RE: Status of First-Party Sets

I believe that is a matter for the CMA rather than ING. ING monitor rather than make decisions. They need to monitor these discussions and more at the W3C.

However we don't need to ask the CMA to settle the matter. Google are bound<https://assets.publishing.service.gov.uk/media/62052c6a8fa8f510a204374a/100222_Appendix_1A_Google_s_final_commitments.pdf> to GDPR on all matters related to privacy.

"Applicable Data Protection Legislation" means all applicable data protection and privacy legislation in force in the UK, including the Data Protection Act 2018, the UK General Data Protection Regulation (and regulations made thereunder) and the Privacy and Electronic Communications (EC Directive) Regulations 2003

First parties and third parties have no meaning under GDPR as confirmed<https://ico.org.uk/media/about-the-ico/documents/2619797/cma-ico-public-statement-20210518.pdf> by the ICO and CMA.

Box B: what is the difference between first-party and third-party data? Data is sometimes categorised according to the relationship between the party collecting and processing it and the individual or circumstance it relates to: * First-party data: data that is collected by a business through direct interaction with an individual providing or generating the data. For example, data collected by an online retailer regarding purchases made by consumers on its site. * Third-party data: data collected by a business not in direct interaction with the individual providing or generating the data, for example, through business partners. Digital firms that do not have a direct relationship with users frequently rely on third-party data. The boundaries between first and third-party data according to the above definition are not always clear, particularly when large companies own a variety of businesses, some of which have a relationship with the user and some of which do not. Both first-party and third-party data as defined above can include personal and nonpersonal data. Whether information is personal data depends on whether it relates to an identified or identifiable individual. There is no explicit reference to the distinction between first-party and third-party data in data protection law. 9 The descriptions of 'first party' and 'third party' are also used (though with a different meaning) in the context of cookies and similar technologies,10 which collectively form the key means by which information (including personal data) is collected and disseminated in online advertising. A cookie is generally identified as being first-party if the domain of the cookie matches the domain of the page visited and as being third-party in instances where the domain of the cookie does not match the domain of the website. This is not a rigid distinction. Some functions typically delivered through third party cookies can be done via first party cookies, even if a third party's code and associated service is still involved. The rules on the use of cookies and similar technologies are specified in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (as amended) ('PECR'), and oversight of these rules is one of the ICO's regulatory functions. PECR provides more specific rules than the UK GDPR in a number of areas such as cookie use. It is also important to note that PECR's provisions in this area apply whether or not personal data is processed.

Any proposal, change, or discussion that uses first and third party as justification will be a flagrant breach of the agreement between Google and the CMA as there is no distinction under GDPR.

James

From: Zucker-Scharff, Aram <Aram.Zucker-Scharff@washpost.com>
Sent: 06 June 2022 19:22
To: Travis Leithead <travis.leithead@microsoft.com>; James Rosewell <james@51degrees.com>; Kaustubha Govind <kaustubhag@google.com>; Theresa O'Connor <hober@apple.com>; Chris Wilson <cwilso@google.com>; yoavweiss@chromium.org; Léonie Watson <lwatson@tetralogical.com>; matthew.hancox@ing.com; david.verroken@ing.com
Cc: public-privacycg@w3.org
Subject: Re: Status of First-Party Sets

Since Matthew and David are on this email, presumably they could tell us if FPS is or is not against the agreements Google has made with the CMA? I think a definitive statement in this matter would presumably help lead participants towards a best next step.

-- Aram Zucker-Scharff
The Washington Post
+1-703-829-0532


From: Travis Leithead <travis.leithead@microsoft.com<mailto:travis.leithead@microsoft.com>>
Date: Monday, June 6, 2022 at 2:10 PM
To: James Rosewell <james@51degrees.com<mailto:james@51degrees.com>>, Kaustubha Govind <kaustubhag@google.com<mailto:kaustubhag@google.com>>, Theresa O'Connor <hober@apple.com<mailto:hober@apple.com>>, Chris Wilson <cwilso@google.com<mailto:cwilso@google.com>>, yoavweiss@chromium.org<mailto:yoavweiss@chromium.org> <yoavweiss@chromium.org<mailto:yoavweiss@chromium.org>>, Léonie Watson <lwatson@tetralogical.com<mailto:lwatson@tetralogical.com>>, matthew.hancox@ing.com<mailto:matthew.hancox@ing.com> <matthew.hancox@ing.com<mailto:matthew.hancox@ing.com>>, david.verroken@ing.com<mailto:david.verroken@ing.com> <david.verroken@ing.com<mailto:david.verroken@ing.com>>
Cc: public-privacycg@w3.org<mailto:public-privacycg@w3.org> <public-privacycg@w3.org<mailto:public-privacycg@w3.org>>
Subject: Re: Status of First-Party Sets
CAUTION: EXTERNAL SENDER
> [..] I'm unsure how one would go about removing FPS from WICG. Perhaps the WICG chairs can advise?

