Re: [proposals] Why would notice and consent not be adequate? (Notice and consent debate) (#5)

We should make sure that we stay on topic (which the deceptive retitling of the issue might not be helping with). The question at hand and that warrants documentation in the forthcoming principles document is: does notice and choice provide appropriate data protection and privacy in such a way that it supports adequate levels of personal autonomy and aligns with the Web's ethical principles?

The answer to this question is a clear and resounding "no." The topic has been studied in great detail and notice and choice fails on all counts.

What does this mean? It means that technologies produced by this group cannot _rely_ on notice and choice in order to claim to be appropriate in terms of privacy. What we deliver needs to intrinsically support privacy and not shirk that responsibility the way that consent-based systems do.

There are a few things that this does _not_ mean:

* **It does not mean that legal requirements get magicked away.** If there's a law somewhere that says your privacy policy has to be at least as long as Kant's _Kritik der reinen Vernunft_ then that will stay the same no matter what we build. This could potentially require the browser to obtain consent but I would refrain from speculating on that now (see below).
* **It does not mean that controls can't also be nice to have.** Just because people get privacy by default doesn't mean that they can't also get control, notably after-the-fact control (aka "data rights"), and in some jurisdictions that's required. My experience with most privacy control centres is that their primary purpose is to make it look like the company cares about privacy (but knows you won't use the controls) or wants to give you the false impression that they need the data in order to deliver the service (if we can't use your data for our own purposes then you don't get to use it yourself, e.g. for history). But it's true that there are some occasionally useful controls and there's no reason to prevent them as added niceties.
* **It does not require us to come up with a legal interpretation.** We should be careful with these, if only because there are lots of legal regimes out there and they change often (including just in terms of interpretation of regulatory focus). For instance, stating that browsers might need to obtain consent for attribution processing in the EEA _might_ be true but if so then there's no reason they wouldn't also need consent as themselves data controllers for passing any manner of data to third parties (under _Fashion ID_). If browsers should be treated as data controllers for site-related processing, that would have rather far-reaching consequences right now, notably on group participants who act as third parties. Rather than engage in this kind of risky speculation, we should focus on building the best tech possible. When we get to something concrete enough, we can have a subgroup of legally-minded folks look at legal theories for it. The consequence might be that browsers need to do something, or that an alternative path can be built with regulators. But we shouldn't cross that bridge before it's built — legal matters hinge on the slimmest details.

-- 
GitHub Notification of comment by darobin
Please view or discuss this issue at https://github.com/patcg/proposals/issues/5#issuecomment-1054731935 using your GitHub account


Received on Monday, 28 February 2022 22:37:11 UTC