Re: PING - areas where contributions are needed


2015-10-06 15:06 GMT+01:00 Mike O'Neill <>:

> Hi Lukasz,
> In 4.1 the other party has to be a “service provider”, i.e. a party who is
> contracted never to use collected personal data on its own behalf (unless
> it is “permanently de-identified”).

Where, let's highlight, it's challenging to properly and permanently
de-identify certain types of data ;-) Especially if they on their own may
form identifiers.
It is quite tricky.

> It is very close in concept to the Data Processor in EU DP law. It is
> simply acting on behalf of the DNT receiving party i.e. similar to an agent
> acting “in their shoes”.

Do you mean the upcoming GDPR in EU? It has (or at least had the last time
I looked) rather strict and very general definitions here. Specifically in
regards to anonymization, assigning PII-like treatment to a plethora of

> From the definition:
> For the data received in a given network interaction, a *service provider*
> is considered to be the same party as its *contractee* if the service
> provider:
>    1. processes the data on behalf of the contractee;
>    2. ensures that the data is only retained, accessed, and used as
>    directed by the contractee;
>    3. has no independent right to use the data other than in a permanently
>    de-identified
>    <>
>    form (e.g., for monitoring service integrity, load balancing, capacity
>    planning, or billing); and,
>    4. has a contract in place with the contractee which is consistent
>    with the above limitations.
> So I think it is OK.

In Real-Time Bidding, bidders might sometimes collect GPS-like positioning.
This tied to others, would it be also covered? If yes, is it fine? If no,
isn't this possibly inhibiting adoption? I am still following the very well
idea in 4.1 to use ad exchange as the example.

> Thanks for giving your input!

Your welcome!


Received on Friday, 9 October 2015 22:07:53 UTC