- From: Robin Berjon <robin@berjon.com>
- Date: Thu, 13 Jan 2022 09:51:17 -0500
- To: Don Marti <dmarti@cafemedia.com>, Ralph Brown <ralph@brownwolfconsulting.com>
- Cc: public-privacycg@w3.org, Scott Yates <scott@journallist.net>
Hey Don, On 2022-01-10 14:28, Don Marti wrote: > Right now there is still an open topic of discussion about how > First-Party Sets will define common control for members of a set. > > There is a workable definition of "controller" in GDPR: "natural or > legal person, public authority, agency or other body which, alone or > jointly with others, determines the purposes and means of the processing > of personal data." FPS is intended to be international, but this > definition is the best one I have found so far. I'm not a lawyer, but I would like to caution against having any expectation that FPS and the notion of GDPR controller are aligned. If using FPS for purely technical reasons inside of what is clearly a single service (basic-service.com and basic-service-usercontent.com), then that's likely fine. However, there is regulator guidance indicating that different services of the same company, even if on the same domain (and therefore even if they're in a FPS), are distinct data controllers and data sharing between them is subject to controller-to-controller expectations. It's generally a violation of users' trust to share data between distinct services even if they are owned by the same company, shown with the same brand, etc. So in this at least the GDPR seems to be aligned with privacy principles. Folks might wish to be cautious before expecting FPS to hand out freebies in terms of data sharing, at least in that kind of jurisdiction. > (For purposes of trust in journalism, data controller would probably be > necessary but not sufficient--the definition of control would have to > include content-related control.) For entirely different reasons, I would be cautious about content-related control as well! There are media groups that own different titles with widely varying commitments to integrity and accountability. -- Robin Berjon VP Data Governance The New York Times Company
Received on Thursday, 13 January 2022 14:51:34 UTC