W3C home > Mailing lists > Public > public-tracking@w3.org > October 2012

Re: Linkability & European reality

From: Kimon Zorbas <vp@iabeurope.eu>
Date: Tue, 23 Oct 2012 10:10:36 +0000
To: Walter van Holst <walter.van.holst@xs4all.nl>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <CCAC38E2.3D7BB%vp@iabeurope.eu>
Hi Walter,

I am not aware any of my members using birth dates for display advertising in non-authenticated scenarios. Arguably, this constitutes personal data. I think it is good having such examples to approach business practices vs theoretically possible approaches.

On ePrivacy transposition, you can find most legal texts adopted across the EU /EEA on our website, including a map, which shows the different approaches taken by the countries:
http://www.iabeurope.eu/knowledge-bank/knowledge-bank/public-affairs.aspx


For the German reference, check article 15.3 of the German Telemedia Law – that includes pseudonymisation.


Kind regards,
Kimon

From: Walter van Holst <walter.van.holst@xs4all.nl<mailto:walter.van.holst@xs4all.nl>>
Organization: COMECON
Date: Tuesday 23 October 2012 11:59
To: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Subject: Re: Linkability & European reality
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>>
Resent-Date: Tuesday 23 October 2012 11:59

On 2012-10-23 10:27, Kimon Zorbas wrote:

Many countries in Europe will accept many datasets as anonymous,
whereas Germany takes (surprise, surprise…) a much stricter approach
and only recognises such datasets as pseudonymous. In this context we
cannot disregard pseudonymous data. Whether you can link such data
and
do so in practice (again, I believe theoretical debates are
important,
but what matters more to consumers and business is the actual
practice, i.e. what 95% of companies do) is a question involved
stakeholders might interpret differently. Striving towards a concept
that takes a "strict US approach" on anonymisation (as I believe you
suggest) would create a paradox with the strict data protection
regulation in Germany…

Dear Kimon,

Given that the harmonisation achieved by the Data Protection Directive
is suboptimal to say the least, I am not going to doubt your assertion
that there is variation across European Data Protection Authorties'
opinions on what constitutes 'anonymous' data, despite all the guidance
provided by the Article 29 Working Group. Nonetheless it would be
helpful if you could provide some references for that assertion, if
necessary off-list.

entirely disregard. We want one global standard that can respond much
better to privacy needs than blanket legislation.

Given that the area of what is actually anonymous is governed by the
harsh reality of statistics and information theory (the examples Dan
gave are particularly enlightening in this regard), I think this should
be one of the subjects that should lend itself best for global
standardisation.

This PhD dissertation deals with the subject:
http://cyberwar.nl/d/PhD-thesis_Measuring-and-Predicting-Anonymity_2012.pdf

One of its conclusions was that 67% of Dutch citizens are identifiable
by their postal code and date of birth alone. I think this illustrates
the need for aggressive hashing.

Regards,

  Walter
Received on Tuesday, 23 October 2012 10:11:21 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:36 UTC