- From: Rigo Wenning <rigo@w3.org>
- Date: Tue, 05 Mar 2013 09:38:16 +0100
- To: David Wainberg <david@networkadvertising.org>
- Cc: Haakon Bratsberg <haakonfb@opera.com>, public-tracking-international@w3.org
David,

sorry for the late answer. This was buried in a flood of other email.

On Tuesday 26 February 2013 20:46:47 David Wainberg wrote:
> > in a regulated market like in France, there is a general prohibition
> > of processing personal data unless you have a legal justification.
> > In the absence of a DNT signal, you have certain restrictions.
> > Receiving DNT:1 just reinforces those restrictions. The
> > restrictions may go even beyond what DNT:1 says, as local law will
> > prevail.
>
> What do you mean that it reinforces the restrictions?

DNT:1 can do 2 things in Europe:

1/ the definition and restrictions can be accepted as a how to implement the ePrivacy Directive on the Web. (that's our plan)

2/ Receiving DNT:1 may contradict an assumed implied consent. (that's what Commissioner Kroes said when she said: "if you receive DNT:1 in the EU, that isn't completely meaningless")

>
> > So if DNT:0 means the absence of DNT:1, sending DNT:0 has no meaning
> > and thus the legal restrictions remain in place. So whether you are
> > sending DNT:1 or DNT:0, you will always be in the mode with
> > restrictions.
> So you're saying DNT:1 is pointless in the EU, so DNT:0 is an entirely
> new, EU-specific policy with semantics independent of the TCS we've
> been working on?

Not pointless. DNT is only positive in Europe as it allows to have feasible solutions for the restrictions of the ePrivacy Directive (and the regulation).

So neither DNT:1 nor DNT:0 are pointless. But "absence of DNT:1" won't give you the needed consent.

>
> > If we define DNT:0 as "you can collect whatever you feel like" there
> > is another legal limitation kicking in. This is like going into a
> > shop and saying: "I buy". The sales person will ask "buy what"? And
> > you'll stubbornly keep on saying "I buy". The "I buy" simply has no
> > object.
> Sorry for being thick, but I'm still not getting it. With the
> exceptions API that will generate DNT:0 signals, isn't it up to the
> company to specify the scope of the consent?

DNT is scoping your consent as sending DNT:0 or DNT:1 with a certain request scopes to this request. Current window shades in the UK just say: If you continue, you agree to whatever we have written down in the 22 pages of legalese over there. The weak point here is that it is like shrink wrap licenses that do not work in the EU (except UK) because the object is not determined enough to be part of an agreement. You can't agree to things that you don't know. (shrink wrap). You can't agree to unbounded data collection. In data protection, this is hooked on the term "informed" consent.

DNT solves that issue as the concrete DNT header scopes to a concrete request. And the sending of DNT is determined by user preferences. This is sufficient to give informed consent IMHO (subject to further discussion with the DPAs in global considerations).

Does that help?

--Rigo
Received on Tuesday, 5 March 2013 08:38:51 UTC