W3C home > Mailing lists > Public > public-tracking-international@w3.org > January 2013

RE: Doodle poll for meeting, please respond ASAP & DNT:0 action-346 issue-189

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Sat, 12 Jan 2013 20:16:45 +0000
To: "Mike O'Neill" <michael.oneill@baycloud.com>, "'Rigo Wenning'" <rigo@w3.org>
CC: "public-tracking-international@w3.org" <public-tracking-international@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <DCCF036E573F0142BD90964789F720E3135E31FF@GQ1-EX10-MB04.y.corp.yahoo.com>
Mike,

Don't you believe it's a bit premature to integrate elements of an unofficial version of the Data Protection Regulation into the de-identification discussion?  There is still considerable time (in parliamentary terms) for the draft regulation to undergo significant changes prior to voting.

As for the compliance and scope document not aligning with yet to be official EU regulation, this is purposeful and is what the Global Considerations document is meant to address.

- Shane

From: Mike O'Neill [mailto:michael.oneill@baycloud.com]
Sent: Saturday, January 12, 2013 8:52 AM
To: 'Rigo Wenning'
Cc: public-tracking-international@w3.org; public-tracking@w3.org
Subject: RE: Doodle poll for meeting, please respond ASAP & DNT:0 action-346 issue-189




The European Parliament's Civil Liberties, Justice & Home Affairs committee has published a report on the draft General Data Protection Regulation (DGDPR) which introduces alleviations on data controllers for the use of pseudonymous identifiers. This is similar in concept to the "de-identification" of data for which the meetings in Washington DC and Brussels have been called to discuss. The report also explicitly refers to our W3C Tracking Protection standards.



This report is therefore extremely germane to one of the topics for this group, namely the definition of DNT:0



The new Regulation is expected to come into force this year (although Member States have a further 2 years to enact it) and the views of this crucial committee of democratically elected representatives will inevitably be strongly represented in the final draft. This is important as it refers explicitly to our work and points to the legal context our standard  will ultimately operate under in Europe.



Referring to this report, in the Explanatory Statement paragraph headed Strengthening individuals' rights our standard is referenced:



As the Regulation implements a fundamental right, a limitation of the material scope, particularly as regards the definition of "personal data", by for instance introducing subjective elements relating to the efforts the data controller should make to identify personal data is rejected. The concept of personal data is further clarified with objective criteria (Article 4(1); Recitals 23 24) . Legitimate concerns regarding specific business models can be addressed without denying individuals their fundamental rights. In this context the rapporteur encourages the pseudonymous and anonymous use of services. For the use of pseudonymous data, there could be alleviations with regard to obligations for the data controller (Articles 4(2)(a), 10), Recital 23).



Consent should remain a cornerstone of the EU approach to data protection, since this is the best way for individuals to control data processing activities. Information to data subjects should be presented in easily comprehensible form, such as by standardised logos or icons (Article 11(2a),(2b)). Technical standards that express a subject's clear wishes may be seen as a valid form of providing explicit consent (Articles 7(2a), 23).



This is made more explicit in Amendment 105 to Article 7 of the DGDPR which introduces a new paragraph (2 a):



If the data subject's consent is to be given in the context of the use of information society services where personal data are processed only in the form of pseudonyms, consent may be given by automated means using a technical standard with general validity in the Union in accordance with paragraph 4c, which allows the data subject to clearly express his or her wishes without collecting identification data.



Justification

This allows for the use of standards such as "Do Not Track", combined with an incentive to use only pseudonymous data based as found e.g. in 15 of the German Tele-Media Law. In order to ensure such a standard is in line with this Regulation, it needs to be approved by the Commission. See related amendments to Articles 4(2a), 7(4c) and Recital 23.



Pseudonymous identifiers are defined in Amendment 85 to Article 4 - introducing new text:



'pseudonym' means a unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject;



Note the qualification that pseudonyms are specific "to one given context". This requirement is repeated in Amendment 117 to Article 10



If the data processed by a controller do not permit the controller to identify or single out a natural person, or consist only of data relating to pseudonyms, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.



Justification

Data controllers may use a unique identifier for the same person across different services and contexts, while still not being able to identify a natural person on their basis. Pseudonyms as defined in the amendment to Article 4 are limited to a specific context. The amendment makes clear that the article applies to both cases...



Two points arise from this that we should discuss:

         The DNT signal is referred to as a Consent signal (for pseudonymous identifiers). This must mean the DNT:0 User Granted Exception. In this context the absence of a DNT signal or if it is set (DNT:1) would mean that consent had not been given and so no unique identifiers should be used, pseudonymous or otherwise.

         If DNT:0 is indicated, taken as the signaling of explicit user consent by automated means, then pseudonymous identifiers may be used but only in a single context. This must mean that an advertiser, say using their domain origin clickads.com, can only use identifiers within that domain i.e. they must not be shared with other entities, and they must not be associated with other data that could identify the user as a natural person, such as their name, address, email address etc.



The current compliance document is incompatible with both these points because

a.       It assumes that an unset DNT signal is equivalent to DNT:0.

b.      The DNT:0 signal would signify that identifying data can be shared between entities without a need for further explicit informed consent



Cheers,



Mike



-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org]
Sent: 08 January 2013 18:54
To: David Wainberg
Cc: public-tracking-international@w3.org<mailto:public-tracking-international@w3.org>
Subject: Re: Doodle poll for meeting, please respond ASAP



David, Chris,



the topics in this task force are very limited. I enumerated them in the kick-off email:



http://lists.w3.org/Archives/Public/public-tracking-international/2012Nov/0000.html



1/ Definition of DNT:0 (which will more or less define what one can do) 2/ TPE additions 3/ Which form should the EU How-to take (Note, best practice, document for webplatform.org)



Those are my main topics. But I'm open to a debate about more urgent things.



I think this is not interesting for people who only want to make sure the things created do not interfere with their solutions. Because the entire work will be brought back to the entire group anyway for decision. But then, it will be bundled and the ability to influence in detail will be less. After all nobody wants to negotiate all the stuff twice..



But if you're really interested in the solutions found for a regulated market, I think you should closely monitor. We also hope to be able to provide an audio link. But the times will be inconvenient.



Does that answer your questions?



-- Rigo



On Tuesday 08 January 2013 10:21:44 David Wainberg wrote:

> Hi Rigo,

>

> Can you state the agenda for the meeting? I know there have been

> conversations, and I think some thoughts have been tossed around, but

> as we get to making concrete plans it would be helpful to know the

> goals and agenda for the meeting. Thanks much.

>

> Best,

>

> David

>

> On 1/8/13 10:16 AM, Rigo Wenning wrote:

> > Hi all,

> >

> > this is to select the meeting days. We can not go earlier than 21

> > Feb, because people have to prepare for traveling. From that I

> > created the doodle poll for a meeting in Berlin/Germany:

> >

> > http://www.doodle.com/4nxv7trzb34xdvqk

> >

> > Known conferences so far:

> > 6-8 March IAPP Washington DC

> >

> > Please fill out the poll ASAP so we can prepare the invitation and

> > the logistics in time.

> >

> > Best,

> >

> > Rigo
Received on Saturday, 12 January 2013 20:17:25 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 12 January 2013 20:17:25 GMT