Re: First-Party sets and the potential application of the JournalList trust.txt specification from Ralph Brown on 2022-01-13 (public-privacycg@w3.org from January 2022)

From: Ralph Brown <ralph@brownwolfconsulting.com>
Date: Thu, 13 Jan 2022 08:47:36 -0700
To: Robin Berjon <robin@berjon.com>
Cc: Don Marti <dmarti@cafemedia.com>, public-privacycg@w3.org, Scott Yates <scott@journallist.net>
Message-Id: <955C3B15-4CB2-4E6D-B33F-BB0CCF4C9F44@brownwolfconsulting.com>

Robin,

Couldn’t agree more with your comment on content-related control. See my response below.

> On Jan 13, 2022, at 7:51 AM, Robin Berjon <robin@berjon.com> wrote:
> 
> Hey Don,
> 
> On 2022-01-10 14:28, Don Marti wrote:
>> Right now there is still an open topic of discussion about how First-Party Sets will define common control for members of a set.
>> There is a workable definition of "controller" in GDPR: "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." FPS is intended to be international, but this definition is the best one I have found so far.
> 
> I'm not a lawyer, but I would like to caution against having any expectation that FPS and the notion of GDPR controller are aligned.
> 
> If using FPS for purely technical reasons inside of what is clearly a single service (basic-service.com and basic-service-usercontent.com), then that's likely fine. However, there is regulator guidance indicating that different services of the same company, even if on the same domain (and therefore even if they're in a FPS), are distinct data controllers and data sharing between them is subject to controller-to-controller expectations.
> 
> It's generally a violation of users' trust to share data between distinct services even if they are owned by the same company, shown with the same brand, etc. So in this at least the GDPR seems to be aligned with privacy principles. Folks might wish to be cautious before expecting FPS to hand out freebies in terms of data sharing, at least in that kind of jurisdiction.
> 
>> (For purposes of trust in journalism, data controller would probably be necessary but not sufficient--the definition of control would have to include content-related control.)
> 
> For entirely different reasons, I would be cautious about content-related control as well! There are media groups that own different titles with widely varying commitments to integrity and accountability.

This is why each entity within a FPS has its own trust.txt file indicating its membership in trade associations as well as “disclosure” entries that could point to a disclosure of its own editorial practices. Not all entities within an FPS necessarily have the same set of memberships, social media accounts, etc. An example of this is https://www.bizjournals.com/ <https://www.bizjournals.com/>. They have 40+ city business journal publications under https://www.bizjournals.com/ <https://www.bizjournals.com/> , but the publication entity of each city may belong to a different state press association. While in this case they likely have the same editorial practices across all of them, they could conceivably have different ones.

> 
> -- 
> Robin Berjon
> VP Data Governance
> The New York Times Company

Regards,

Ralph

Received on Thursday, 13 January 2022 15:47:51 UTC