- From: Rigo Wenning <rigo@w3.org>
- Date: Thu, 07 Mar 2013 12:06:56 +0100
- To: Vinay Goel <vigoel@adobe.com>
- Cc: David Wainberg <david@networkadvertising.org>, Haakon Bratsberg <haakonfb@opera.com>, "public-tracking-international@w3.org" <public-tracking-international@w3.org>
Vinay,

our exchange is excellent to prepare the meeting. It helps me to shape my introduction on Monday. It also helps to address central issues.

On Wednesday 06 March 2013 16:26:19 Vinay Goel wrote:
> I'll try explaining my stance again, but I'm afraid I'm not being
> clear enough. Here is where I see the disconnect. You write "There is
> a provision in the regulation that allows DNT to be the thing that
> allows for consent without window shades."
>

This is one option. I think DPAs will ack DNT beforehand. Thus creating a real stable framework the industry needs to prosper.

> My understanding is that the amendments to the proposed regulation
> allows for a data protection board to determine whether commonly
> accepted standards meet compliance with the law.

Yes, but not only. Once the board has said "yes", the Commission can issue a delegated act that binds _all_ executive instances of the European Union (even the Irish).

>
> Do you expect the data protection board to approve DNT as currently
> drafted (which creates a distinction between first and third party
> use)?

No. I expect them to approve DNT in a flavor where first parties react on a DNT:1 and on a DNT:0 header. Global considerations will discuss how to enter this into the Specification without forcing the US market to give up the distinction between first and third parties.

>
> I don't. Because I don't, I struggle to see how DNT (as currently
> being discussed in the WG) will get rid of the window shades.

Because the browser setting (sending DNT:0) will allow you to determine that you don't need a window shade. And DNT:1 will tell you what you can still do or collect and how to turn it into a DNT:0 in case you need more data. It allows a user to control data collection on your site (if you offer that control). It is a tool. You can prefer window shades as a tool with unreliable cookies and unreliable DPA reaction. Or you can try to get window shades accepted by the data protection board.
>
> If the data protection board says that DNT could meet legal compliance
> but only if all websites respond to the DNT header as though they are
> a third party, then I'm saying that global companies will likely say
> 'thanks, but then I'll just stick to my window shade because I can't
> change my website to treat myself as a third party'.

It assumes that window shades are and remain accepted (see below). I understand that. This is clearly an option. But IMHO it is a bad option as it ruins web site design and is not future proof. This may be an interesting compliance regime for the very moment, but I do not believe that window shades pointing to 22 pages of legalese will help you for a long time. Nobody wants them anyway and we can do better. Window shades were done because nobody knew what to do with Article 5.3 of the ePrivacy Directive. Many people have moved on from there.

So while understanding your position I try to give a sense to our undertaking. I hold against with the aspect of "implementation how to" of DNT in Europe. As Kimon said: Some will accept your window shades, others won't. DNT will remedy this. It will be an implementation recipe that will be accepted throughout Europe. It is your platform to figure out what to do with outreach measurement and site analytics with those knowing technically what it means. It will give you the occasion to implement once for Europe and Safe Harbour and play everywhere.

>
> I hope that explains my worry better. I'm afraid that the data
> protection board won't 'approve' DNT in a way that makes it practical
> for global companies.

And I just think that window shades are not future proof as a way out, especially not for safe harbour companies. I try to show a way of having easy compliance that is easily implementable because it has all the permitted uses and concrete steps. Doing DNT should give you a safe area, but will not preclude individual negotiations with DPAs. It will be a tool in your toolbox.

Note that there is pending litigation before the European Court of Justice where Spain wants to know if Google is right in pretending the application of Californian law in its relation to EU consumers. There is also an appeal pending where ULD wants to know whether Facebook is only under Irish law. The latter will go away with the regulation.

>
> What am I missing here? What do you see the board approving? Sorry
> if I'm missing something obvious or am being dense. But, I'm
> struggling to see DNT being enough to satisfy all EU regulators'
> desires without it requiring websites to fundamentally change how it
> handles (defines) DNT for EU websites. Once we require a different
> DNT implementation for websites for the EU, I believe implementing
> window shades is easier/cheaper than creating different processes for
> DNT.

Summarizing: It is crystal clear that nobody in the EU will accept a first/third party distinction. With window shades you make promises and claim consent. I doubt this will be accepted in the long run. It is a bureaucratic solution to a problem that is seen as being just bureaucratic. It will neither help users nor industry. Window shades should be an ephemeral phenomenon because Art 5.3 was not really implementable as it wasn't done with scale in mind. Window shades don't scale either. Neither politically nor technically. The alternative is a DNT that gives industry a stable, scalable and technically savvy environment and users some control over their data. The difference becomes even clearer if you go into the stack of pseudonymous data.

--Rigo

Received on Thursday, 7 March 2013 11:09:06 UTC