
Re: Mapping DNT to GDPR

From: Peter Cranstone <peter.cranstone@3phealth.com>
Date: Mon, 23 Oct 2017 14:32:58 +0000
To: public-tracking-comments w3.org <public-tracking-comments@w3.org>
Message-ID: <41559BDF-710E-4DCC-8332-945F50E47265@3phealth.com>
Some very important reading for privacy folks…

The official e-privacy draft document showing the original Commission draft alongside the agreed Parliament amendments: <http://www.europarl.europa.eu/sed/doc/news/flash/20215/A8-0324_2017_EN.docx>

I would suggest doing a search for the word ‘consent’ and then reading the latest amendments. The one on page 26 is particularly revealing. I’ve copied it into this email below and left the formatting intact from the original document, only highlighting words in red to draw your attention to them.

(23) The principles of data protection by design and by default are codified under Article 25 of Regulation (EU) 2016/679. Currently, the default settings for cookies are set in most current browsers to ‘accept all cookies’. Therefore providers of software permitting electronic communications (such as browsers, operating systems and communication apps), irrespective of whether the software is obtained separately or bundled with hardware, shall configure the software so that privacy is protected, the cross-domain tracking and the storing of information on the terminal equipment by third parties is prohibited by default. In addition, providers of such software are required to offer sufficiently granular options to consent to each distinct category of purposes. These distinct categories include, at least, the following categories: (i) tracking for commercial purposes or for direct marketing for non-commercial purposes (behavioural advertising); (ii) tracking for personalised content; (iii) tracking for analytical purposes; (iv) tracking of location data; (v) providing personal data to third parties (including providing unique identifiers to match with personal data held by third parties) No consent is required for information that is collected from end-users’ terminal equipment when it is strictly necessary for providing an information society service requested by the end-user, for example in order to adapt the screen size to the device, or to remember items in a shopping basket. Web browsers, operating systems and communication apps should allow the end-user to consent to cookies or other information that is stored on, or read from terminal equipment (including the browser on that equipment) by a specific website or originator even when the general settings prevent the interference and vice versa. With regard to a specific party, web browsers and communication apps should also allow users to separately consent to internet-wide tracking.
Privacy settings should also include options to allow the user to decide for example, whether multimedia players, interactive programming language viewers, or similar software can be executed, if a website can collect geo-location data from the user, or if it can access specific hardware such as a webcam or microphone. Such privacy settings should be presented in an easily visible and intelligible manner, and at the moment of installation or first use, users should be informed about the possibility to change the default privacy settings among the various options. Information provided should not dissuade users from selecting higher privacy settings and should include relevant information about the risks associated to allowing cross-domain trackers, including the compilation of long-term records of individuals’ browsing histories and the use of such records to send targeted advertising or sharing with more third parties. Software manufacturers should be required to provide easy ways for users to change the privacy settings at any time during use and to allow the user to make exceptions for or to specify for such services websites trackers and cookies are always or never allowed.

DNT is going to need extensions and a UGE database with a UI to be even remotely viable as a privacy protocol for the Internet. And we haven’t even discussed revocation of consent yet, which is also going to be legally binding, like consent.


Peter Cranstone
CEO, 3PHealth

Mobile/Signal: +1 303-809-7342 UTC -6hrs
Skype: cranstone
Website | www.3phealth.com (Healthcare Patient Engagement and Data Interoperability)
Website | www.3pmobile.com (Privacy by Design Platform for GDPR and ePrivacy reg.)


Received on Monday, 23 October 2017 14:33:28 UTC
