[ACTION-48] Re-phrase 3.6.1.2.1

Hi Amy and Meme, 

We wanted to provide legal text for the outsourcing scenario.

The current wording of the Specification[1] is: 
the third party makes commitments that are consistent with {the requirements 
of|adhering to} this standard in a form that is legally enforceable (directly 
or indirectly) by the first party, individual users, and regulators; data 
retention by the third party must not survive the end of this legal 
enforceability;

What this tries to achieve is to make sure the first party benefiting from that 
exemption does not lightly take a third party into its privilege and to make 
sure the third party behaves like a "data-processor" in the EU sense. Namely, 
that the third party does not have rights of its own on the data processed. Not 
trusting our first party, David Singer wanted to give the user/consumer an 
independent right against the third party to comply. 

As we realized, this would go beyond what a compliance specification could 
possibly prescribe as we attempted to create a right for an independent third 
party. This is normally reserved to laws for a certain jurisdiction. We could 
mimic this by obliging the first party to contract a specific clause with the 
third party to the benefit of the user. But this is of a contractual complexity 
that creates exactly the legal overkill that we want to avoid here. 

Instead, we wanted to make sure that the user/consumer and also the service 
understand that despite the absence of such a complex contractual construct, 
there are legal remedies at the fingertips of the user. We wanted to have those 
legal remedies written down in a footnote to section 3.6.1.2 as they are 
only informative and not normative. 

Amy and Meme committed to provide some remedies for the US legal system. I was 
tasked to provide the (easier, because regulated) description for the EU 
environment. 

Here is my suggested text: 
For the EU, the outsourcing scenario is clearly regulated. In the current EU 
Directive 95/46/EC, but also in the suggested regulation reforming the data 
protection regime, an entity using or processing data is subject to data 
protection law. An entity acting as a first party and contracting services of 
another party is responsible for the overall processing. If the third party 
has rights and privileges of its own concerning the processing of the data collected 
by the first party, it isn't a data processor anymore and thus not covered by 
exemptions. This third party is then considered a second data controller 
with all duties attached to that status. As the pretensions of users are based 
on law, they apply to first and third party alike unless the third party acts 
as a mere data processor. 

Ninja, Rob, feel free to correct if this is wrong. I tried to keep it 
comprehensible. 

Now Amy said, in the US, somebody mimicking being a data processor and 
claiming that he only processes on behalf of the first party but then taking 
data for his own purposes would be at risk of liability for deceptive practices 
and could be subject to class actions (note, class actions do not exist in 
most civil law jurisdictions). I'm sure Amy or Meme have a better wording 
here. 

Best, 

Rigo


1. http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#TypesofTrackingOutsourcingNorm


On Wednesday 25 January 2012 16:10:22 Amy Colando wrote:
> We are without reliable email/Internet today.
> 
> Rigo is in agreement with the conclusion below. He wants to provide a
> textual explanation to the group to explain the difficulty here, and the
> reality that there are alternate protections without creating third party
> beneficiaries. In particular, we thought we could point out that there are
> existing protections in the EU (Rigo to draft) and US (class actions or
> enforcement actions against original site or even analytics provider based
> on DNT or privacy statements). I also think the reality is that a
> fraudulent analytics company would quite likely sell data on a broad
> scale - in other words, breaching its obligation to a single site (the
> scenario raised in discussions) is unlikely.
> 
> Believe Rigo is going to write up at least EU portion.
> 
> Sent from my Windows Phone
> ________________________________
> From: MeMe Rasmussen
> Sent: 1/25/2012 3:30 PM
> To: Amy Colando (LCA); Rigo Wenning
> Subject: RE: Outsourcing Language
> 
> I agree.  Rigo – where was this left.  Were you going to take a stab at some
> language and then circulate?
> 
> MeMe
> 
> From: Amy Colando (LCA) [mailto:acolando@microsoft.com]
> Sent: Wednesday, January 25, 2012 2:58 AM
> To: Rigo Wenning; MeMe Rasmussen
> Subject: Outsourcing Language
> 
> Hi Rigo and Meme,
> 
> I wanted to start an email thread about the issue that was identified in the
> outsourcing discussion. Namely, the current text requires a first party to
> have a legally enforceable contract with its provider so that the provider
> can only use data collected on first party site for the benefit of the
> first party only. The text then goes on to say that end users and
> regulators must also have the rights to legally enforce this obligation
> against the provider.
> 
> Quite frankly, I think that it would be legally extremely challenging to make
> this latter part enforceable, and I would recommend removing language
> regarding user/regulator enforceability as unworkable.
> 
> Sent from my Windows Phone
> 

Received on Friday, 3 February 2012 20:27:23 UTC