RE: Summary of First Party vs. Third Party Tests

Dear all,



as requested by Rigo, I wanted to shed some light on the distinction between 1st and 3rd party in Europe. In a nutshell, there is a distinction, maybe not as clear as in the USA but nuanced enough to justify the approach proposed by colleagues on differentiating the scenarios.



The answer to the question depends primarily on the definition of tracking for each case. (As I explained earlier, the tracking concept does not fit the European legal data protection tradition & legal framework). To simplify things, below explanation assumes tracking refers to cookie use, as this use is what has gained (politically) traction and what can already be managed at browser level, irrespective of UI questions.



It’s important to keep in mind, that data protection law is not harmonised in the EU and different countries have transposed European directives differently and interpretations vary sometimes significantly. At EU level, there’s no agreed view that gives one response. The closest to a European uniform view/approach is Article 29 Working Party. However, that group is just an advisory body, its opinions are not legally binding and it tends often to take the strictest positions / interpretations on data protection. I say this as arguing along those opinions puts you on the safe side.



Art. 5.3 of the revised E-Privacy directive does not differentiate between 1st and 3rd parties but sets out special provisions for 1st parties for the storing data on a user’s device that are necessary for technical purposes or services specifically requested by a user. I quote the respective provision that excludes from the consent provision the following scenarios (that are interpreted differently at national level):
“This [EXCEPTION FROM CONSENT REQUIREMENT] shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

In general, those exceptions apply to services for which the first party is responsible, as e.g. is the case with web analytics (following here CNIL’s position, the French data protection authority).



The general data protection directive (95/46/EC) makes a distinction between controller and processor. While there is a question if and when that directive applies to storing technologies - e.g. cookies- (as the E-Privacy directive is lex specialis), let’s argue with the stricter view & assuming the applicability. In this case, one would need to understand who is controller and who is processor in 3rd party scenarios.



Even Article 29 WP acknowledges different responsibilities in its opinion paper WP171, 00909/10/EN, 2/2010 (that relate to the concepts of data controller and processor), arguing that meeting the legal requirements in the case of OBA (notice & consent) are primarily the third party’s responsibility. That clearly builds on a disctinction between 1st and 3rd parties:

“In sum, for these reasons, publishers will have some responsibility as data controllers for these actions. This responsibility cannot, however, require compliance with the bulk of the obligations contained in the Directives.”



I hope that helps with the distinction between 1st and 3rd parties in Europe. If you have any questions on this, please let me know.



As disclaimer, I would like to add that I do not necessarily share the views expressed above, but I try to argue with the strictest possible view to demonstrate that authorities make a nuanced distinction between first and third parties.



Kind regards,

Kimon



Kimon Zorbas

Vice President IAB Europe



IAB Europe - The Egg – Rue Barastraat 175 – 1070 Brussels - Belgium

Phone +32 (0)2 5265 568

Mob +32 494 34 91 68

Fax +32 2 526 55 60

vp@iabeurope.eu

Twitter: @kimon_zorbas



www.iabeurope.eu







IAB Europe supports the .eu domain name www.eurid.eu



IAB Europe is supported by:

Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Russia, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine and United Kingdom representing their 5.000 members. The IAB network represents over 90% of European digital revenues and is acting as voice for the industry at National and European level.



IAB Europe is powered by:

Adconion Media Group, Adobe, ADTECH, Alcatel-Lucent, AOL Advertising Europe, AudienceScience, BBC, CNN, comScore Europe, CPX Interactive, Criteo, eBay International Advertising, Ernst & Young, Expedia Inc, Fox Interactive Media, Gemius, Goldbach Media Group, Google, GroupM, Hi-media, InSites Consulting, Koan, Microsoft Europe, Millward Brown, MTV Networks International, Netlog, News Corporation, nugg.ad, Nielsen Online, Orange Advertising Network, Prisa, Publicitas Europe, Sanoma Digital, Selligent, Specific Media, The Walt Disney Company, Tradedoubler, Truvo, United Internet Media, ValueClick, White & Case, Yahoo! and zanox.



IAB Europe is associated with:

Advance International Media, Banner, Emediate, NextPerformance, OMD, Right Media and Turn Europe



-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org]
Sent: 04 November 2011 00:46
To: Kimon Zorbas
Cc: Amy Colando (LCA); Shane Wiley (yahoo); David Wainberg; public-tracking@w3.org; Jonathan Mayer
Subject: Re: Summary of First Party vs. Third Party Tests



Kimon,



could you expand on the distinction between 1st & 3rd parties by European regulators? This was one of the reasons why I argued against the distinction.

(to better align and make DNT usable in the EU context) So I'm really curious here as this may be a game changer.



All,



there is the legal issue, but also the technical issue to transport the information on who is a first and who is a third party to the user. The well- known-location would have to reflect which parties have a legal relationship to the owner of the requested URI/domain and what that legal relation is. As things can get complex (Kai Scheppe from Dt. Telekom talked about 250

contributors) there is an issue of boundaries here that we have to solve if we distinguish.



Best,



Rigo



On Thursday 03 November 2011 22:15:09 Kimon Zorbas wrote:

> Fully support Amy & Shane - common sense applies and also reflects

> what even European regulators express on distinction between 1st & 3rd

> parties. Works for us too.

>