W3C home > Mailing lists > Public > public-tracking-international@w3.org > March 2013

Re: Agenda: Global considerations F2F meeting 11-12 Berlin

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 07 Mar 2013 12:06:56 +0100
To: Vinay Goel <vigoel@adobe.com>
Cc: David Wainberg <david@networkadvertising.org>, Haakon Bratsberg <haakonfb@opera.com>, "public-tracking-international@w3.org" <public-tracking-international@w3.org>
Message-ID: <4573724.rX8tvD6U61@hegel.sophia.w3.org>

our exchange is excellent to prepare the meeting. It helps me to shape 
my introduction on Monday. It also helps to address central issues. 

On Wednesday 06 March 2013 16:26:19 Vinay Goel wrote:
> I'll try explaining my stance again, but I'm afraid I'm not being
> clear enough. Here is where I see the disconnect. You write "There is
> a provision in the regulation that allows DNT to be the thing that
> allows for consent without window shades."
This is one option. I think DPAs will ack DNT beforehand. Thus creating 
a real stable framework the industry needs to prosper. 

> My understanding is that the amendments to the proposed regulation
> allows for a data protection board to determine whether commonly
> accepted standards meet compliance with the law.

Yes, but not only. Once the board has said "yes", the Commission can 
issue a delegated act that binds _all_ executive instances of the 
European Union (even the Irish)
> Do you expect the data protection board to approve DNT as currently
> drafted (which creates a distinction between first and third party
> use)?

No. I expect them to approve DNT in a flavor where first parties react 
on a DNT:1 and on a DNT:0 header. Global considerations will discuss how 
to enter this into the Specification without forcing the US market to 
give up the distinction between first and third parties. 
> I don't. Because I don't, I struggle to see how DNT (as currently
> being discussed in the WG) will get rid of the window shades.

Because the browser setting (sending DNT:0) will allow you to determine 
that you don't need a window shade. And DNT:1 will tell you what you can 
still do or collect and how to turn it into a DNT:0 in case you need 
more data. It allows a user to control data collection on your site (if 
you offer that control). It is a tool. You can prefer window shades as a 
tool with unreliable cookies and unreliable DPA reaction. Or you can try 
to get window shades accepted by the data protection board. 
> If the data protection board says that DNT could meet legal compliance
> but only if all websites respond to the DNT header as though they are
> a third party, then I'm saying that global companies will likely say
> 'thanks, but then I'll just stick to my window shade because I can't
> change my website to treat myself as a third party'.

It assumes that window shades are and remain accepted (see below). I 
understand that. This is clearly an option. But IMHO it is a bad option 
as it ruins web site design and is not future proof. This may be an 
interesting compliance regime for the very moment, but I do not believe 
that window shades pointing to 22 pages of legalese will help you for a 
long time. Nobody wants them anyway and we can do better. Window shades 
were done because nobody knew what to do with Article 5.3 of the 
ePrivacy Directive. Many people have moved on from there. 

So while understanding your position I try to give a sense to our 
undertaking. I hold against with the aspect of "implementation how to" 
of DNT in Europe. As Kimon said: Some will accept your window shades, 
others won't. DNT will remedy this. It will be an implementation recipe 
that will be accepted throughout Europe. It is your platform to figure 
out what to do with outreach measurement and site analytics with those 
knowing technically what it means. It will give you the occasion to 
implement once for Europe and Safe Harbour and play everywhere. 
> I hope that explains my worry better. I'm afraid that the data
> protection board won't 'approve' DNT in a way that makes it practical
> for global companies.

And I just think that window shades are not future proof as a way out, 
especially not for safe harbour companies. I try to show a way of having 
easy compliance that is easily implementable because it has all the 
permitted uses and concrete steps. Doing DNT should give you a safe 
area, but will not preclude individual negotiations with DPAs. It will 
be a tool in your toolbox. Note that there is pending litigation before 
the European Court of Justice where Spain wants to know if Google is 
right in pretending the application of Californian law in its relation 
to EU consumers. There is also an appeal pending where ULD wants to know 
whether Facebook is only under Irish law. The latter will go away with 
the regulation. 
> What am I missing here?  What do you see the board approving?  Sorry
> if I'm missing something obvious or am being dense. But, I'm
> struggling to see DNT being enough to satisfy all EU regulators'
> desires without it requiring websites to fundamentally change how it
> handles (defines) DNT for EU websites.  Once we require a different
> DNT implementation for websites for the EU, I believe implementing
> window shades is easier/cheaper than creating different processes for
> DNT.

Summarizing: It is crystal clear that nobody in the EU will accept a 
first/third party distinction. With window shades you make promises and 
claim consent. I doubt this will be accepted on the long run. It is a 
bureaucratic solution to a problem that is seen as being just 
bureaucratic. It will neither help users nor industry. Window shades 
should be an ephemeral phenomenon because Art 5.3 was not really 
implementable as it wasn't done with scale in mind. Window shades don't 
scale either. Neither politically nor technically. The alternative is a 
DNT that gives industry a stable, scalable and technically savvy 
environment and users some control over their data. The difference 
becomes even clearer if you go into the stack of pseudonymous data. 

Received on Thursday, 7 March 2013 11:09:06 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:40:17 UTC