Re: Summary of First Party vs. Third Party Tests

From: Rob van Eijk <rob@blaeu.com>
Date: Sun, 27 Nov 2011 16:14:03 +0100
Message-ID: <4ED253BB.8060504@blaeu.com>
To: public-tracking@w3.org

Just to make sure, I want to repeat that a technical definition of 1st
and 3rd party is not necessarily the same as a legal definition nor is 
it a definition that resembles what a user perceives to be intended/not 
intended interaction.

A legal definition is connected to the use of data. In the context of 
OBA it is connected with the use of data across sites. The use of data 
across sites is in many cases not transparent at all to the user.

Just quoting a sentence will likely distort the true meaning of the 
passage in WP171.
The full quote of the relevant paragraphs is therefore:

"As recently pointed out by the Article 29 Working Party[28], whether a
publisher can be deemed to be a joint controller with the ad network
provider will depend on the conditions of collaboration between the
publisher and the ad network provider. In this context, the Article 29
Working Party notes that in a typical scenario where ad network
providers serve tailored advertising, publishers contribute to it by
setting up their web sites in such a way that when a user visits a
publisher's web site, his/her browser is automatically redirected to
the webpage of the ad network provider. In doing so, the user's browser
will transmit his/her IP address to the ad network provider which will
proceed to send the cookie and tailored advertising. In this scenario,
it is important to note that publishers do not transfer the IP address
of the visitor to the ad network provider. Instead, it is the visitor's
browser that automatically transfers such information to the ad network
provider. However, this only happens because the publisher has set up
its web site in such a way that the visitor to its own web site is
automatically redirected to the ad network provider web site. In other
words, the publisher triggers the transfer of the IP address, which is
the first necessary step that will allow the subsequent processing,
carried out by the ad network provider for the purposes of serving
tailored advertising. Thus, even if, technically the data transfer of
the IP address is carried out by the browser of the individual who
visits the publisher web site, it is not the individual who triggers
the transfer. The individual only intended to visit the publisher's web
site. He did not intend to visit the ad network provider's web site.
Currently this is a common scenario.

Taking this into account, the Article 29 Working Party considers that
publishers have a certain responsibility for the data processing, which
derives from the national implementation of Directive 95/46 and/or
other national legislation[29]. This responsibility does not cover all
the processing activities necessary to serve behavioural advertising,
for example, the processing carried out by the ad network provider
consisting of building profiles which are then used to serve tailored
advertising. However, the publishers' responsibility covers the first
stage, i.e. the initial part of the data processing, namely the
transfer of the IP address that takes place when individuals visit
their web sites. This is because the publishers facilitate such
transfer and co-determine the purposes for which it is carried out,
i.e. to serve visitors with tailored advertising. In sum, for these
reasons, publishers will have some responsibility as data controllers
for these actions. This responsibility cannot, however, require
compliance with the bulk of the obligations contained in the
Directives."

Kind regards,
Rob (speaking for himself)

On 7-11-2011 11:46, Kimon Zorbas wrote:
>
> Dear all,
>
> as requested by Rigo, I wanted to shed some light on the distinction 
> between 1st and 3rd party in Europe. In a nutshell, there is a 
> distinction, maybe not as clear as in the USA but nuanced enough to 
> justify the approach proposed by colleagues on differentiating the 
> scenarios.
>
> The answer to the question depends primarily on the definition of 
> tracking for each case. (As I explained earlier, the tracking concept 
> does not fit the European legal data protection tradition & legal 
> framework). To simplify things, the explanation below assumes tracking 
> refers to cookie use, as this use is what has gained (politically) 
> traction and what can already be managed at browser level, 
> irrespective of UI questions.
>
> It’s important to keep in mind that data protection law is not 
> harmonised in the EU and different countries have transposed European 
> directives differently and interpretations vary sometimes 
> significantly. At EU level, there’s no agreed view that gives one 
> response. The closest to a European uniform view/approach is Article 
> 29 Working Party. However, that group is just an advisory body, its 
> opinions are not legally binding and it tends often to take the 
> strictest positions / interpretations on data protection. I say this 
> as arguing along those opinions puts you on the safe side.
>
> Art. 5.3 of the revised E-Privacy directive does not differentiate 
> between 1st and 3rd parties but sets out special provisions for 1st 
> parties for storing data on a user’s device that are necessary for 
> technical purposes or services specifically requested by a user. I 
> quote the respective provision that excludes from the consent 
> provision the following scenarios (that are interpreted differently at 
> national level):
>
> “This [EXCEPTION FROM CONSENT REQUIREMENT] shall not prevent any 
> technical storage or access for the sole purpose of carrying out the 
> transmission of a communication over an electronic communications 
> network, or as strictly necessary in order for the provider of an 
> information society service explicitly requested by the subscriber or 
> user to provide the service.”
>
> In general, those exceptions apply to services for which the first 
> party is responsible, as e.g. is the case with web analytics 
> (following here CNIL’s position, the French data protection authority).
>
> The general data protection directive (95/46/EC) makes a distinction 
> between controller and processor. While there is a question if and 
> when that directive applies to storing technologies - e.g. cookies - 
> (as the E-Privacy directive is lex specialis), let’s argue with the 
> stricter view & assuming the applicability. In this case, one would 
> need to understand who is controller and who is processor in 3rd 
> party scenarios.
>
> Even Article 29 WP acknowledges different responsibilities in its 
> opinion paper WP171, 00909/10/EN, 2/2010 (that relate to the concepts 
> of data controller and processor), arguing that meeting the legal 
> requirements in the case of OBA (notice & consent) is primarily the 
> third party’s responsibility. That clearly builds on a distinction 
> between 1st and 3rd parties:
>
> “In sum, for these reasons, publishers will have some responsibility 
> as data controllers for these actions. This responsibility cannot, 
> however, require compliance with the bulk of the obligations contained 
> in the Directives.”
>
> I hope that helps with the distinction between 1st and 3rd parties 
> in Europe. If you have any questions on this, please let me know.
>
> As disclaimer, I would like to add that I do not necessarily share the 
> views expressed above, but I try to argue with the strictest possible 
> view to demonstrate that authorities make a nuanced distinction 
> between first and third parties.
>
> Kind regards,
>
> Kimon
>
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org]
> Sent: 04 November 2011 00:46
> To: Kimon Zorbas
> Cc: Amy Colando (LCA); Shane Wiley (yahoo); David Wainberg; 
> public-tracking@w3.org; Jonathan Mayer
> Subject: Re: Summary of First Party vs. Third Party Tests
>
> Kimon,
>
> could you expand on the distinction between 1st & 3rd parties by 
> European regulators? This was one of the reasons why I argued against 
> the distinction.
>
> (to better align and make DNT usable in the EU context) So I'm really 
> curious here as this may be a game changer.
>
> All,
>
> there is the legal issue, but also the technical issue to transport 
> the information on who is a first and who is a third party to the 
> user. The well-known-location would have to reflect which parties 
> have a legal relationship to the owner of the requested URI/domain and 
> what that legal relation is. As things can get complex (Kai Scheppe 
> from Dt. Telekom talked about 250 contributors) there is an issue of 
> boundaries here that we have to solve if we distinguish.
>
> Best,
>
> Rigo
>
> On Thursday 03 November 2011 22:15:09 Kimon Zorbas wrote:
>
> > Fully support Amy & Shane - common sense applies and also reflects
> > what even European regulators express on distinction between 1st & 3rd
> > parties. Works for us too.

Received on Sunday, 27 November 2011 15:15:44 UTC
