RE: Topics for tomorrow

 

Hi Jeff,

 
Obviously there is support from WP29. Let there be no confusion about this.

See my last email.

 
>> (...) I don't understand why the opinion is unlikely to show support for DNT.

My mistake, support is not the right wording. It is a matter of scope, i.e. DNT is addressed in other guidance (for instance guidance on the ePR).

Rob

 —
PGP fingerprint: 704F 4955 F7E3 044E 4084 19E2 2844 CDDC A655 DB3C [public_key]


PGP verification is published in DNS which is secured by DNSSEC [rob._pka.blaeu.com]

 
 
 
-----Original message-----
From: Jeff Jaffe
Sent: Wednesday, November 15 2017, 5:50 pm
To: Mike O'Neill; Rob van Eijk; 'Matthias Schunter (Intel Corporation)'; public-tracking@w3.org
Subject: Re: Topics for tomorrow

 
 On 11/15/2017 11:14 AM, Mike O'Neill wrote:
We said it was critical to EU privacy and data protection law, which includes both the GDPR and the EPR (E-Privacy Regulation). The former does refer to DNT in effect, for example, in A21(5),


So now I am even more confused why WP29 is unlikely to show support for DNT.

Rob had indicated that there is support for DNT in ePR, but based on what you say there could be support in both ePR and GDPR.
 but the current European Parliament agreed draft of the EPR [http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&reference=A8-2017-0324&language=EN] is more specifically relevant to online and the web, and refers to many aspects of DNT in much more detail, for example in Recital 22, and parts of Article 9 and Article 10. Note that EPR A10 cross-references A21(5) of the GDPR, and that A10 is a requirement on browser companies, to be complied with no later than 6 months after the EPR comes into force.

 
Recital 22:

The methods used for providing information and obtaining end-user's consent should be as user-friendly as possible. Given the ubiquitous use of tracking cookies and other tracking techniques, users are increasingly requested to provide consent to store such tracking cookies in their terminal equipment. As a result, users are overloaded with requests to provide consent. This Regulation should prevent the use of so-called “cookie walls” and “cookie banners” that do not help users to maintain control over their personal information and privacy or become informed about their rights. The use of technical means to provide consent, for example, through transparent and user-friendly settings, may address this problem. Therefore, this Regulation should provide for the possibility to express consent by technical specifications, for instance by using the appropriate settings of a browser or other application. Those settings should include choices concerning the storage of information on the user's terminal equipment as well as a signal sent by the browser or other application indicating the user's preferences to other parties. The choices made by users when establishing the general privacy settings of a browser or other application should be binding on, and enforceable against, any third parties. Web browsers are a type of software application that permits the retrieval and presentation of information on the internet. Other types of applications, such as the ones that permit calling and messaging or provide route guidance, have also the same capabilities. Web browsers mediate much of what occurs between the user and the website. From this perspective, they are in a privileged position to play an active role to help the end-user to control the flow of information to and from the terminal equipment. 
More particularly web browsers, or applications or operating systems may be used as the executor of a user's choices, thus helping end-users to prevent information from their terminal equipment (for example smart phone, tablet or computer) from being accessed or stored.

 
Article 9(2):

Without prejudice to paragraph 1, where technically possible and feasible, for the purposes of point (b) of Article 8(1), consent may be expressed or withdrawn by using technical specifications for electronic communications services or information society services which allow for specific consent for specific purposes and with regard to specific service providers actively selected by the user in each case, pursuant to paragraph 1. When such technical specifications are used by the user's terminal equipment or the software running on it, they may signal the user's choice based on previous active selections by him or her. These signals shall be binding on, and enforceable against, any other party. 

