W3C home > Mailing lists > Public > public-tracking@w3.org > January 2012

Re: Request for thoughts: US, EU, and international DNT

From: Ninja Marnau <nmarnau@datenschutzzentrum.de>
Date: Sun, 22 Jan 2012 14:02:18 +0100
Message-ID: <4F1C08DA.6030900@datenschutzzentrum.de>
To: Frank.Wagner@telekom.de
CC: aleecia@aleecia.com, public-tracking@w3.org
Hi Frank,

great to hear that you want to participate. I am looking forward to 
meeting you on Tuesday.

Do I remember correctly that you and Rob work on the issue in which way 
1st party/3rd party relate to data controller/data processor? I think it 
would be very helpful to combine these two topics. Do you already have a 
draft for this issue, which I can read to prepare for the meeting?

Best regards,


Am 22.01.2012 12:12, schrieb Frank.Wagner@telekom.de:
> Greetings,
> I am highly interested in participating on this issue. Let's talk at the
> f2f meeting how to organize it.
> Best, have good trip !
> Frank
> Deutsche Telekom AG
> Service Headquarters, Group Privacy
> Frank Wagner
> Deutsche-Telekom-Allee 7, 64295 Darmstadt, Germany
> +49 6151 937-3514 (Phone)
> +49 521 9210-1175 (Fax)
> +49 175 181-9770 (Mobile)
> E-Mail: frank.wagner@telekom.de <mailto:frank.wagner@telekom.de>
> www.telekom.com <http://www.telekom.com>
> Life is for sharing.
> Deutsche Telekom AG
> Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
> Board of Management: René Obermann (Chairman),
> Dr. Manfred Balz, Reinhard Clemens, Niek Jan van Damme,
> Timotheus Höttges, Claudia Nemat, Thomas Sattelberger
> Commercial register: Amtsgericht Bonn HRB 6794
> Registered office: Bonn
> Big changes start small – conserve resources by not printing every e-mail.
> Am 10.01.2012 um 11:27 schrieb "Aleecia M. McDonald"
> <aleecia@aleecia.com <mailto:aleecia@aleecia.com>>:
>> Greetings,
>> I've been giving some thought to how we can make our work relevant in
>> the EU and US, despite some strong differences. Nations have borders
>> but the Internet does not. How can we support different regional
>> cultures, norms, and laws on the Internet? I am putting this out as
>> some things to think about and discuss further.
>> Here are a few of my starting assumptions:
>> * In the US, a first v. third party distinction is very important to
>> businesses.
>> In many (but not all) EU countries, first party is not an interesting
>> or meaningful way to look at things.
>> * Key word in Europe: Consent
>> - Users who do not consent to data practices must have their privacy
>> protected.
>> - A global consent may not be sufficient; consent must be particular
>> to a company and to a description of data use (in at least some countries)
>> - We should at least address Article 5(3) of the 2002 ePrivacy
>> Directive [1]
>> - There is wide interest in finding a way to implement the revised
>> framework of the Article 5(3) ePrivacy Directive without a deeply
>> painful (on business or users) implementation, and DNT may help [2]
>> - The exemptions we consider would not be valid in the EU without
>> specific consent [3]
>> * Key word in US: Choice
>> - Users who choose to interact with a site do not need as much privacy
>> protection as they do from sites they do not choose to interact with
>> - We should at least fulfill the requirements for DNT set out in the
>> FTC staff report [4]
>> - We should co-exist with existing industry self-regulation mechanisms [5]
>> Here are three areas where I think we can have a uniform underlying
>> technical standard that is flexible enough to accommodate different
>> national and regional policy priorities:
>> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable
>> DNT, DNT: 0 means do not enable DNT, and nothing sent means users have
>> not made a selection.
>> In the US, no DNT signal gets viewed as "users did not choose to
>> enable DNT" and treated as DNT: 0.
>> In some of the EU, no DNT signal gets viewed as "users did not consent
>> to tracking" and treated as DNT: 1.
>> (B) In the US, site-specific exceptions will allow users to "opt back
>> in" for specific first and third party pairs (perhaps along the likes
>> of what Shane and Nick co-authored). In the EU, some (but not all)
>> countries will require consent on a site-by-site basis, rather than a
>> global "DNT: 0" signal or no DNT signal at all. The site-specific
>> exemptions mechanism becomes the path to enable users to consent per site.
>> (C) In the US, first parties have minimal responsibilities when
>> receiving a DNT: 1 signal (perhaps along the lines of what Jonathan
>> and Tom co-authored). In some (but not all) EU countries, there may be
>> nothing that applies globally to all first and third parties, (and
>> more to the point, the data controller) perhaps making the first/third
>> party distinction irrelevant.
>> I think this could be good enough in enough different ways for enough
>> different interests. I'd like to hear other reactions. Does anyone
>> have better or simpler ideas? Is this still too US-centric to work in
>> Europe?
>> If we find something we think will work, we could add a non-normative
>> section to one of the specifications, or we could issue a note. Either
>> way, I think specifications shouldn't be hard-coded to specific
>> regulations and laws. However, since I think this approach could be
>> confusing to those implementing the specification, I would like to
>> give implementors a fighting chance by providing our opinions (and not
>> legal advice!) with pointers to additional information. How does this
>> approach sound?
>> And last but not least: any volunteers to work on these topics?
>> Aleecia
>> Thanks to a few TPWG members for taking time to step me through some
>> of the issues here. All mistakes are, of course, my own. Citations and
>> useful reading:
>> [1] For the before & after versions of 5(3), see [7], p 7
>> [2] See slides from Carl Christian Buhr, a member of Commissioner
>> Kroes' Cabinet (European Commission), particularly slides 11-13,
>> suggesting DNT could satisfy 5(3):
>> http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
>> [3] As per 5(3), "Exceptions to the obligation to provide information
>> and offer the right to refuse should be limited to those situations
>> where the technical storage or access is strictly necessary for the
>> legitimate purpose of enabling the use of a specific service
>> explicitly requested by the subscriber or user" is a given, but are
>> other exemptions allowed? Recital 25 reads to me as: yes with consent,
>> and no without consent. For example, billing for ad impressions is not
>> part of the service explicitly requested, and seems to require
>> informed consent. See [7], p 8
>> [4] FTC staff report, starting p 63,
>> http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
>> [5] In particular, it would be unfortunate if DNT off with an opt-out
>> cookie was interpreted one way by self-regulatory bodies, and another
>> way in the DNT recommendations. We likely will reach different end
>> points than the self-regulation guidelines, but they remain a very
>> fruitful source of background information, including the recent
>> multi-site data principles (http://www.aboutads.info/msdprinciples)
>> and the OBA principles (http://www.aboutads.info/obaprinciples).
>> [6] A very readable summary of [7] discussing where industry
>> self-regulation is seen to fall short of
>> 5(3):http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie.
>> [7] The actual report itself:
>> ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf
>> <http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf>
>> (COCOM10-34, Implementation of the revised Framework– Article 5(3) of
>> the ePrivacy Directive)
>> [8] The whole text is worth at least skimming, including a brief note
>> on children under 12. In particular the section on consent for cookies
>> starting on p 8, and examples of consent not using pop ups on p 9:
>> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf


Ninja Marnau
mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
Telefon: +49 431/988-1285, Fax +49 431/988-1223
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
Independent Centre for Privacy Protection Schleswig-Holstein
Received on Sunday, 22 January 2012 13:01:00 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:43 UTC