The WICG is home to over 120 [wicg.io]<https://urldefense.com/v3/__https:/wicg.io/__;!!M9LbjjnYNg9jBDflsQ!DT4A_609B6yiRxGLK4nQf6Gba25tsuH2agDoPU-xBAvTPr5Dj7n_1Pn9uQ2jnmTYs6qdsGbhTuKlmYbP-QtrU9U3t7RtLNxqZq-pV717$> unique incubations at varying stages of maturity and implementation. While I have been a co-chair, we have graduated numerous proposals into other venues, and archived others at the request of their owners, but we've never forcibly removed any incubations (even when they appear inactive for years). I think it would set a bad precedent to start now. The WICG is a field for sowing ideas; for this reason our criteria for acceptance is very low.
________________________________
From: James Rosewell <james@51degrees.com<mailto:james@51degrees.com>>
Sent: Saturday, June 4, 2022 12:50 AM
To: Kaustubha Govind <kaustubhag@google.com<mailto:kaustubhag@google.com>>; Theresa O'Connor <hober@apple.com<mailto:hober@apple.com>>; Chris Wilson <cwilso@google.com<mailto:cwilso@google.com>>; yoavweiss@chromium.org<mailto:yoavweiss@chromium.org> <yoavweiss@chromium.org<mailto:yoavweiss@chromium.org>>; Léonie Watson <lwatson@tetralogical.com<mailto:lwatson@tetralogical.com>>; Travis Leithead <travis.leithead@microsoft.com<mailto:travis.leithead@microsoft.com>>; matthew.hancox@ing.com<mailto:matthew.hancox@ing.com> <matthew.hancox@ing.com<mailto:matthew.hancox@ing.com>>; david.verroken@ing.com<mailto:david.verroken@ing.com> <david.verroken@ing.com<mailto:david.verroken@ing.com>>
Cc: public-privacycg@w3.org<mailto:public-privacycg@w3.org> <public-privacycg@w3.org<mailto:public-privacycg@w3.org>>
Subject: RE: Status of First-Party Sets


Adding Matthew Hancox and David Verroken in their role as Monitoring Trustee<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.gov.uk%2Fcma-cases%2Finvestigation-into-googles-privacy-sandbox-browser-changes%23monitoring-trustee-report&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QTqAadlA6ffoshp%2BTzTNi9EedtCMLGGme5SQ%2BtmTzRw%3D&reserved=0> of Google's commitments with the CMA.



Adding the chairs of Web Incubation Community Group (WICG) as the future home of FPS to seek their advice on removing FPS from WICG.



To summarise the situations.



  1.  The chairs of Privacy CG who are employed by Apple, Microsoft, and Mozilla have made a decision after two years to finish work on the proposal due to a "lack of multi-implementer interest".
  2.  The WICG, where two of the four chairs are employed by Google, and the other two Microsoft and Tetralogical, are now going to take the FPS forward because as the employee from Google asserts there is "multi-vendor and web developer interest".

I would like to understand this interest based on the merits of the proposal rather than the market dominance of the proposer's employer.



Google control the web via their Chrome web browser accounting for 64% share of the market and over 75% share of the market for Chromium based browsers of which Google have effect control. See Statcounter<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgs.statcounter.com%2Fbrowser-market-share%23monthly-200901-202205&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=w5t51BeP1Cf4%2FmLwm2RE0BNtT%2BQQSiQuQ6Ayoqd2qQ8%3D&reserved=0>.



My interest in FPS is merely related to the fact that one cannot ignore any proposal from Google due to Google's market dominance and control of Chromium. My interest is not related to any merits of the proposal. Is this also true of others in these groups? Who is interested based purely on the technical merits of the proposal? Could anyone even answer these questions openly due to the fear of being labelled "anti-Google" or "anti-privacy"?



I do not see any merits to the proposal as drafted beyond identifying that the removal of so-called third-party cookies (3PC) by Google creates revenue problems for Google's own brands (YouTube and Google), and that the largest advertisers from which Google generates revenue will be impacted by 3PC

removal (Disney, ESPN, Hulu). Google's Directors must find a way to protected that revenue. Large publishers operating multiple domains might also consider FPS as a hobbled way of continuing to operate their business once 3PC are removed, and therefore support the proposal as the "least worst" of Google's proposals when considering their future revenues.



FPS is also flawed for the following reasons.



  1.  FPS does not align to GDPR as required under Google's commitments with the CMA.
  2.  FPS centralizes administration of the web via an Independent Enforcement Entity (IEE).
  3.  FPS continues to propagate the myth that there is a distinction between first and third parties. Only data controllers and processors matter under GDPR. Any work to improve privacy must seek to upgrade the privacy boundary of the web in these terms and move away from domain names alone.
  4.  The W3C Technical Architecture Group (TAG) in their review<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3ctag%2Fdesign-reviews%2Fblob%2Fmain%2Freviews%2Ffirst_party_sets_feedback.md%23is-this-harmful-to-the-web&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=VD59dZ2e4gfk8bLlny%2B9bcOajdqJLSncHfEaQ%2Fdh3AU%3D&reserved=0> of FPS identified the competition impacting harm associated with FPS.

