
Re: Summary of First Party vs. Third Party Tests

From: Jeffrey Chester <jeff@democraticmedia.org>
Date: Mon, 28 Nov 2011 10:25:08 -0500
To: "public-tracking@w3.org>" <public-tracking@w3.org>
Message-id: <148E0370-C09D-4028-9360-92EEEFF490DE@democraticmedia.org>
Privacy policymakers in the EU and US are examining the implications of the ad exchange process, where first parties incorporate a broad range of third party data in real-time.  The distinctions between first and third parties have dramatically eroded as a result of real-time bidding, in my opinion.  Consequently, first party providers must be obligated under a DNT system to respect the wishes of users regarding the use of incorporated third party data sets.  We will be following up on this point with a submission on the draft comments.

Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009

On Nov 27, 2011, at 10:14 AM, Rob van Eijk wrote:

> Just to make sure, I want to repeat that a technical definition of 1st and 3rd party is not necessarily the same as a legal definition nor is it a definition that resembles what a user perceives to be intended/not intended interaction. 
> A legal definition is connected to the use of data. In the context of OBA it is connected with the use of data across sites. The use of data across sites is in many cases not transparent at all to the user.
> Just quoting a sentence will likely distort the true meaning of the passage in WP171. 
> The full quote of the relevant paragraphs is therefore:
> "As recently pointed out by the Article 29 Working Party28, whether a publisher can be
> deemed to be a joint controller with the ad network provider will depend on the conditions of
> collaboration between the publisher and the ad network provider. In this context, the Article
> 29 Working Party notes that in a typical scenario where ad network providers serve tailored
> advertising, publishers contribute to it by setting up their web sites in such a way that when a
> user visits a publisher's web site, his/her browser is automatically redirected to the webpage
> of the ad network provider. In doing so, the user's browser will transmit his/her IP address to
> the ad network provider which will proceed to send the cookie and tailored advertising. In
> this scenario, it is important to note that publishers do not transfer the IP address of the visitor
> to the ad network provider. Instead, it is the visitor's browser that automatically transfers such
> information to the ad network provider. However, this only happens because the publisher has
> set up its web site in such a way that the visitor to its own web site is automatically redirected
> to the ad network provider web site. In other words, the publisher triggers the
> transfer of the IP address, which is the first necessary step that will allow the subsequent
> processing, carried out by the ad network provider for the purposes of serving tailored
> advertising. Thus, even if, technically the data transfer of the IP address is carried out by the
> browser of the individual who visits the publisher web site, it is not the individual who
> triggers the transfer. The individual only intended to visit the publisher's web site. He did
> not intend to visit the ad network provider's web site. Currently this is a common scenario.
> Taking this into account, the Article 29 Working Party considers that publishers have a
> certain responsibility for the data processing, which derives from the national implementation
> of Directive 95/46 and/or other national legislation29. This responsibility does not cover all
> the processing activities necessary to serve behavioural advertising, for example, the
> processing carried out by the ad network provider consisting of building profiles which are
> then used to serve tailored advertising. However, the publishers' responsibility covers the first
> stage, i.e. the initial part of the data processing, namely the transfer of the IP address that
> takes place when individuals visit their web sites. This is because the publishers facilitate
> such transfer and co-determine the purposes for which it is carried out, i.e. to serve visitors
> with tailored advertising. In sum, for these reasons, publishers will have some responsibility as
> data controllers for these actions. This responsibility cannot, however, require compliance
> with the bulk of the obligations contained in the Directives."
> Kind regards,
> Rob (speaking for himself)
> On 7-11-2011 11:46, Kimon Zorbas wrote:
>> Dear all,
>> as requested by Rigo, I wanted to shed some light on the distinction between 1st and 3rd party in Europe. In a nutshell, there is a distinction, maybe not as clear as in the USA but nuanced enough to justify the approach proposed by colleagues on differentiating the scenarios.
