Re: PING - areas where contributions are needed from Lukasz Olejnik (W3C) on 2015-10-06 (public-privacy@w3.org from October to December 2015)

From: Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
Date: Tue, 6 Oct 2015 22:18:57 +0100
To: "Mike O'Neill" <michael.oneill@baycloud.com>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CAC1M5qpPUW-6xmFGujdUtsG35FFKMAoAwd2QDLqGHs5d2voUKQ@mail.gmail.com>

Hi


2015-10-06 15:06 GMT+01:00 Mike O'Neill <michael.oneill@baycloud.com>:

> Hi Lukasz,
>
>
>
> In 4.1 the other party has to be a “service provider”, i.e. a party who is
> contracted never to use collected personal data on its own behalf (unless
> it is “permanently de-identified”).
>

Where, let's highlight, it's challenging to properly and permanently
de-identify certain types of data ;-) Especially if they on their own may
form identifiers.
It is quite tricky.


> It is very close in concept to the Data Processor in EU DP law. It is
> simply acting on behalf of the DNT receiving party i.e. similar to an agent
> acting “in their shoes”.
>

Do you mean the upcoming GDPR in EU? It has (or at least had the last time
I looked) rather strict and very general definitions here. Specifically in
regards to anonymization, assigning PII-like treatment to a plethora of
data.

>
>
> From the definition:
>
> For the data received in a given network interaction, a *service provider*
> is considered to be the same party as its *contractee* if the service
> provider:
>
>    1. processes the data on behalf of the contractee;
>    2. ensures that the data is only retained, accessed, and used as
>    directed by the contractee;
>    3. has no independent right to use the data other than in a permanently
>    de-identified
>    <http://www.w3.org/TR/2015/WD-tracking-compliance-20150714/#dfn-permanently-de-identified>
>    form (e.g., for monitoring service integrity, load balancing, capacity
>    planning, or billing); and,
>    4. has a contract in place with the contractee which is consistent
>    with the above limitations.
>
> So I think it is OK.
>

In Real-Time Bidding, bidders might sometimes collect GPS-like positioning.
This tied to others, would it be also covered? If yes, is it fine? If no,
isn't this possibly inhibiting adoption? I am still following the very well
idea in 4.1 to use ad exchange as the example.



>
>
> Thanks for giving your input!
>

Your welcome!

Best
Lukasz

Received on Friday, 9 October 2015 22:07:53 UTC