 
Article 10:

Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall:

1. by default, have privacy protective settings activated to prevent other parties from transmitting to or storing information on the terminal equipment of a user and from processing information already stored on or collected from that equipment, except for the purposes laid down by Article 8(1), points (a) and (c);
2. upon installation, inform and offer the user the possibility to change or confirm the privacy settings options defined in point (a) by requiring the user's consent to a setting and offer the option to prevent other parties from processing information transmitted to, already stored on or collected from the terminal equipment for the purposes laid down by Article 8(1) points (a), (c), (d) and (da);
3. offer the user the possibility to express specific consent through the settings after the installation of the software.

 
Before the first use of the software, the software shall inform the user about the privacy settings and the available granular setting options according to the information society service accessed. These settings shall be easily accessible during the use of the software and presented in a manner that gives the user the possibility for making an informed decision.

               

1a.  For the purpose of:

1. points (a) and (b) of paragraph 1,
2. giving or withdrawing consent pursuant to Article 9(2) of this Regulation, and
3. objecting to the processing of personal data pursuant to Article 21(5) of Regulation (EU) 2017/679,

 
the settings shall lead to a signal based on technical specifications which is sent to the other parties to inform them about the user's intentions with regard to consent or objection. This signal shall be legally valid and be binding on, and enforceable against, any other party.

               

1b.  In accordance with Article 9 paragraph 2, such software shall ensure that a specific information society service may allow the user to express specific consent. A specific consent given by a user pursuant to point (b) of Article 8(1) shall prevail over the existing privacy settings for that particular information society service. Without prejudice to paragraph 1, where a specified technology has been authorised by the data protection board for the purposes of point (b) of Article 8(1), consent may be expressed or withdrawn at any time both from within the terminal equipment and by using procedures provided by the specific information society service.

 
3.  In the case of software which has already been installed on [xx.xx.xxxx], the requirements under paragraphs 1, 1a and 1b shall be complied with at the time of the first update of the software, but no later than six months after [the date of entry into force of this Regulation].

 
 
 
From: Jeff Jaffe [mailto:jeff@w3.org]
Sent: 15 November 2017 14:51
To: Rob van Eijk <rob@blaeu.com>; Matthias Schunter (Intel Corporation) <mts-std@schunter.org>; public-tracking@w3.org (public-tracking@w3.org) <public-tracking@w3.org>
Subject: Re: Topics for tomorrow

 
 
 
On 11/15/2017 6:29 AM, Rob van Eijk wrote:

Hi Matthias,

 
Just read the minutes.

 
>> schunter: If the WP29 opinion shows support for automated means such as DNT, that will help get interest.

 
The Working Party is working on Consent Guidelines in article 4(11) of the GDPR. This is mentioned in the public agenda of the working party [1].


 
The notion of consent in the draft ePR is linked to the notion of consent in the GDPR. Because DNT is linked to ePR-consent, and given the guidance by the working group on the ePR, it is unlikely that the opinion will show support for DNT.


I can't claim to understand the politics of what shows support for what, but I don't understand why the opinion is unlikely to show support for DNT.

W3M was on a path to close TPWG 18 months ago.  We reversed that path because we were told that DNT was critical for GDPR.  I infer that it is not the case that DNT is critical for GDPR and we were mistaken when we reversed path 18 months ago.  Am I understanding this correctly?

 
 
Rob

 
 
[1] http://ec.europa.eu/newsroom/document.cfm?doc_id=47530 

 
—
PGP fingerprint: 704F 4955 F7E3 044E 4084 19E2 2844 CDDC A655 DB3C [public_key]

PGP verification is published in DNS which is secured by DNSSEC [rob._pka.blaeu.com]

 
 
 
-----Original message-----
From: Matthias Schunter (Intel Corporation)
Sent: Sunday, November 12 2017, 9:18 am
To: public-tracking@w3.org (public-tracking@w3.org)
Subject: Topics for tomorrow
 

Hi Folks,

I suggest to discuss three topics:

1. How to get text proposals for issue 60 (purposes)

2. Actions to kick-off 2018 charter and to get new members joining

3. Status of implementations (needed for REC).

Regards,

matthias



 



 

 
 

Received on Wednesday, 15 November 2017 18:18:37 UTC