>> The answer to the question depends primarily on the definition of tracking for each case. (As I explained earlier, the tracking concept does not fit the European legal data protection tradition & legal framework). To simplify things, below explanation assumes tracking refers to cookie use, as this use is what has gained (politically) traction and what can already be managed at browser level, irrespective of UI questions.
>> It’s important to keep in mind, that data protection law is not harmonised in the EU and different countries have transposed European directives differently and interpretations vary sometimes significantly. At EU level, there’s no agreed view that gives one response. The closest to a European uniform view/approach is Article 29 Working Party. However, that group is just an advisory body, its opinions are not legally binding and it tends often to take the strictest positions / interpretations on data protection. I say this as arguing along those opinions puts you on the safe side.
>> Art. 5.3 of the revised E-Privacy directive does not differentiate between 1st and 3rd parties but sets out special provisions for 1st parties for the storing of data on a user’s device that are necessary for technical purposes or services specifically requested by a user. I quote the respective provision that excludes from the consent provision the following scenarios (that are interpreted differently at national level):
>> “This [EXCEPTION FROM CONSENT REQUIREMENT] shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
>> In general, those exceptions apply to services for which the first party is responsible, as e.g. is the case with web analytics (following here CNIL’s position, the French data protection authority).
>> The general data protection directive (95/46/EC) makes a distinction between controller and processor. While there is a question if and when that directive applies to storing technologies - e.g. cookies- (as the E-Privacy directive is lex specialis), let’s argue with the stricter view & assuming the applicability. In this case, one would need to understand who is controller and who is processor in 3rd party scenarios.
>> Even Article 29 WP acknowledges different responsibilities in its opinion paper WP171, 00909/10/EN, 2/2010 (that relate to the concepts of data controller and processor), arguing that meeting the legal requirements in the case of OBA (notice & consent) are primarily the third party’s responsibility. That clearly builds on a distinction between 1st and 3rd parties:
>> “In sum, for these reasons, publishers will have some responsibility as data controllers for these actions. This responsibility cannot, however, require compliance with the bulk of the obligations contained in the Directives.”
>> I hope that helps with the distinction between 1st and 3rd parties in Europe. If you have any questions on this, please let me know.
>> As disclaimer, I would like to add that I do not necessarily share the views expressed above, but I try to argue with the strictest possible view to demonstrate that authorities make a nuanced distinction between first and third parties.
>> Kind regards,
>> Kimon
>> Kimon Zorbas
>> Vice President IAB Europe
>> IAB Europe - The Egg – Rue Barastraat 175 – 1070 Brussels - Belgium
>> Phone +32 (0)2 5265 568
>> Mob +32 494 34 91 68
>> Fax +32 2 526 55 60
>> vp@iabeurope.eu
>> Twitter: @kimon_zorbas
>> www.iabeurope.eu
>> -----Original Message-----
>> From: Rigo Wenning [mailto:rigo@w3.org] 
>> Sent: 04 November 2011 00:46
>> To: Kimon Zorbas
>> Cc: Amy Colando (LCA); Shane Wiley (yahoo); David Wainberg; public-tracking@w3.org; Jonathan Mayer
>> Subject: Re: Summary of First Party vs. Third Party Tests
>> Kimon,
>> could you expand on the distinction between 1st & 3rd parties by European regulators? This was one of the reasons why I argued against the distinction.
>> (to better align and make DNT usable in the EU context) So I'm really curious here as this may be a game changer.
>> All,
>> there is the legal issue, but also the technical issue to transport the information on who is a first and who is a third party to the user. The well-known-location would have to reflect which parties have a legal relationship to the owner of the requested URI/domain and what that legal relation is. As things can get complex (Kai Scheppe from Dt. Telekom talked about 250 contributors) there is an issue of boundaries here that we have to solve if we distinguish.
>> Best,
>> Rigo
>> On Thursday 03 November 2011 22:15:09 Kimon Zorbas wrote:
>> > Fully support Amy & Shane - common sense applies and also reflects
>> > what even European regulators express on distinction between 1st & 3rd
>> > parties. Works for us too.
>> >
Received on Monday, 28 November 2011 15:52:12 UTC
