Re: Linkability & European reality from Ninja Marnau on 2012-10-23 (public-tracking@w3.org from October 2012)

From: Ninja Marnau <nmarnau@datenschutzzentrum.de>
Date: Tue, 23 Oct 2012 18:42:13 +0200
To: Lee Tien <tien@eff.org>
CC: Kimon Zorbas <vp@iabeurope.eu>, Walter van Holst <walter.van.holst@xs4all.nl>, "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <5086C8E5.9090801@datenschutzzentrum.de>
Article 15 (3) of the German Telemedia Law is really complex. Although 
the wording implies an oup-out, the German Government has stated that 15 
(3) should be interpreted according to 5 (3) of the E-Privacy-Directive 
(opt-in). This is subject to an ongoing discussion.

The last sentence means that these behaviour-based pseudonymous 
user-profiles (might be a more accurate translation) have strict purpose 
limitations and must not be combined with any other user data or user 
profiles.

Ninja

Am 23.10.2012 18:12, schrieb Lee Tien:
> Kimon,
>
> Thanks for the pointer to the German Telemedia Law.  According to Google Translate, 15.3 says:
>
> "(3) The service provider may for the purposes of advertising, market research or for tailoring the Telemedia create user profiles using pseudonyms, provided that the user does not object. The service provider must inform the users of his right under the disclosure according to § 13 para 1. These user profiles can not be combined with information about the pseudonym."
>
> I was wondering if there is a statutory definition of "pseudonym," and what the last sentence means.
>
> Thanks,
> Lee
>
> On Oct 23, 2012, at 3:10 AM, Kimon Zorbas wrote:
>
>> Hi Walter,
>>
>> I am not aware any of my members using birth dates for display advertising in non-authenticated scenarios. Arguably, this constitutes personal data. I think it is good having such examples to approach business practices vs theoretically possible approaches.
>>
>> On ePrivacy transposition, you can find most legal texts adopted across the EU /EEA on our website, including a map, which shows the different approaches taken by the countries:
>> http://www.iabeurope.eu/knowledge-bank/knowledge-bank/public-affairs.aspx
>>
>>
>> For the German reference, check article 15.3 of the German Telemedia Law – that includes pseudonymisation.
>>
>>
>> Kind regards,
>> Kimon
>>
>> From: Walter van Holst <walter.van.holst@xs4all.nl>
>> Organization: COMECON
>> Date: Tuesday 23 October 2012 11:59
>> To: "public-tracking@w3.org" <public-tracking@w3.org>
>> Subject: Re: Linkability & European reality
>> Resent-From: <public-tracking@w3.org>
>> Resent-Date: Tuesday 23 October 2012 11:59
>>
>> On 2012-10-23 10:27, Kimon Zorbas wrote:
>>
>>> Many countries in Europe will accept many datasets as anonymous,
>>> whereas Germany takes (surprise, surprise…) a much stricter approach
>>> and only recognises such datasets as pseudonymous. In this context we
>>> cannot disregard pseudonymous data. Whether you can link such data
>>> and
>>> do so in practice (again, I believe theoretical debates are
>>> important,
>>> but what matters more to consumers and business is the actual
>>> practice, i.e. what 95% of companies do) is a question involved
>>> stakeholders might interpret differently. Striving towards a concept
>>> that takes a "strict US approach" on anonymisation (as I believe you
>>> suggest) would create a paradox with the strict data protection
>>> regulation in Germany…
>>
>> Dear Kimon,
>>
>> Given that the harmonisation achieved by the Data Protection Directive
>> is suboptimal to say the least, I am not going to doubt your assertion
>> that there is variation across European Data Protection Authorties'
>> opinions on what constitutes 'anonymous' data, despite all the guidance
>> provided by the Article 29 Working Group. Nonetheless it would be
>> helpful if you could provide some references for that assertion, if
>> necessary off-list.
>>
>>> entirely disregard. We want one global standard that can respond much
>>> better to privacy needs than blanket legislation.
>>
>> Given that the area of what is actually anonymous is governed by the
>> harsh reality of statistics and information theory (the examples Dan
>> gave are particularly enlightening in this regard), I think this should
>> be one of the subjects that should lend itself best for global
>> standardisation.
>>
>> This PhD dissertation deals with the subject:
>> http://cyberwar.nl/d/PhD-thesis_Measuring-and-Predicting-Anonymity_2012.pdf
>>
>> One of its conclusions was that 67% of Dutch citizens are identifiable
>> by their postal code and date of birth alone. I think this illustrates
>> the need for aggressive hashing.
>>
>> Regards,
>>
>>    Walter
>>
>>
>>
>
>
>

-- 

Ninja Marnau
mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
Telefon: +49 431/988-1285, Fax +49 431/988-1223
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
Independent Centre for Privacy Protection Schleswig-Holstein
Received on Tuesday, 23 October 2012 16:41:39 UTC