Re: [proposals] Why would notice and consent not be adequate? (#5)

@darobin you seem to assume that notice and consent regimes can't coexist with effective mechanisms. I don't believe this to be the case. I think that while Privacy Enhanced Technology are definitely a good thing for users, that doesn't mean notice and consent are no longer required. Foundation of privacy under GDPR is transparency and control. If you build a complex system which eventually prevent bad actors from doing things they weren't allowed in the first place, but the user doesn't understand it, I don't think this will help in the long term for restoring user's confidence in the internet.
That said, I imagine we could argue about the above and not reach consensus, so not a great way to spend time and resources.
However, even if we don't necessary agree on the above, it remains that we must work in the scope of the law. As you said so yesterday in the call, a standard must be more restrictive than laws, otherwise no one would, or at least should use it. In EMEA, device access require consent and notice. Personal Data Processing is more flexible with regards to legal basis, but if we assume either consent or legitimate interest, both require at the very least transparency and control.
As per @martinthomson presentation yesterday, if we start with the assumption that those new mechanisms should be "on by default with opt-out", then we are designing solutions that will not work for EMEA. I don't think this is right. And we can't assume that regulation will eventually evolve (ePrivacy Regulation) to meet our needs. We must work within the existing constraints, and eventually adapt our solution as law evolve.

-- 
GitHub Notification of comment by jdelhommeau
Please view or discuss this issue at https://github.com/patcg/proposals/issues/5#issuecomment-1034686561 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 February 2022 09:26:46 UTC