Re: Summary of First Party vs. Third Party Tests

From: Rob van Eijk <rob@blaeu.com>
Date: Mon, 28 Nov 2011 19:22:14 +0100
Message-ID: <4ED3D156.9020309@blaeu.com>
To: public-tracking@w3.org
Kimon, I agree with you that "we have a legal framework we can not 
entirely ignore and DNT has to somehow take it into account." However, I 
have to disagree on the distinction you make: the distinction between 
first party and third party is a technical distinction.

I think it is a nice-to-have if the DNT solution from the standards 
community solves legal problems, but it shouldn't be the main goal. I 
argue that the main goal should be transparency for the user by offering 
technical means to express explicit consent.

I am favouring the process that we let the effort reflected in e.g. the 
cross-site discussion-thread take its turn before taking the legal 
aspect (issue-98) by the horns. By the way, issue-98 is a possible item, 
that could be declared out of scope. The tracking protection group 
doesn't do legal, as agreed in the Face 2 Face meeting in San Jose.

Kind regards,
Rob van Eijk (Speaking for himself)

On 28-11-2011 17:37, Kimon Zorbas wrote:
> I think Jeff raises an important point: The distinction of first party 
> -- third party is really a legal distinction in relation to cookies. I 
> agree with Jeff as far as the IT world is moving very fast. But trying 
> to capture first parties is very problematic for us. There are a 
> number of subcontractors working for first parties that could appear 
> being third parties. However, in such cases, the legal obligations are 
> addressing first parties. (At least in Europe, where we use the 
> controller / processor approach -- the legal obligations lie with the 
> controller, not the processor.) Again the problem that we have a legal 
> framework we can not entirely ignore and DNT has to somehow take it 
> into account.
> Kind regards,
> Kimon
> *From:*Jeffrey Chester [mailto:jeff@democraticmedia.org]
> *Sent:* 28 November 2011 16:25
> *To:* public-tracking@w3.org
> *Subject:* Re: Summary of First Party vs. Third Party Tests
> Privacy policymakers in the EU and US are examining the implications 
> of the ad exchange process, where first parties incorporate a broad 
> range of third party data in real-time.  The distinctions between 
> first and third parties have dramatically eroded as a result of 
> real-time bidding, in my opinion.  Consequently, first party providers 
> must be obligated under a DNT system to respect the wishes of users 
> regarding the use of incorporated third party data sets.  We will be 
> following up on this point with a submission on the draft comments.
> Jeffrey Chester
> Center for Digital Democracy
> 1621 Connecticut Ave, NW, Suite 550
> Washington, DC 20009
> www.democraticmedia.org <http://www.democraticmedia.org>
> On Nov 27, 2011, at 10:14 AM, Rob van Eijk wrote:
> Just to make sure, I want to repeat that a technical definition of 1st 
> and 3rd party is not necessarily the same as a legal definition nor is 
> it a definition that resembles what a user perceives to be 
> intended/not intended interaction.
> A legal definition is connected to the use of data. In the context of 
> OBA it is connected with the use of data across sites. The use of data 
> across sites is in many cases not transparent at all to the user.
> Just quoting a sentence will likely distort the true meaning of the 
> passage in WP171.
> The full quote of the relevant paragraphs is therefore:
> "As recently pointed out by the Article 29 Working Party28, whether a
> publisher can be deemed to be a joint controller with the ad network
> provider will depend on the conditions of collaboration between the
> publisher and the ad network provider. In this context, the Article
> 29 Working Party notes that in a typical scenario where ad network
> providers serve tailored advertising, publishers contribute to it by
> setting up their web sites in such a way that when a user visits a
> publisher's web site, his/her browser is automatically redirected to
> the webpage of the ad network provider. In doing so, the user's
> browser will transmit his/her IP address to the ad network provider
> which will proceed to send the cookie and tailored advertising. In
> this scenario, it is important to note that publishers do not
> transfer the IP address of the visitor to the ad network provider.
> Instead, it is the visitor's browser that automatically transfers
> such information to the ad network provider. However, this only
> happens because the publisher has set up its web site in such a way
> that the visitor to its own web site is automatically redirected to
> the ad network provider web site. In other words, the publisher
> triggers the transfer of the IP address, which is the first necessary
> step that will allow the subsequent processing, carried out by the ad
> network provider for the purposes of serving tailored advertising.
> Thus, even if, technically the data transfer of the IP address is
> carried out by the browser of the individual who visits the publisher
> web site, it is not the individual who triggers the transfer. The
> individual only intended to visit the publisher's web site. He did
> not intend to visit the ad network provider's web site. Currently
> this is a common scenario.
> Taking this into account, the Article 29 Working Party considers that
> publishers have a certain responsibility for the data processing,
> which derives from the national implementation of Directive 95/46
> and/or other national legislation29. This responsibility does not
> cover all the processing activities necessary to serve behavioural
> advertising, for example, the processing carried out by the ad
> network provider consisting of building profiles which are then used
> to serve tailored advertising. However, the publishers'
> responsibility covers the first stage, i.e. the initial part of the
> data processing, namely the transfer of the IP address that takes
> place when individuals visit their web sites. This is because the
