W3C home > Mailing lists > Public > public-tracking-comments@w3.org > October 2017

RE: Mapping DNT to GDPR

From: Rob van Eijk <rob@blaeu.com>
Date: Thu, 19 Oct 2017 14:51:32 +0000
To: Rob van Eijk <rob@blaeu.com>, Robin Berjon <robin.berjon@nytimes.com>, public-tracking-comments w3.org <public-tracking-comments@w3.org>
Message-ID: <0102015f351e3319-be6008ad-7cff-4b2e-8b67-432b43b437a0-000000@eu-west-1.amazonses.com>

Today's vote on the LIBE report of the ePrivacy Regulation is important for DNT. Article 8 (d) contains an opt-out for audience measurement. It is an angle DNT may play an important role. Two points that relate to Robin's question.

"If it is technically necessary for measuring the reach of an information society service requested by the user; provided that such measuement is carried out by the provider or on behalf of the provider, or by a web analytics agency acting in the public intrest including for acientific purpose; that the data is aggregated and the user is given the possibility to object; and further provided that no personal data is made accessible to any third party and that such measurement does not adversely affect the fundamental rights of the user; Where audience measuring takes place on behalf of an information society service provider, the data collected shall be kept separate from the data collected in the course of audience measuring on behalf of other providers;

Another interesting element I picked up is that DNT is still a key element.

Article 10 "For the purpose of (...) giving or withdrawing consent persuant to Article 9(2) of this (ePrivacy) Regulation, and objecting to the processing of personal data persuant to Article 21(5) of the GDPR, the settings shall lead to a signal based on thechnical specifications which is sent to the other parties to inform them about the users's intentions with regards to consent or objection. The signal shall be legally valid and be binding on, and enforceable against, any other party."

The ePR text is not final yet, but this is an imortant milestone in the legislative process.


-----Original message-----
From: Rob van Eijk
Sent: Monday, October 16 2017, 10:37 pm
To: Robin Berjon; public-tracking-comments w3.org
Subject: RE: Mapping DNT to GDPR

Hi Robin,

Let me say a few words speaking for myself, as an engineer, not claiming to ba a lawyer. Also, I am not joining the discussion with Peter on the same thread. I am not trying to do a legal assessment of DNT. I am just trying to put your question into context, based on my view of the articles.

ad 1. The intent, yes, but more specifically we should refer to consent under the ePR, which (most likely) is the same as consent under the GDPR. I say most likely, because the ePR must be read in conjunction with the GDPR when it comes to online tracking and  the ePR text is not final yet.

ad 2. The intent, yes, but the answer needs some clarification. Article 21 is about direct marketing, Article 21 should be read in conjunction with, e.g., recitals 69 and 70. Moreover, we should distinguish offline and online. Direct marketing is a concept that includes offline and online activities. Examples of offline direct marketing are, e.g., an advertising brochure, or a telemarketing call. Examples of online direct marketing are, e.g. direct marketing by email.In short, if a company presents a value proposition off-line, it may rely on the legal ground of legitimate interest and it has to offer an opt-out. For example, they can include an special telephone number, or e-mail address. Many countries have codes of conduct for, e.g., direct response advertising, direct marketing by email, telemarketing.See, e.g. FEDMA's code of conduct. 
However, if a company presents a value proposition via a digital channel, e.g., email, fax or text message, it requires prior consent and it has to offer the possibility to revoke consent. In short, for online direct marketing the 'right to object object' is not the right term. It is about revoking consent. In any case, companies must inform people how they can exercise their rights (opt-out or revoke consent). Note that in (most) online cases we are talking about an existing client relationship.Otherwise it may be just spam..In closing, publishers and third parties performing, e.g., behavioral online (re)targeting based on tracking techniques would require prior consent and they would have to offer its audience a way to easily revoke consent. DNT may contain the right building blocks to do parts of the consent job. It is clear however, that it cannot contain all that is needed for valid consent. Eg., the UI is left out of scope, and other forms of valid consent exist (e.g. out of bound consent in a customer loyalty program).

I hope this is helpful and answers your questions,.
Happy to take clarifying questions offline,
Kind regards,
 -----Original message-----
From: Robin Berjon
Sent: Tuesday, October 10 2017, 5:07 pm
To: public-tracking-comments w3.org
Subject: Mapping DNT to GDPR

Dear TPWG,
 I have walked through your documents and mailing list archives in search for an answer to my question but I cannot seem to find it. It is essentially two-fold and concerns the relationship between DNT and the GDPR from the point of view of a website. While I understand that legal questions may be tricky my understanding, which may be wrong, is that your current charter is designed to allow for better alignment with European privacy laws. I will therefore formulate my question in terms of use cases.
 1) Is the intent of the Tracking Preference Expression that `DNT:0` would convey consent in the sense of GDPR Article 4, definition 11, and Article 7?
 2) Is the intent of the TPE that `DNT:1` would convey a user's objection to processing in the sense of GDPR Article 21, specifically paragraph 5 concerning the "right to object by automated means using technical specifications".
 Thank you very much for any information!
 PS: Please do not read this message as indicating that the NYT will necessarily deploy DNT (or do so by the GDPR deadline); at this stage it is simply one aspect (amongst numerous others) that we are looking at.

Robin Berjon
The New York Times Company
Executive Director, Data Governance
Received on Thursday, 19 October 2017 14:51:58 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 19 October 2017 14:51:59 UTC