W3C home > Mailing lists > Public > public-tracking-comments@w3.org > October 2017

Re: Mapping DNT to GDPR

From: Peter Cranstone <peter.cranstone@3phealth.com>
Date: Mon, 16 Oct 2017 21:20:59 +0000
To: Rob van Eijk <rob@blaeu.com>
CC: Robin Berjon <robin.berjon@nytimes.com>, public-tracking-comments w3.org <public-tracking-comments@w3.org>
Message-ID: <16BEE9A3-CB35-405F-AA7A-A3FE8201A87C@3phealth.com>
Hi Robin,

Reading through Rob’s points with interest. Privacy really is all about context, however I find myself still not following some of Rob’s logic. For example:


  *   Regarding: Ad 1: the intent = yes

If I read Aleecia’s document ‘Do Not Track Europe’ on Page 18 she correctly states - For European users, the absence of a Do Not Track signal means they have not consented to tracking, and it is not acceptable to track them. I can’t convey consent with a setting until you have informed me what I need to consent too. And as there is NO site wide capability ONLY global web wide capability I cannot transmit the necessary consent. So my answer remains = no


  *   Regarding: Ad2: the intent = yes

Here are recitals 69 and 70 - in both cases I, the data subject can revoke my consent - so a DNT setting of 1 would be acceptable - however as you cannot current set a site wide setting of DNT:1 then the current protocol cannot help. Again my answer remains  = no. This is further corroborated below.

(69)
Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.

(70)
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

Regarding this part of Rob’s email…

publishers and third parties performing, e.g., behavioral online (re)targeting based on tracking techniques would require prior consent and they would have to offer its audience a way to easily revoke consent. DNT may contain the right building blocks to do parts of the consent job. It is clear however, that it cannot contain all that is needed for valid consent. Eg., the UI is left out of scope, and other forms of valid consent exist (e.g. out of bound consent in a customer loyalty program).

Here’s my thoughts - IF every browser was updated with the complete spec as currently is, and deployed globally by May 2018 I would agree that it MAY contain the building blocks to do the parts of consent. However as Rob states, it is clear that it cannot contain all that is needed for valid consent as the two APIs - Navigator.storeTrackingException and Navigator.revokeTrackingException don’t connect to anything. The item they need to connect to is ‘out of scope of the protocol’. (See section https://w3c.github.io/dnt/drafts/CRc-tracking-dnt.html#exception-overview)

In conclusion - until you or somebody creates a consent management solution that meets the requirements of both GDPR and ePR and then resolves how to embed that into both mobile and desktop browsers and all mobile apps that rely on advertising, then the current Do Not Track protocol as it stands is not a viable mechanism for GDPR or ePR.

I’m sure the lawyers will let us know the final answer on May 25 2018.


Peter

Peter Cranstone
CEO, 3PHealth

COMS:
Mobile/Signal: +1 - <tel:303-246-9954> 303-809-7342<tel:303-246-9954> UTC -6hrs
Skype: cranstone
Website | www.3phealth.com<http://www.3phealth.com>  (Healthcare Patient Engagement and Data Interoperability)
Website | www.3pmobile.com<http://www.3pmobile.com> (Privacy by Design Platform for GDPR and ePrivacy reg.)

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain information that is confidential or legally privileged. Any unauthorized review, use, disclosure or distribution of such information is prohibited. If you are not the intended recipient, please notify the sender by telephone or return e-mail and delete the original transmission and its attachments and destroy any copies thereof. Thank you.





On Oct 16, 2017, at 2:36 PM, Rob van Eijk <rob@blaeu.com<mailto:rob@blaeu.com>> wrote:

Hi Robin,

Let me say a few words speaking for myself, as an engineer, not claiming to ba a lawyer. Also, I am not joining the discussion with Peter on the same thread. I am not trying to do a legal assessment of DNT. I am just trying to put your question into context, based on my view of the articles.

ad 1. The intent, yes, but more specifically we should refer to consent under the ePR, which (most likely) is the same as consent under the GDPR. I say most likely, because the ePR must be read in conjunction with the GDPR when it comes to online tracking and  the ePR text is not final yet.

ad 2. The intent, yes, but the answer needs some clarification. Article 21 is about direct marketing, Article 21 should be read in conjunction with, e.g., recitals 69 and 70. Moreover, we should distinguish offline and online. Direct marketing is a concept that includes offline and online activities. Examples of offline direct marketing are, e.g., an advertising brochure, or a telemarketing call. Examples of online direct marketing are, e.g. direct marketing by email.In short, if a company presents a value proposition off-line, it may rely on the legal ground of legitimate interest and it has to offer an opt-out. For example, they can include an special telephone number, or e-mail address. Many countries have codes of conduct for, e.g., direct response advertising, direct marketing by email, telemarketing.See, e.g. FEDMA's code of conduct.
However, if a company presents a value proposition via a digital channel, e.g., email, fax or text message, it requires prior consent and it has to offer the possibility to revoke consent. In short, for online direct marketing the 'right to object object' is not the right term. It is about revoking consent. In any case, companies must inform people how they can exercise their rights (opt-out or revoke consent). Note that in (most) online cases we are talking about an existing client relationship.Otherwise it may be just spam..In closing, publishers and third parties performing, e.g., behavioral online (re)targeting based on tracking techniques would require prior consent and they would have to offer its audience a way to easily revoke consent. DNT may contain the right building blocks to do parts of the consent job. It is clear however, that it cannot contain all that is needed for valid consent. Eg., the UI is left out of scope, and other forms of valid consent exist (e.g. out of bound consent in a customer loyalty program).

I hope this is helpful and answers your questions,.
Happy to take clarifying questions offline,
Kind regards,
Rob

-----Original message-----
From: Robin Berjon
Sent: Tuesday, October 10 2017, 5:07 pm
To: public-tracking-comments w3.org<http://w3.org>
Subject: Mapping DNT to GDPR

Dear TPWG,

I have walked through your documents and mailing list archives in search for an answer to my question but I cannot seem to find it. It is essentially two-fold and concerns the relationship between DNT and the GDPR from the point of view of a website. While I understand that legal questions may be tricky my understanding, which may be wrong, is that your current charter is designed to allow for better alignment with European privacy laws. I will therefore formulate my question in terms of use cases.

1) Is the intent of the Tracking Preference Expression that `DNT:0` would convey consent in the sense of GDPR Article 4, definition 11, and Article 7?

2) Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications".

Thank you very much for any information!

PS: Please do not read this message as indicating that the NYT will necessarily deploy DNT (or do so by the GDPR deadline); at this stage it is simply one aspect (amongst numerous others) that we are looking at.

--
Robin Berjon
The New York Times Company
Executive Director, Data Governance
robin.berjon@nytimes.com<mailto:robin.berjon@nytimes.com>

Received on Monday, 16 October 2017 21:21:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 16 October 2017 21:21:23 UTC