"It is likely that this proposal only benefits powerful, large entities that control both an implementation and services."



  1.  Movement for an Open Web (MOW), of which I'm Director, also analysed<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmovementforanopenweb.com%2Fin-depth-analysis-of-googles-first-quarterly-report%2F&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XMlPMuBT0qTl3iABDi8J18FVvLESOsrg0Zc985XlHxw%3D&reserved=0> Google's first quarter report under the CMA commitments and identified the need to apply non-discriminatory definitions for proposals like FPS.

As WICG is in practice controlled by Google, and the "home" of Privacy Sandbox (PS) proposals, presumably to avoid the independence of other groups like Privacy CG which view PS proposals less favourably, I'm unsure how one would go about removing FPS from WICG. Perhaps the WICG chairs can advise?



However, my preference would be for FPS to be voluntarily abandoned by Google, and for Google to consider solutions that work for all participants of the web and not just a narrow set of large entities. To this end I have proposed the modified GDPR Validated Sets<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FWICG%2Ffirst-party-sets%2Fpull%2F86&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=PY5xgAaUuyfWyclt00FtmWiWhxAv1uS7K%2FaIBpNwOY8%3D&reserved=0> (GVS) derivative.



As participants must follow every proposal from Google to ensure they can manage expectations within their businesses, with customers, and other stakeholders the removal of at least one PS proposal will be a welcome reduction in the PS "distraction tax" on the wider eco-system which is already causing much harm today.



Regards,



James



From: Kaustubha Govind <kaustubhag@google.com<mailto:kaustubhag@google.com>>
Sent: 03 June 2022 15:02
To: Theresa O'Connor <hober@apple.com<mailto:hober@apple.com>>
Cc: public-privacycg@w3.org<mailto:public-privacycg@w3.org>
Subject: Re: Status of First-Party Sets



Hi PrivacyCG chairs and community members,



Thank you for the thoughtful discussion and feedback on First-Party Sets during our time incubating in the PrivacyCG. Given that the proposal continues to have multi-vendor and web developer interest, we will continue the incubation of this work in the WICG, and we invite those of you who are interested in the proposal to continue engagement with us in that forum. You can now find our repository at https://github.com/WICG/first-party-sets<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FWICG%2Ffirst-party-sets&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=UxxmAA6rrrSR8cPe6DkCq6yLN1CA0CL%2Ffv2vmMwG4Ck%3D&reserved=0>.



We plan to organize meetings within the WICG on a one-off basis when we've accumulated agenda items; which will be planned and announced via this GitHub issue<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FWICG%2Ffirst-party-sets%2Fissues%2F89&data=05%7C01%7Ctravis.leithead%40microsoft.com%7Cdf15ecae4f4e4378020808da45fef700%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637899258635149241%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FTrNSkjF6uRg%2BPEHqQNkNgAisQAyxwmkkBuJOpT897w%3D&reserved=0>. Please Comment/Watch/Star the issue to follow along, or provide suggestions.



Thank you,

Kaustubha, Harneet, and Johann





On Thu, Jun 2, 2022 at 2:12 PM Theresa O'Connor <hober@apple.com<mailto:hober@apple.com>> wrote:

Hi all,

As chairs of the W3C Privacy Community Group, we have decided to drop
First-Party Sets as a Work Item in the group. Given the discussions the
group has had and the lack of multi-implementer interest, we see it as
unlikely to exit incubation. With regards to the concerns about the
privacy properties of First-Party Sets that were raised in issue 88,
given the discussion in that issue and during our recent meetings, the
chairs find that there is no consensus in the CG.

This does not mean that the various use cases that First-Party Sets
attempted to solve are not worth solving. We welcome alternative
proposals to address some or all of the use cases First-Party Sets aimed
to address.

We want to thank everybody who participated in discussions of
First-Party Sets over the last couple of years. Special thanks to
Kaustubha Govind, Harneet Sidhana, and Johann Hofmann for all their hard
work on it.

--
Erik, Tanvi, & Tess
This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained herein. This is an email from 51Degrees.mobi Limited, Davidson House, Forbury Square, Reading, RG1 3EU. T: +44 118 328 7152; E: info@51degrees.com<mailto:info@51degrees.com>; 51Degrees.mobi Limited t/as 51Degrees.
This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained herein. This is an email from 51Degrees.mobi Limited, Davidson House, Forbury Square, Reading, RG1 3EU. T: +44 118 328 7152; E: info@51degrees.com; 51Degrees.mobi Limited t/as 51Degrees.