Re: Proposed Text for Local Law and Public Purpose

Hi David,

not sure, how much DNT reflects EU style law: EU law regulates storing of data on a device (not technology neutral), DNT  is about tracking (not sure what that is yet) and is (so far) technology neutral.

Rigo is trying to bridge both (a difficult task – and Rigo correct me if I got it wrong).

I think some of the confusion comes from different legal interpretations. The reality is that because of the very binary approach to data protection / privacy in Europe (only personal data is protected under the law – with exception of the cookies-related provisions; non-personal data is not regulated): Data Protection Authorities seek to increase privacy protection by interpreting many types of data as personal (e.g. IP addresses). Industry needs data to operate and more often than not has no intention to ever identify an individual with the data it processes (e.g. IP addresses), arguing (legally correct in my view) that such data is not personal. (NB: linking e.g. anonymous cookies data with personal information is not possible without consent or another legitimate interest, according to the law).

Thought that brief (and, I admit somehow superficial) but neutral explanation would add some clarity to the debates happening here and the differing views we sometimes see (e.g. I and Rob).

Whether we need different policy approaches is something that adds complexity and needs to be carefully considered in this group.

Hope that helps,
Kimon


From: David Wainberg <david@networkadvertising.org<mailto:david@networkadvertising.org>>
Date: Thursday 25 October 2012 22:29
To: Rigo Wenning <rigo@w3.org<mailto:rigo@w3.org>>
Cc: "public-tracking@w3.org<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>>, Kimon Zorbas <vp@iabeurope.eu<mailto:vp@iabeurope.eu>>, Walter van Holst <walter.van.holst@xs4all.nl<mailto:walter.van.holst@xs4all.nl>>
Subject: Re: Proposed Text for Local Law and Public Purpose

Hi Rigo,

First, I do not disagree with taking EU concerns or needs into
consideration. Though I do think we've been confused about the extent
we're doing so, or what it means. Perhaps your Global Considerations
effort will clarify things.

However, the way I read Walter's statements, and, frankly, some
statements of others, is that he would use this W3C process to apply EU
style privacy regulation across the Internet, including in the US. This
is not the proper venue for that. In my view, there's little interest in
the US to have EU-style regulation, but even if there is, it is not for
this working group to provide it. As we're all aware, the U.S. has a
different approach to privacy regulation, as well as a very mature and
complementary self-regulatory program in the digital advertising
industry. We could have an interesting conversation about whether the US
approach or the EU approach is better, but we will never get an answer,
and it's irrelevant. The reality is that approaches to privacy vary
across jurisdictions, and we should honor that. We need a DNT policy
that fits well within existing frameworks in the jurisdictions where it
will be enforced.

-David

On 10/25/12 12:54 PM, Rigo Wenning wrote:
David,

I think Walter is an invited expert and offered his opinion on why
he thinks we should also take the EU system into account. I think
Walter gave a pretty accurate view on current EU feelings as I also
saw them in the hearing of the EU parliament on the new regulation.
There is much emphasis that privacy is a human right and that it
should not under all circumstances be trumped by commercial
considerations. I think you should read his statement like a report
rather than an opinion.

And his EU comments are important for me as I think that global
considerations are important. I think we are much closer to
usefulness of DNT in Europe than many believe. And this is a big
thing if you consider the current UK solution that is not as nice.
So killing the European solution for an alleged impossibility to
comply with MRC raises heat that we should take out again.

Note further that IMHO he is not threatening in any way. I was at
the OECD this week and last week. There are discussions about
transborder data flow and how to achieve that. Many OECD countries
have appropriate protections in place and now urge to create a level
playing field to avoid a race to the bottom. And there are serious
voices questioning the transborder data flow to countries not having
the right protection level. Again, this is rather a report. I do not
have the intention to say: "see you should do this or that". And I
see DNT as an opportunity. Because it can't be mandated by W3C
anyway it can only be an opportunity and never a threat. The threat
is elsewhere.

Apart from that I concur to Kimon. Measures are done anonymously and
this is part of the innovation challenge. Then outreach is out of
the way. This is why I talked about "transition". In the sixties we
had nice cars, but consumption was 7mpg. Now we still have nice cars
and consumption is 60mpg and they are even faster. Better outreach
measures with less personal data. We can talk about how far we get
with Version 1 if there is a will to innovate. But just saying: "DNT
will not change my business" would misunderstand the commitments and
the unease in the market and between the regulators.

