Re: Mapping DNT to GDPR

Dear Aleecia,

RE: DNT was never designed with the GDPR/ePR Dir. in mind.

I would refer you to this email on the WG… by Rob Van Eijk https://lists.w3.org/Archives/Public/public-tracking/2017Oct/0035.html where he says:

If the aim is to convey a personalized contract through DNT, I think you overload the protocol. It was not designed to do that.

Also reading your latest responses to the WG where in this one you state… My concern is name space collisions. We need some way to disambiguate *which* [1] in the array, yes?

It is clear that there are some serious issues with the current CR of Do Not Track as it relates to being useful for GDPR.

But I digress; let’s return to Robin’s questions - he does a great job of posing them as ‘use cases’ - so my response will be a use case.

I will therefore formulate my question in terms of use cases.

1) Is the intent of the Tracking Preference Expression that `DNT:0` would convey consent in the sense of GDPR Article 4, definition 11, and Article 7?

2) Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications".

From the CR version of the Do Not Track protocol it states in Section 5.1: https://w3c.github.io/dnt/drafts/CRc-tracking-dnt.html#expression-format that:

DNT:1 means the following:

This user prefers not to be tracked on this request.

DNT:0 means the following:

This user prefers to allow tracking on this request.

GDPR Article 4, definition 11 states -

'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

GDPR Article 7 states: Conditions for Consent

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

So the answer to Robin's use case is NO.

DNT:0 cannot express consent because it does not meet the definition of the Conditions for Consent. Why not?


  1.  You cannot consent to something PRIOR to seeing what you are being asked to consent to, and yet that is what the DNT:0 signal would be transmitting to the origin server
  2.  DNT:0 is a global binary setting - The GDPR Conditions for Consent are Local, Regional, and more importantly PER PERSON PER WEBSITE, i.e. contextual

So the answer to question 1 is NO unless you can show a use case where if I send a DNT:0 signal to an EU server it means I’ve consented to having my data processed. I very much doubt that is possible but please show me.

Now the second question - I now change my Global DNT setting from a 0 to a 1… would this convey a user’s objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications"?

Let’s review Article 21, paragraph 5…

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Here again the answer to Robin’s use case is NO - why not?


  1.  DNT:1 is a global binary setting - The GDPR Conditions for Consent are Local, Regional, and more importantly PER PERSON PER WEBSITE, i.e. contextual. It means that I don’t want to be tracked; it does not mean I’m exercising my right to object.
  2.  If I change my setting from DNT:0 to :1 it means that it’s the same for every web site.

So in conclusion DNT is very specific in what it says - don’t track, track or unset (track). It is a binary setting and cannot mean more than that.

GDPR is a personal setting - it is contextual.

The current protocol, while extensible, cannot transmit contextual data because that would be a violation of my privacy. So you will need individual per person/per web site settings for the browser. You will need to enable a way for me to access those easily and remove them and transmit that information to the correct web site.

If you believe there is something in the current CR spec that enables that then please show via a use case how it can answer Robin’s questions.

Otherwise I'll let you get back to solving the current crop of GDPR related issues which Shane has correctly raised and which point directly to Robin’s questions.

My best,




Peter

Peter Cranstone
CEO, 3PHealth

COMS:
Mobile/Signal: +1 - 303-809-7342 UTC -6hrs
Skype: cranstone
Website | www.3phealth.com (Healthcare Patient Engagement and Data Interoperability)
Website | www.3pmobile.com (Privacy by Design Platform for GDPR and ePrivacy reg.)


On Oct 13, 2017, at 4:32 PM, Aleecia M. McDonald <aleecia@aleecia.com> wrote:


On Oct 13, 2017, at 2:25 PM, Peter Cranstone <peter.cranstone@3phealth.com> wrote:

DNT was never designed with the GDPR/ePR Dir. in mind.

This is factually incorrect. Rigo had EU compliance in mind from the very first workshop. Many architectural decisions happened specifically to support the EU, and continue to be made that way.

The rest, I’m not going to feed you further. You waste my time.

Aleecia

Received on Friday, 13 October 2017 23:26:20 UTC