen Borgesius
University of Amsterdam - IViR Institute for Information Law (IViR)

Aleecia M. McDonald
Stanford University

You can find it online here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2588086 It’s an interesting read, however what I find most startling is the COMPLETE omission of the General Data Protection Regulation which is legally binding in May 2018.

Anyway, continuing on. First let’s recap your questions and see if the paper can offer us any worthwhile answers?

  1.  Is the intent of the Tracking Preference Expression that `DNT:0` would convey consent in the sense of GDPR Article 4, definition 11, and Article 7?
  2.  Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications"?

Our first hint comes on page 16: I highlight the word ‘hope’. (Hope is neither a legal term nor useful in programming logic.)

  *   Do Not Track is not a technical mechanism that fundamentally changes how web browsers work. Instead, Do Not Track enables people to send a request into the world, with the hope someone will listen and do something.

Our next hint comes on page 18: Now the table has been set - Privacy is clearly based on geographic location.

  *   For United States users, the absence of a Do Not Track signal means users have not made a choice for privacy, and it is acceptable to continue to track them.
  *   For European users, the absence of a Do Not Track signal means they have not consented to tracking, and it is not acceptable to track them.

It then goes on to say:

  *   "In the absence of regulatory, legal, or other requirements, servers may interpret the lack of an expressed tracking preference as they find most appropriate for the given user, particularly when considered in light of the user's privacy expectations and cultural circumstances."

In the US there are NO regulatory, legal or other requirements - except 1 - California which we’ll discuss later. In the EU there is GDPR and ePr Dir. So in essence we have now ‘forked’ privacy into three regions globally - the US, California and the EU. The default setting for the EU is that they MUST opt-in - this is the equivalent of the DNT:1 signal being transmitted continuously.

At the end of page 18 the paper obliquely references the tracking compliance scope which has now been abandoned.

The paper then makes this statement:

  *   We believe a single European standard that will comply across multiple countries is the most practical approach. Such a standard does not need to come from the W3C Do Not Track group.

The message here is quite clear - the EU needs to come up with their own standard as DNT will not be sufficient. Or do they? On the one hand both editors of the Do Not Track protocol and one of the authors of this paper have said that it is sufficient for Europe, and yet the paper as written contradicts that.

It can’t be both.

Now let's move on to Territorial Scope:

  *   The DNT Group discussions about Global Considerations followed the approach that a country's law is relevant for website visitors who live in that country.

Again we return to the fact that Privacy is now determined on real time geographic location and here we can now introduce the California regulation AB370 which requires websites to document how they respond to Do Not Track.

  *   Companies have a choice between trying to determine where each user is located and showing Do Not Track information just to Californians, or the far easier path of adding a paragraph to their privacy policy and informing all visitors about their DNT practices. As a result, CA AB 370 has become a de facto national law in the United States requiring Do Not Track disclosure in privacy policies, including mobile apps.

However as the law states:

  *   The AG's Office added that "all the major browser companies have offered Do Not Track browser headers that signal to websites an individual's choice not to be tracked," but that there was "no legal requirement for sites to honor the headers." Because the new law will only require disclosures in a business' privacy policy, the AG's Office has emphasized that "A.B. 370 is a transparency proposal—not a Do Not Track proposal."

There is NO enforcement mechanism ergo a quick update to your privacy policy which is never enforced is all that is required. This renders DNT impotent everywhere in the US.

In closing out this section it sums up nicely the complexity the Europeans face:

  *   In sum, in many situations, EU data protection and privacy rules apply to non-European companies.

On Page 22… the paper makes mention of the fact that they ‘believe’ Do Not Track can work. I equate believe and hope with wishing - not a very practical form of execution in a legal environment.

We all know that GDPR requires meaningful consent (except in the case of compelling legitimate interest) - On Page 24 the paper states: Valid consent requires an expression of will, which generally calls for an opt-in procedure, rather than the current opt-out.

And now we are getting VERY close to answering your first question…

  *   'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

We now need to refer to Isabelle Falque Pierrotin, Re:Article 29 Data Protection Working Party comments in response to W3C's public consultation on the W3C Last Call Working Draft, 24 April 2014, Tracking Preference Expression (DNT) (June 6, 2004.)

There are several key issues in the draft specification that risk undermining the usefulness of the standard in a European context. These issues create a real risk that Do Not Track (DNT) remains a sugar pill, from an enforcement point of view, instead of evolving into a valid and robust solution.

The six key issues are: (1) terminology, (2) the fact that the specification does not ensure automatic expiration of a tracking preference, (3) doubt whether data controllers will  respect user tracking preference, (4) inclusion of a definition of de-identification, as it does not match with the definition of anonymisation in European data protection law, (5) the risk of undermining valid consent by an ambiguous server response of 'potential consent' and ambiguous use of 'disregarding', and (6) the lack of special considerations for users with special needs. These issues are explained in more detail in the Annex to this letter.

Digging further we focus in on items 2 and 3…

  *   Under European data protection law, personal data must be adequate and accurate, and stored no longer than necessary. In order to comply with these requirements, the introduction of an automatic expiration feature is necessary to allow users to exercise effective control. Therefore, the Working Party recommends adding this requirement to the building blocks.

  *   Respecting a user tracking preference. It is important that it is clear for data controllers to which activities the user consents. A DNT:0 signal must not be interpreted by a data controller as consent for anything other than clearly defined tracking activities. In the absence of fully informed user choice, e.g., DNT is unset, a data controller, or a data processor acting on behalf of the data controller, should assume that a user is not aware of tracking. He must therefore ask for consent prior to tracking. Moreover, the Working Party would like to note that, in order to put the user back into control, any tool for managing consent should be implemented at the user agent level.

And now we have your answer to BOTH of your questions:

  1.  If a browser request originates in the EU with a DNT setting of ‘unset’ OR DNT:1 then the Data Controller MUST ask for consent
  2.  An AUTOMATIC EXPIRATION feature MUST be present to allow the users to exercise effective control
  3.  ANY tool that manages consent should be implemented at the user agent level

The paper then continues on to talk about the requirements for a European consent mechanism - page 30. But makes MANY erroneous assumptions!

  1.  First, companies must not collect data for behavioral targeting about Europeans that do not express a preference. Silence is not consent after all
  2.  If somebody visits a website and signals Do Not Track, the website and its partners should not follow that person's activities. No tracking should generally mean no data collection of personally identifiable information, which includes unique identifiers. Some minor exceptions may be allowed for this rule. For instance, in some cases website publishers may store the IP address of certain visitors for a short period, for security reasons for example. This could fit under the balancing provision of data processing. Note that first parties are not exempt.
  3.  Consent must occur before uniquely identifiable cookies are set, not just before data is collected or processed.
  4.  Users must have a way to revoke their consent at a later time. This could be as simple as reversing their Do Not Track preference in a web browser.

------

  *   In the EU meaningful consent is a requirement so a web wide signal is meaningless

  *   Consent MUST occur BEFORE uniquely identifiable cookies are set - which means that nothing can take place until meaningful consent is acquired and recorded

  *   Users MUST have a way to revoke consent - agreed! Setting a global web wide Do Not Track preference in the browser is meaningless as it would affect ALL consents

We now move into the final section of the paper…

Conclusion…

The paper states:

  *   Let us conclude. First, a Do Not Track system for Europe is possible, and the work of the World Wide Web Consortium (W3C) on the Do Not Track standard was originally designed to support European compliance. Second, a European Do Not Track standard could emerge from W3C, or from elsewhere. Third, implementers do not need to wait for a standard, and indeed, there are current DNT implementations that are likely very close to compliant with European law, as shown in Appendix A.

This is a contradictory paragraph and in my opinion meaningless. The charter of the W3C is to design a global standard. Either it is global or not. Clearly in the case of the EU it is not. It works in CA only because there is no enforcement requirement, only transparency, and all that is required is an updated privacy policy page.

Perhaps the most compelling part of this paper is the final paragraph on page 33… This paragraph sums up the banality of the Do Not Track protocol.

  *   Individual companies are able to engineer their own European-compliant implementation of Do Not Track. There is no technical barrier to meeting even the most privacy-preserving national laws. That said, web browsers do not enforce Do Not Track policy, let alone to a level that would comply with European laws. Indeed, not one of the companies with a major browser – Apple, Google, Microsoft, Mozilla, Opera – implements Do Not Track on their own websites; they ignore the signals that come from their own browsers. Browser add-ons or plugins, including Privacy Badger, Disconnect, and AdBlock, block tracking without consent for Do Not Track users. This approach inverts the model to one of requiring consent first, rather than putting the burden on users to know how to opt out, and may well provide a user experience that accords with European privacy law.

Browsers don’t enforce anything. Regulations are there to enforce - browsers are there to enable the enforcement (or not as in the case of GDPR). The authors conclude that if you want privacy or the illusion of privacy simply add a browser extension. The fact that extensions don’t work on mobile browsers is NOT mentioned. For privacy to have meaning regulations must have meaning and weight in a court of law. Penalties must be enforced otherwise the privacy of the user becomes meaningless.

For my summary I’m going to point to Appendix A in the paper that starts on Page 35.

Here is the rough logic of how AP News could modify their system to align with European privacy law:

IF user is in the EU
THEN
    IF DNT:0 /* there is consent to track */
    THEN read, set, and process unique identifiers as today
    ELSE treat as DNT:1 is today; delete cookies
ELSE /* applies only to non-EU users */
    proceed exactly as today

This logic inverts from an opt-out system of data processing to an opt-in system for European users, but not for users who reside elsewhere. It would, of course, be simpler to treat all visitors with the same privacy protections EU law affords, but that seems unlikely in practice for financial reasons.

This is deeply flawed.

  *   If the user is in the EU - how do you know where the user is? Regionalized browsers are irrelevant - I can use a US regionalized browser anywhere in the EU but that does not allow you to ignore GDPR.

  *   If DNT:0 (no current browser supports this setting) - this means the same as DNT unset - which instantly means meaningful consent is REQUIRED - if you’re in the EU there is NO SUCH THING AS DNT:1 or 0, there is ONLY consent.

  *   Delete cookies - you MUST NOT install ANY cookies on a user's device UNTIL consent is obtained.

Now for the really, really difficult part. I urge you to install the BayCloud Bounder Extension for Chrome browsers. Make sure you turn off ALL ad blockers and then visit the nytimes.com web site.

You will see that there are 10 first party domains and 76 third party domains.

Every one of those will require separate meaningful consent. That means a mechanism must be designed that allows for a minimum of say 100 ‘exceptions’ with time expirations. It will have to work across all devices and on every web site.

This paper as written points to the ineffectiveness of the Do Not Track protocol for the EU privacy regulations. The authors realize this and in closing point to the real answer…

  *   It would, of course, be simpler to treat all visitors with the same privacy protections EU law affords, but that seems unlikely in practice for financial reasons.

And therein lies the answer. It’s unlikely in practice for financial reasons. If GDPR is enforced with the appropriate fines then companies will need to find alternative methods to sustain their business models. Do Not Track as written cannot enable that.

Unless someone can contradict this with the appropriate logic and pointers, then the answer to your two questions remains:

No.



Peter

Peter Cranstone
CEO, 3PHealth

COMS:
Mobile/Signal: +1 303-809-7342 UTC -6hrs
Skype: cranstone
Website | www.3phealth.com (Healthcare Patient Engagement and Data Interoperability)
Website | www.3pmobile.com (Privacy by Design Platform for GDPR and ePrivacy reg.)


Received on Monday, 16 October 2017 17:02:19 UTC
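An added illustration (constructed here, not code from the paper or from the message's author) of the consent rules the message draws from the Article 29 Working Party letter: in the EU no DNT value counts as consent, consent is specific to one controller, it expires automatically and it can be revoked; the region, user and controller values are assumed.

```python
# Constructed example: a request-time consent gate modelling the rules
# quoted in the thread. Times are integer Unix timestamps so the example
# needs no external clock.

EU = "EU"

def parse_dnt(headers):
    """Return '0', '1' or None (unset or invalid) from a header dict."""
    value = headers.get("DNT")
    return value if value in ("0", "1") else None

class ConsentStore:
    """Per-(user, controller) consent records with automatic expiration."""
    def __init__(self, max_age=180 * 86400):
        self.max_age = max_age   # seconds until a consent record expires
        self.records = {}        # (user, controller) -> expiry timestamp

    def grant(self, user, controller, now):
        # Consent is recorded per controller, never as a web-wide flag.
        self.records[(user, controller)] = now + self.max_age

    def revoke(self, user, controller):
        # Revoking one consent leaves consents for other controllers intact.
        self.records.pop((user, controller), None)

    def is_valid(self, user, controller, now):
        expiry = self.records.get((user, controller))
        return expiry is not None and now < expiry

def decide(region, headers, store, user, controller, now):
    """Return 'TRACK', 'NO_TRACK' or 'ASK_CONSENT'.

    'ASK_CONSENT' means no identifying cookie may be set on this response.
    """
    dnt = parse_dnt(headers)
    if region != EU:
        # Non-EU: the opt-out model the paper's Appendix A leaves unchanged.
        return "NO_TRACK" if dnt == "1" else "TRACK"
    # EU: the header, whether unset, 0 or 1, is not consent. Only a specific,
    # unexpired consent record for this controller permits tracking.
    if store.is_valid(user, controller, now):
        return "TRACK"
    return "ASK_CONSENT"
```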