Re: Agenda: Global considerations F2F meeting 11-12 Berlin

Hi Rigo,

Perhaps I'm missing something here, but unless we change what a website can no longer do when it receives DNT:1 (i.e. first party analytics and/or first party customization), isn't DNT only part of the solution to handle the restrictions of the ePrivacy Directive? I don't understand how DNT removes the entire need for websites to do window shades/other consent mechanisms for the use of cookies. I think we should discuss in the Berlin workshop what compliance looks like for websites, and whether DNT is enough to comply with the ePrivacy Directive.

Am I missing an interpretation/analysis that DNT (as currently drafted to not restrict 1st party analytics/customization) could equal compliance with the ePrivacy directive?

-Vinay


On Mar 5, 2013, at 1:38 AM, Rigo Wenning <rigo@w3.org> wrote:

> David, 
> 
> sorry for the late answer. This was buried in a flood of other email. 
> 
> On Tuesday 26 February 2013 20:46:47 David Wainberg wrote:
>>> in a regulated market like in France, there is a general prohibition
>>> of processing personal data unless you have a legal justification.
>>> In the absence of a DNT signal, you have certain restrictions.
>>> Receiving DNT:1 just reinforces those restrictions. The
>>> restrictions may go even beyond what DNT:1 says, as local law will
>>> prevail.
>> 
>> What do you mean that it reinforces the restrictions?
> 
> DNT:1 can do 2 things in Europe: 
> 
> 1/ the definition and restrictions can be accepted as a way to implement 
> the ePrivacy Directive on the Web. (that's our plan)
> 
> 2/ Receiving DNT:1 may contradict an assumed implied consent. (that's 
> what Commissioner Kroes said: "if you receive DNT:1 in the 
> EU, that isn't completely meaningless")
>> 
>>> So if DNT:0 means the absence of DNT:1, sending DNT:0 has no meaning
>>> and thus the legal restrictions remain in place. So whether you are
>>> sending DNT:1 or DNT:0, you will always be in the mode with
>>> restrictions.
>> So you're saying DNT:1 is pointless in the EU, so DNT:0 is an entirely
>> new, EU-specific policy with semantics independent of the TCS we've
>> been working on?
> 
> Not pointless. DNT is only positive in Europe as it allows feasible 
> solutions for the restrictions of the ePrivacy Directive (and 
> the regulation). So neither DNT:1 nor DNT:0 is pointless. But "absence 
> of DNT:1" won't give you the needed consent. 
>> 
>>> If we define DNT:0 as "you can collect whatever you feel like" there
>>> is another legal limitation kicking in. This is like going into a
>>> shop and saying: "I buy". The sales person will ask "buy what?" And
>>> you'll stubbornly keep on saying "I buy". The "I buy" simply has no
>>> object.
>> Sorry for being thick, but I'm still not getting it. With the
>> exceptions API that will generate DNT:0 signals, isn't it up to the
>> company to specify the scope of the consent?
> 
> DNT scopes your consent: sending DNT:0 or DNT:1 with a certain 
> request scopes the consent to that request. Current window shades in the UK just 
> say: If you continue, you agree to whatever we have written down in the 
> 22 pages of legalese over there. The weak point here is that this is like 
> shrink wrap licenses, which do not work in the EU (except the UK) because the 
> object is not determined enough to be part of an agreement. You can't 
> agree to things that you don't know (shrink wrap). You can't agree to 
> unbounded data collection. In data protection, this is hooked on the 
> term "informed" consent. DNT solves that issue as the concrete DNT 
> header scopes to a concrete request, and the sending of DNT is 
> determined by user preferences. This is sufficient to give informed 
> consent IMHO (subject to further discussion with the DPAs in global 
> considerations). 
> 
> Does that help?
> 
> --Rigo
> 

Received on Tuesday, 5 March 2013 16:47:31 UTC