Agenda: Global considerations F2F meeting 11-12 Berlin

Hi Kimon,

 

A29 said browser storage to support analytics was less of a risk when the
there is a single data controller, i.e. the controller of the first party
document origin handles their own analytics, or a data processor does it for
them without having the right to use the data for their own purpose. They
also said this does not apply to joint controllers, where the data can be
used for other purposes by  another controller. So even if the cookie used
is first-party in the technical sense if the identifier  is shared with
another data controller without contracts in place to limit usage then it is
a privacy risk.

 

Mike

 

From: Kimon Zorbas [mailto:vp@iabeurope.eu] 
Sent: 06 March 2013 17:20
To: Vinay Goel (Adobe); Rigo Wenning
Cc: David Wainberg; Haakon Bratsberg; public-tracking-international@w3.org
Subject: Re: Agenda: Global considerations F2F meeting 11-12 Berlin

 

And I want to emphasise that there is disagreement among the regulators on
the interpretation of the cookies not requesting consent. The French, as an
example, do not require consent for web analytics. Others do. I refer to
this, because even Art. 29 WP states that web analytics (first party
analytics) does not pose a privacy risk.

Very messy and we need to drill down to details, as the Directive is
transposed differently across the EU/EEA.

Kind regards,
Kimon

----- Reply message -----
From: "Vinay Goel" <vigoel@adobe.com>
To: "Rigo Wenning" <rigo@w3.org>
Cc: "David Wainberg" <david@networkadvertising.org>, "Haakon Bratsberg"
<haakonfb@opera.com>, "public-tracking-international@w3.org"
<public-tracking-international@w3.org>
Subject: Agenda: Global considerations F2F meeting 11-12 Berlin
Date: Wed, Mar 6, 2013 6:10 pm

 

Hi Rigo

I agree with you that the EU law has not made distinctions between first and
third parties, although some DPAs within the member states' have given
guidance on e-privacy that do create different rules when using data in a
first vs third party setting. For example, the ICO has said that an implied
consent model may be sufficient for website analytics, whereas an implied
consent model likely isn't sufficient when using the data for cross-site
advertising. 

Adobe is not saying we're exempt from EU law. What I'm saying is that I
expect many global companies will not be able to equate honoring DNT with
ePrivacy compliance (because the law doesn't make the party distinctions
that DNT does).  Because there's that disconnect, Adobe (and I expect other
global companies) will not be able to completely switch how it processes DNT
in the EU to make it equal to ePrivacy compliance. I expect global companies
to honor the DNT signal the same way globally, and then take other steps to
fill the gap between DNT and local law. In the EU example, that means
honoring DNT as it relates to interest based cross-site advertising and then
using a window shade/some other consent mechanism for use cases covered by
law but not by DNT. 

I don't think DNT will get rid of those ugly window shades for global
companies unless the laws change. And understanding that changing the laws
is highly unlikely, I think the window shades are going to stay (for global
companies). 

I think the worst outcome for consumers is when different companies treat
DNT differently because consumers would not understand what their choice
means.  I think your goal is admirable. But, I question the practicality
when thinking about deployments. That's why I suggest we focus on what
deployments look like, in particular how both global and local-only
companies can implement DNT.

I look forward to your first session on Monday. I just want to make sure the
group remembers: a) there is not consistency across the DPAs on what is
currently required by ePrivacy; and 2) how both global and local companies
can implement DNT.  I know there's a pending regulation that will hopefully
reduce the inconsistencies across the member states; but as we know that
regulation is a moving target as to what the consent requirements will be. 

Vinay

Sent from my phone

On Mar 6, 2013, at 9:34 AM, "Rigo Wenning" <rigo@w3.org> wrote:

> Vinay, 
> 
> On Wednesday 06 March 2013 06:57:36 Vinay Goel wrote:
>> I don't think your statement "So everybody has to behave like a 3rd
>> party in DNT" is how it will play out.
> 
> If you find a legal way of having first/third party distinction in the 
> EU, I'd be interested in your argumentation. If we specify knowingly in 
> contradictions to legal imperatives, IMHO we will not achieve what my 
> goal here is.
>> 
>> I don't expect most global companies to modify its web servers,
>> analytics practices, and onsite optimization services so that it will
>> treat itself as a first party on www.company.com, www.company.ch,
>> etc., but treat itself as a third party on www.company.uk.  It will
>> not be easy for a company to programmatically treat itself as a 3rd
>> party for its EU websites; especially when the site is
>> www.company.com/uk.  For global companies that set global policies
>> and need consistent systems/approaches/privacy policies across the
>> globe, I expect them to treat the DNT signal the same regardless of
>> market; and those global companies will do whatever they need to do
>> outside of DNT for legal compliance.  
> 
> This is interesting. I did not think a company would treat parts of 
> itself as a third party. If the company is claiming "safe harbor" we are 
> back to the question whether first/third party distinction is legally 
> possible in Europe and as "safe harbour". 
>> 
>> I can't speak for other global companies, but I can speak for how
>> Adobe is considering its global compliance obligations.
> 
> If Adobe is thinking that it isn't bound by EU compliance or safe 
> harbor, Adobe will not benefit from global considerations, as this is 
> trying to make EU compliance very easy for the Web - part of data 
> processing. 
>> 
>> I still think a fair discussion at the Global Considerations workshop
>> is how companies actually plan to implement this globally.
> 
> This is my goal. I want to find a viable easy solution. My benchmark is 
> to achieve endorsement by the authorities with something that good faith 
> companies consider (rather easily) implementable. 
> 
> Of course we will first have to discuss if other people share that goal 
> or what the goal should be. I imagined the first session to do this. My 
> plan was to present something and have people reflect on it and make 
> their own suggestions. (mainly 13:30 - 15:00 on Monday)
> 
> What do you think?
> 
> --Rigo

Received on Wednesday, 6 March 2013 18:43:36 UTC