Rigo

On Wednesday 24 October 2012 18:14:22 David Wainberg wrote:
Rob, Rigo, Ninja, what are your thoughts?

On 10/24/12 6:12 PM, David Wainberg wrote:
Hi Kimon,

I would not suggest that MRC is or should be relevant in Europe.
My questions to other Europeans in the group is whether they
share Walter's position, quoted below, regarding U.S. law and
the goals for the DNT standard.

-David

On 10/24/12 11:32 AM, Kimon Zorbas wrote:
David,

I am struggling to understand why MRC should be relevant in
Europe? (I am a bit lost in this debate – it seems to me that
MRC certifies products to conduct measurement - in the US). If
companies operate in Europe, they need to comply with our
strict laws.

Audience measurement in Europe is to my knowledge conducted via
anonymous data. Safe Harbor wouldn't apply to such data. If
audience data is transferred to outside the EEA (and adequate
countries), then there is no issue (with anonymous data sets).
If personal data is collected, then you could benefit of the
Safe Harbor regime as a US based company. Not sure that has
anything to do with MRC (being only a certification body, if I
understand correctly).

Kind regards,
Kimon

From: David Wainberg <david@networkadvertising.org<mailto:david@networkadvertising.org>
<mailto:david@networkadvertising.org>>
Date: Wednesday 24 October 2012 17:15
To: Walter van Holst <walter.van.holst@xs4all.nl<mailto:walter.van.holst@xs4all.nl>
<mailto:walter.van.holst@xs4all.nl>>, "public-tracking@w3.org<mailto:public-tracking@w3.org>
<mailto:public-tracking@w3.org>" <public-tracking@w3.org<mailto:public-tracking@w3.org>
<mailto:public-tracking@w3.org>>
Subject: Re: Proposed Text for Local Law and Public Purpose
Resent-From: <public-tracking@w3.org<mailto:public-tracking@w3.org>
<mailto:public-tracking@w3.org>> Resent-Date: Wednesday 24
October 2012 17:15

Is this the view of other Europeans participating in this
working group?>>
On 10/24/12 10:39 AM, Walter van Holst wrote:
              Actually, from a EU perspective this standard as a
              whole
              is unnecessary
              because most business practices, at least the one
              that
              are publicly
              known, in this field are in violation of EU-law
              already.

          So why do we keep talking about it in terms of EU law?
          Why do we
          continue to have proposals aimed at suiting EU
          requirements?

      Well, I am going to be offensive again and maybe even
      patronising, but
      the US legal context for privacy discussions is not quite
      up to
      par with
      the rest of the industrialised world. For all its defects,
      the
      European
      legal framework embodies a coherent framework of concepts
      on this
      subject matter. Which sadly the USA does not have. So,
      apart from
      my own
      geographical bias by virtue of being Dutch, other than in
      terms of consent it is difficult to discuss this in
      outside the terms of EU law.
      Not to mention that similar frameworks have been adopted by
      Canada, Australia, South-Africa, Japan, Korea and Brazil
      as well as that India
      is in the process of moving in a similar direction.

         I will be

          happy if we can once and for all determine that this

              Having a
              mechanism for consent in the form of DNT is much
              more
              significant in the
              US context than in the EU context. The fact that
              various
              EU parties are
              sitting at the table in this process is in itself a
              sign
              that the lack
              of appetite by the US to import EU concepts (unlike
              most
              other
              democracies on the planet) has been noticed in the
              EU.

          Are you saying that EU participation in this forum is
          precisely for the
          purpose of trying to impose EU concepts on US
          companies?

      No, it is an acknowledgement that EU law is not applicable
      in the USA and that merely leaning back basking in an
      ill-conceived dream of EU-superiority in this regard is
      not going to be helpful at all if large
      parts of the relevant industries are (for now) out of scope
      of EU
      law.
      Therefore it is still useful to participate in a
      self-regulatory
      approach, despite it being unnecessary in the EU-context.

          But to my previous question, if the EU can impose these
          concepts
          extra-territorially through regulation then why try to
          do it
          through
          this DNT process?

      Well, why get to what you want by asking nicely if you can
      do it by holding a gun to someone's head? The former is
      rather more constructive,
      one would think.

      Regards,

         Walter

Received on Thursday, 25 October 2012 22:46:18 UTC