RE: Doodle poll for meeting, please respond ASAP & DNT:0 action-346 issue-189

 

The European Parliament's Civil Liberties, Justice & Home Affairs committee
has published a report on the draft General Data Protection Regulation
(DGDPR) which introduces alleviations on data controllers for the use of
pseudonymous identifiers. This is similar in concept to the
"de-identification" of data for which the meetings in Washington DC and
Brussels have been called to discuss. The report also explicitly refers to
our W3C Tracking Protection standards.

 

This report is therefore extremely germane to one of the topics for this
group, namely the definition of DNT:0.

The new Regulation is expected to come into force this year (although Member
States have a further 2 years to enact it) and the views of this crucial
committee of democratically elected representatives will inevitably be
strongly represented in the final draft. This is important as it refers
explicitly to our work and points to the legal context our standard will
ultimately operate under in Europe.

 

Referring to this report, in the Explanatory Statement paragraph headed
Strengthening individuals' rights our standard is referenced:

 

As the Regulation implements a fundamental right, a limitation of the
material scope, particularly as regards the definition of “personal data”,
by for instance introducing subjective elements relating to the efforts the
data controller should make to identify personal data is rejected. The
concept of personal data is further clarified with objective criteria
(Article 4(1); Recitals 23 24). Legitimate concerns regarding specific
business models can be addressed without denying individuals their
fundamental rights. In this context the rapporteur encourages the
pseudonymous and anonymous use of services. For the use of pseudonymous
data, there could be alleviations with regard to obligations for the data
controller (Articles 4(2)(a), 10), Recital 23).

 

Consent should remain a cornerstone of the EU approach to data protection,
since this is the best way for individuals to control data processing
activities. Information to data subjects should be presented in easily
comprehensible form, such as by standardised logos or icons (Article
11(2a),(2b)). Technical standards that express a subject’s clear wishes may
be seen as a valid form of providing explicit consent (Articles 7(2a), 23).

 

This is made more explicit in Amendment 105 to Article 7 of the DGDPR which
introduces a new paragraph (2 a):

 

If the data subject's consent is to be given in the context of the use of
information society services where personal data are processed only in the
form of pseudonyms, consent may be given by automated means using a
technical standard with general validity in the Union in accordance with
paragraph 4c, which allows the data subject to clearly express his or her
wishes without collecting identification data.

 

Justification

This allows for the use of standards such as "Do Not Track", combined with
an incentive to use only pseudonymous data based as found e.g. in §15 of the
German Tele-Media Law. In order to ensure such a standard is in line with
this Regulation, it needs to be approved by the Commission. See related
amendments to Articles 4(2a), 7(4c) and Recital 23.

 

Pseudonymous identifiers are defined in Amendment 85 to Article 4 –
introducing new text:

 

'pseudonym' means a unique identifier which is specific to one given context
and which does not permit the direct identification of a natural person, but
allows the singling out of a data subject;

 

Note the qualification that pseudonyms are specific “to one given context”.
This requirement is repeated in Amendment 117 to Article 10:

If the data processed by a controller do not permit the controller to
identify or single out a natural person, or consist only of data relating to
pseudonyms, the controller shall not be obliged to acquire additional
information in order to identify the data subject for the sole purpose of
complying with any provision of this Regulation.

 

Justification

Data controllers may use a unique identifier for the same person across
different services and contexts, while still not being able to identify a
natural person on their basis. Pseudonyms as defined in the amendment to
Article 4 are limited to a specific context. The amendment makes clear that
the article applies to both cases…

 

Two points arise from this that we should discuss:

· The DNT signal is referred to as a Consent signal (for pseudonymous
identifiers). This must mean the DNT:0 User Granted Exception. In this
context the absence of a DNT signal or if it is set (DNT:1) would mean that
consent had not been given and so no unique identifiers should be used,
pseudonymous or otherwise.

· If DNT:0 is indicated, taken as the signaling of explicit user
consent by automated means, then pseudonymous identifiers may be used but
only in a single context. This must mean that an advertiser, say using their
domain origin clickads.com, can only use identifiers within that domain i.e.
they must not be shared with other entities, and they must not be associated
with other data that could identify the user as a natural person, such as
their name, address, email address etc.

 

The current compliance document is incompatible with both these points
because:

a. It assumes that an unset DNT signal is equivalent to DNT:0.

b. The DNT:0 signal would signify that identifying data can be shared
between entities without a need for further explicit informed consent.

 

Cheers,

 

Mike

 

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: 08 January 2013 18:54
To: David Wainberg
Cc: public-tracking-international@w3.org
Subject: Re: Doodle poll for meeting, please respond ASAP

 

David, Chris, 

 

the topics in this task force are very limited. I enumerated them in the
kick-off email: 

 

 
<http://lists.w3.org/Archives/Public/public-tracking-international/2012Nov/0000.html>

 

1/ Definition of DNT:0 (which will more or less define what one can do)
2/ TPE additions
3/ Which form should the EU How-to take (Note, best practice,
document for webplatform.org)

 

Those are my main topics. But I'm open to a debate about more urgent things.


 

I think this is not interesting for people who only want to make sure the
things created do not interfere with their solutions. Because the entire
work will be brought back to the entire group anyway for decision. But then,
it will be bundled and the ability to influence in detail will be less.
After all nobody wants to negotiate all the stuff twice.

 

But if you're really interested in the solutions found for a regulated
market, I think you should closely monitor. We also hope to be able to
provide an audio link. But the times will be inconvenient. 

 

Does that answer your questions?

 

-- Rigo

 

On Tuesday 08 January 2013 10:21:44 David Wainberg wrote:

> Hi Rigo,
>
> Can you state the agenda for the meeting? I know there have been
> conversations, and I think some thoughts have been tossed around, but
> as we get to making concrete plans it would be helpful to know the
> goals and agenda for the meeting. Thanks much.
>
> Best,
>
> David
>
> On 1/8/13 10:16 AM, Rigo Wenning wrote:
> > Hi all,
> >
> > this is to select the meeting days. We can not go earlier than 21
> > Feb, because people have to prepare for traveling. From that I
> > created the doodle poll for a meeting in Berlin/Germany:
> >
> > <http://www.doodle.com/4nxv7trzb34xdvqk>
> >
> > Known conferences so far:
> > 6-8 March IAPP Washington DC
> >
> > Please fill out the poll ASAP so we can prepare the invitation and
> > the logistics in time.
> >
> > Best,
> >
> > Rigo

Received on Saturday, 12 January 2013 15:52:56 UTC