- From: Rigo Wenning <rigo@w3.org>
- Date: Mon, 21 Jul 2003 11:23:36 +0200
- To: Ari Schwartz <ari@cdt.org>
- Cc: public-p3p-spec@w3.org
On Fri, Jul 18, 2003 at 02:15:23PM -0400, Ari Schwartz wrote: > > Hi Rigo, > > My definitions were not meant to be from a US cultural perspective. > In fact, if I understand them correctly, your definitions are much > closer to the experience (legal interpretations) of the US Privacy > Act of 1974 then mine are. Ok, that makes sense as the Act of 1974 was in concerto and in sync with the development in Europe. It only touches the public sector, but the definitions of scope (identifiable in our case) are still the same. > > The reason that I strayed from this view is because of the use of > relational databases. A data collector may create a system where > fields are not searched at the time of collection but the person is > still generally identified within the system. That is exactly the point. Initially, data protection in national legislations did _not_ apply to paper-collections. The Directive extends the scope to well-organized paper-collections. The parallel I see is the distinction between raw logfile data and data organized in a relational database. A simple cross-reference of the tables would link a lot of data to someone's identity. This is much harder to do for raw logfiles where you'd have to resolve all the pseudonyms (like IP etc), chase for ID's in refererrers and re-organize the raw data in a relational database (or in RDF). In a relational database, I consider the identifying already be done as soon as there is a link to some identity qualifier like name, address, Social security number, email-address etc. I don't want to explore the fuzzy edge between pseudonyms and 'identified' here, as this is another potential rathole. But if a company had good profile-data in a well-organized relational database tied to a pseudonym and the same company would have the ability to resolve that pseudonym to the real name of a person without external data and help, I would consider this identified as the decision of identifying (purpose, processing) lies in their hands unless there are specific means to prevent the identification of a pseudonym (third party e.g.) > > My understanding from Europe was that different countries were > interpreting this differently and it hadn't been worked out. If you > can point to some definitive writing on this subject, I'd definitely > like to see it. No, I don't think so. In fact, the commission just decided to follow-up with every diverging definition and remedy the situation so that laws are more homogenius. I will verify, but you could help me by giving me a more concrete example of what you mean by diverging interpretations. (I think the variety is more on the side of permissions than on the side of scope and definition of identity and identifiable) Best, Rigo >
Received on Monday, 21 July 2003 05:26:27 UTC