Re: [proposals] Why would notice and consent not be adequate? (#5)

There will always be personal data processing. Just by less people. Taking topic as an example, but same logic applies to all propositions I believe: Before, hundreds of vendors would be tracking users across domains to infer their interest. In Topics API, the browser (so Google Chrome for example) is doing this Personal Data processing. The fact that the personal data processing is happening on the browser instead of a third party server doesn't change the fact that personal data processing is happening, and as such, falls under GDPR. In that case, it means that Chrome will require some legal base (likely consent) in order to do that.
Maybe a more recent example, the Belgium DPA ruling against IAB Europe that happened last week. As per this ruling, the ability to evaluate user's choice about their data processing is itself a personal data processing and requires a valid legal base. So there is no escaping GDPR.

Finally, GDPR is only one of the applicable law. The other one, ePrivacy, regulates device access, whether it is for personal data or not. Since most solutions out there (IPA, topics, FLEDGE, PARAKEET, etc.) require device storage (so device access), it means they are all subject to consent under current law. 

-- 
GitHub Notification of comment by jdelhommeau
Please view or discuss this issue at https://github.com/patcg/proposals/issues/5#issuecomment-1034865927 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 February 2022 12:29:38 UTC