
Re: explicit-explicit exception pairs

From: Rigo Wenning <rigo@w3.org>
Date: Mon, 07 May 2012 10:17:45 +0200
To: public-tracking@w3.org, ifette@google.com
Cc: rob@blaeu.com, Nicholas Doty <npdoty@w3.org>, Matthias Schunter <mts-std@schunter.org>
Message-ID: <3766319.cybNKGxmQv@hegel.sophia.w3.org>

Ian,

thanks for that quote. This is helpful. And I think it is in line with my 
thinking that we have to only enumerate the third parties the first party 
knows of. 

In detail: In the case you're taking up, the user gave his consent to a 
particular directory service. Now this particular directory service was 
transferring data to another directory service (e.g. because of a merger). 
The court says: You've given your data to A for purpose directory service 
and only because of a merger and no other change, there is no need to ask 
every single person in the phone-directory again. This is reasonable. But it 
does not compare to the situation we have, where we start already with an 
undefined amount and identity of the data collectors (data controllers). 

If you add your right to access and rectify the data about you, it is clear 
that knowledge about the data controllers is needed. It may be possible to 
have a publication of your data to unbound unknown third parties, but this 
would equal a generic web-wide exception for everybody. And in this case, 
your browser would just spawn DNT;0 on all requests.

While I see the burden you're invoking, I have trouble getting around naming 
the third parties used by (and known to) the first party. Now how can we 
minimize the burden technically?

Rigo



On Saturday 05 May 2012 16:21:21 Ian Fette wrote:
> I'm curious what you mean by "implied" consent? If the user grants an
> exception in response to a dialog presented by the browser on behalf of
> the website, that's rather explicit, is it not? I fail to see how that is
> "implied".
> 
> I'm not a lawyer and I don't pretend to be one, I'm just trying to figure
> out if there's some distinction here that you're drawing that I'm missing.
> I looked through the opinion you linked to, and in particular, I'm having
> trouble reconciling your statement with the following:
> 
> "Recently the ECJ issued a preliminary ruling [22] regarding Article 12(2)
> of the ePrivacy Directive, concerning the need for renewed consent of
> subscribers who had already consented to have their personal data
> published in one directory, to have their personal data transferred to be
> published by other directory services. The Court held that where the
> subscriber has been correctly informed of the possibility that his
> personal data may be passed to a third-party undertaking and s/he has
> already consented to the publication of those data in such a directory,
> renewed consent is not needed from the subscriber for the transfer of
> those same data, if it is guaranteed that the data in question will not be
> used for purposes other than those for which the data were collected with
> a view to their first publication (paragraph 65)."
> 
> Wouldn't this imply that if you inform the user that their data may be
> passed on to third party advertisers for the following (X,Y,Z) purposes,
> the addition of another advertiser down the line would not be material?
> 
> Also, I don't think you should take the prompt presented by the browser as
> the full context of the request for consent. The prompt by the browser is
> generated by the user clicking something on the page, the text
> surrounding that something on the page is part of the context under which
> the consent is given, and can do things like explain what third parties
> the site uses and what purposes the site wishes to use your data for.
> 
> On Sat, May 5, 2012 at 8:40 AM, Rob van Eijk <rob@blaeu.com> wrote:
> > This thread starts to overlap with 'ACTION-172: Write up more detailed
> > list of use cases for origin/origin exceptions'
> > 
> > My assumption in this answer is that the browser reflects valid user
> > consent. As a prerequisite, this implies that the user has made an
> > informed choice, preferably in the install/update flow of the browser
> > to use DNT technology as a granular consent expression mechanism.
> > 
> > Taking this assumption into account, my answer is easy, and I can be
> > crystal clear on this:
> > 1) Implied consent for * for an unknown list of parties is unacceptable
> > for it does not lead to compliance.
> > 2) Implied consent can only be valid for a select list of third parties
> > operating in a first party context: the processors who have a legal
> > processor-agreement with the first party (controller).
> > 
> > In Brussels I gave a detailed presentation on the criteria for consent
> > to be valid. They are well published in the Art. 29 Working Party's
> > opinion.
> > 
> > Preso:
> > http://lists.w3.org/Archives/Public/public-tracking/2012Jan/att-0268/W3C_v2.pdf
> > Opinion 15/2011 on Consent:
> > http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf
> > 
> > Rob
> > 
> > On 4-5-2012 22:31, Rigo Wenning wrote:
> >> Ian,
> >> 
> >> this is very clear and I think we are at the core of the issue. I have
> >> to leave it to Rob (and it may take some time) to answer the question
> >> whether informed consent can be given to an unknown list of third
> >> parties tracking me. From my German and French law roots, I have a
> >> feeling it doesn't work, but maybe I'm wrong.
Received on Monday, 7 May 2012 08:18:18 UTC
