W3C home > Mailing lists > Public > www-p3p-public-comments@w3.org > August 2000

Re: P3P and the privacy legislation in Germany:

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 24 Aug 2000 20:28:05 +0200
To: Ruediger Grimm <grimm@darmstadt.gmd.de>
Cc: "Joseph M. Reagle Jr." <reagle@mit.edu>, rosnagel@uni-kassel.de, www-p3p-public-comments@w3.org, www-p3p-policy@w3.org
Message-ID: <20000824202805.D900@rigo.uni-sb.de>
I want to redirect this discussion to the new mailing-list,
established for that purpose. If you all are interested in 
that discussion, please subscribe to www-p3p-policy@w3.org:

To subscribe, please send mail to www-p3p-policy-request@w3.org
with 'subscribe' in the Subject: - Field.

On Mon, Aug 21, 2000 at 11:19:22AM +0200, Ruediger Grimm wrote:
> Hi Joseph,
[...]
> 
> > I still don't follow. Is your bad case the following: if a site A says they
> > give the data to sites that have similar practices (such as those that don't
> > use it for marketing) including site B. Site B has similar practices (no
> > marketing, etc.) also gives it to site C? This could go on for a while. But
> > the goal is to provide the use with the assurance that if they don't want
> > marketing, they won't get marketing, and to give them a sense of the scope
> > of distribution, not a complete audit trail (which I think is infeasible).
> > What is the alternative and how does it prevent this scenario?
> 
> The rules just prevent transitivity: a user would agree to transfer data
> to a service A. The user can also allow service A to transfer the date
> further to services B, C, D (but no others) for the puropse of
> (B: outsourced billing, C: market research, D: making sales offers
> to the user). Any other service who would like to get those user

This should already be covered by <ours/>:
<ours/> 
Ourselves and/or our agents: Ourselves and our agents. An agent in this
instance is defined as a third party that processes data only on behalf of the
service provider for the completion of the stated purposes. (e.g., The service
provider and its printing bureau which prints address labels and does nothing
further with the information.) 

What is not covered yet is, that A can ask, whether it would be also 
ok to share with B. We have discussed that. It can be expressed in 
a long-description field. But it won't be machine-readable, as the WG 
expressed the concern, that a declaration would be much to complex. 

If we would allow the use of (a special subset of) the  base-data-set 
in the recipient-field, the WG was quite confident, that it won't 
be used.

> data from A would have to ask the user first.
> Of course, the user could also allow the service A to "transfer the
> user data to anyone A wants to, under the restriction that..." But this
> would be rather an exceptional case. Ths standard case is: explicit
> recipients for excplicit purposes.
> 
> This is one of the strict rules of the German (and European)
> privacy protection laws. This rationale behind this is: the strong binding
> between data and the puropse of their use as a basic principle of
> privacy protection.
> 
Received on Thursday, 24 August 2000 15:04:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.1 : Tuesday, 21 September 2004 12:14:16 GMT