> publishers facilitate such transfer and co-determine the purposes for
> which it is carried out, i.e. to serve visitors with tailored
> adverting. In sum, for these reasons, publishers will have some
> responsibility as data controllers for these actions. This
> responsibility cannot, however, require compliance with the bulk of
> the obligations contained in the Directives."
> Kind regards,
> Rob (speaking for himself)
> On 7-11-2011 11:46, Kimon Zorbas wrote:
> Dear all,
> as requested by Rigo, I wanted to shed some light on the distinction 
> between 1st and 3rd party in Europe. In a nutshell, there is a 
> distinction, maybe not as clear as in the USA but nuanced enough to 
> justify the approach proposed by colleagues on differentiating the 
> scenarios.
> The answer to the question depends primarily on the definition of 
> tracking for each case. (As I explained earlier, the tracking concept 
> does not fit the European legal data protection tradition & legal 
> framework). To simplify things, below explanation assumes tracking 
> refers to cookie use, as this use is what has gained (politically) 
> traction and what can already be managed at browser level, 
> irrespective of UI questions.
> It's important to keep in mind, that data protection law is not 
> harmonised in the EU and different countries have transposed European 
> directives differently and interpretations vary sometimes 
> significantly. At EU level, there's no agreed view that gives one 
> response. The closest to a European uniform view/approach is Article 
> 29 Working Party. However, that group is just an advisory body, its 
> opinions are not legally binding and it tends often to take the 
> strictest positions / interpretations on data protection. I say this 
> as arguing along those opinions puts you on the safe side.
> Art. 5.3 of the revised E-Privacy directive does not differentiate 
> between 1st and 3rd parties but sets out special provisions for 1st 
> parties for the storing data on a user's device that are necessary for 
> technical purposes or services specifically requested by a user. I 
> quote the respective provision that excludes from the consent 
> provision the following scenarios (that are interpreted differently at 
> national level):
> "This [EXCEPTION FROM CONSENT REQUIREMENT] shall not prevent any 
> technical storage or access for the sole purpose of carrying out the 
> transmission of a communication over an electronic communications 
> network, or as strictly necessary in order for the provider of an 
> information society service explicitly requested by the subscriber or 
> user to provide the service."
> In general, those exceptions apply to services for which the first 
> party is responsible, as e.g. is the case with web analytics 
> (following here CNIL's position, the French data protection authority).
> The general data protection directive (95/46/EC) makes a distinction 
> between controller and processor. While there is a question if and 
> when that directive applies to storing technologies - e.g. cookies- 
> (as the E-Privacy directive is lex specialis), let's argue with the 
> stricter view & assuming the applicability. In this case, one would 
> need to understand who is controller and who is processor in 3rd 
> party scenarios.
> Even Article 29 WP acknowledges different responsibilities in its 
> opinion paper WP171, 00909/10/EN, 2/2010 (that relate to the concepts 
> of data controller and processor), arguing that meeting the legal 
> requirements in the case of OBA (notice & consent) are primarily the 
> third party's responsibility. That clearly builds on a distinction 
> between 1st and 3rd parties:
> "In sum, for these reasons, publishers will have some responsibility 
> as data controllers for these actions. This responsibility cannot, 
> however, require compliance with the bulk of the obligations contained 
> in the Directives."
> I hope that helps with the distinction between 1st and 3rd parties 
> in Europe. If you have any questions on this, please let me know.
> As disclaimer, I would like to add that I do not necessarily share the 
> views expressed above, but I try to argue with the strictest possible 
> view to demonstrate that authorities make a nuanced distinction 
> between first and third parties.
> Kind regards,
> Kimon
> Kimon Zorbas
> Vice President IAB Europe
> IAB Europe - The Egg -- Rue Barastraat 175 -- 1070 Brussels - Belgium
> Phone +32 (0)2 5265 568
> Mob +32 494 34 91 68
> Fax +32 2 526 55 60
> vp@iabeurope.eu <mailto:vp@iabeurope.eu>
> Twitter: @kimon_zorbas
> www.iabeurope.eu <http://www.iabeurope.eu/>
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org]
> Sent: 04 November 2011 00:46
> To: Kimon Zorbas
> Cc: Amy Colando (LCA); Shane Wiley (yahoo); David Wainberg; 
> public-tracking@w3.org <mailto:public-tracking@w3.org>; Jonathan Mayer
> Subject: Re: Summary of First Party vs. Third Party Tests
> Kimon,
> could you expand on the distinction between 1st & 3rd parties by 
> European regulators? This was one of the reasons why I argued against 
> the distinction.
> (to better align and make DNT usable in the EU context) So I'm really 
> curious here as this may be a game changer.
> All,
> there is the legal issue, but also the technical issue to transport 
> the information on who is a first and who is a third party to the 
> user. The well-known-location would have to reflect which parties 
> have a legal relationship to the owner of the requested URI/domain and 
> what that legal relation is. As things can get complex (Kai Scheppe 
> from Dt. Telekom talked about 250
> contributors) there is an issue of boundaries here that we have to 
> solve if we distinguish.
> Best,
> Rigo
> On Thursday 03 November 2011 22:15:09 Kimon Zorbas wrote:
> > Fully support Amy & Shane - common sense applies and also reflects
> > what even European regulators express on distinction between 1st & 3rd
> > parties. Works for us too.
> >
Received on Monday, 28 November 2011 18:32:42 UTC
