RE: Summary of First Party vs. Third Party Tests

We would appreciate it if our OBA solution is interoperable with DNT - that is IAB Europe's position.
On legal compliance being not that relevant: I would like to see the reaction of a European publisher being told, 'you have to deliver legal compliance and by the way, you also have to implement DNT' (i.e. another solution that would require another compliance policy internally).
Maybe we should ask some European publishers to get some real business feedback from the experts advising on compliance? Just a thought.

From: Rob van Eijk [mailto:rob@blaeu.com]
Sent: 28 November 2011 19:22
To: public-tracking@w3.org
Subject: Re: Summary of First Party vs. Third Party Tests

Kimon, I agree with you that "we have a legal framework we can not entirely ignore and DNT has to somehow take it into account." However, I have to disagree on the distinction you make: the distinction between first party and third party is a technical distinction.

I think it is a nice-to-have if the DNT solution from the standards community solves legal problems, but it shouldn't be the main goal. I argue that the main goal should be transparency for the user by offering technical means to express explicit consent.

I am favouring the process that we let the effort reflected in e.g. the cross-site discussion-thread take its turn before taking the legal aspect (issue-98) by the horns. By the way, issue-98 is a possible item, that could be declared out of scope. The tracking protection group doesn't do legal, as agreed in the Face 2 Face meeting in San Jose.

Kind regards,
Rob van Eijk (Speaking for himself)

On 28-11-2011 17:37, Kimon Zorbas wrote:
I think Jeff raises an important point: The distinction of first party - third party is really a legal distinction in relation to cookies. I agree with Jeff as far as the IT world is moving very fast. But trying to capture first parties is very problematic for us. There are a number of subcontractors working for first parties that could appear being third parties. However, in such cases, the legal obligations are addressing first parties. (At least in Europe, where we use the controller / processor approach - the legal obligations lie with the controller, not the processor.) Again the problem that we have a legal framework we can not entirely ignore and DNT has to somehow take it into account.

Kind regards,
Kimon


From: Jeffrey Chester [mailto:jeff@democraticmedia.org]
Sent: 28 November 2011 16:25
To: public-tracking@w3.org
Subject: Re: Summary of First Party vs. Third Party Tests

Privacy policymakers in the EU and US are examining the implications of the ad exchange process, where first parties incorporate a broad range of third party data in real-time.  The distinctions between first and third parties have dramatically eroded as a result of real-time bidding, in my opinion.  Consequently, first party providers must be obligated under a DNT system to respect the wishes of users regarding the use of incorporated third party data sets.  We will be following up on this point with a submission on the draft comments.


Jeffrey Chester
Center for Digital Democracy
1621 Connecticut Ave, NW, Suite 550
Washington, DC 20009
www.democraticmedia.org

On Nov 27, 2011, at 10:14 AM, Rob van Eijk wrote:



Just to make sure, I want to repeat that a technical definition of 1st and 3rd party is not necessarily the same as a legal definition nor is it a definition that resembles what a user perceives to be intended/not intended interaction.

A legal definition is connected to the use of data. In the context of OBA it is connected with the use of data across sites. The use of data across sites is in many cases not transparent at all to the user.

Just quoting a sentence will likely distort the true meaning of the passage in WP171.
The full quote of the relevant paragraphs is therefore:

"As recently pointed out by the Article 29 Working Party, whether a publisher can be
deemed to be a joint controller with the ad network provider will depend on the conditions of
collaboration between the publisher and the ad network provider. In this context, the Article
29 Working Party notes that in a typical scenario where ad network providers serve tailored
advertising, publishers contribute to it by setting up their web sites in such a way that when a
user visits a publisher's web site, his/her browser is automatically redirected to the webpage
of the ad network provider. In doing so, the user's browser will transmit his/her IP address to
the ad network provider which will proceed to send the cookie and tailored advertising. In
this scenario, it is important to note that publishers do not transfer the IP address of the visitor
to the ad network provider. Instead, it is the visitor's browser that automatically transfers such
information to the ad network provider. However, this only happens because the publisher has
set up its web site in such a way that the visitor to its own web site is automatically redirected
to the ad network provider web site. In other words, the publisher triggers the
transfer of the IP address, which is the first necessary step that will allow the subsequent
processing, carried out by the ad network provider for the purposes of serving tailored
advertising. Thus, even if, technically the data transfer of the IP address is carried out by the
browser of the individual who visits the publisher web site, it is not the individual who
triggers the transfer. The individual only intended to visit the publisher's web site. He did
not intend to visit the ad network provider's web site. Currently this is a common scenario.

Taking this into account, the Article 29 Working Party considers that publishers have a
certain responsibility for the data processing, which derives from the national implementation
of Directive 95/46 and/or other national legislation. This responsibility does not cover all
the processing activities necessary to serve behavioural advertising, for example, the
processing carried out by the ad network provider consisting of building profiles which are
then used to serve tailored advertising. However, the publishers' responsibility covers the first
stage, i.e. the initial part of the data processing, namely the transfer of the IP address that
takes place when individuals visit their web sites. This is because the publishers facilitate
such transfer and co-determine the purposes for which it is carried out, i.e. to serve visitors
with tailored adverting. In sum, for these reasons, publishers will have some responsibility as
data controllers for these actions. This responsibility cannot, however, require compliance
with the bulk of the obligations contained in the Directives."

Kind regards,
Rob (speaking for himself)

On 7-11-2011 11:46, Kimon Zorbas wrote:

Dear all,



as requested by Rigo, I wanted to shed some light on the distinction between 1st and 3rd party in Europe. In a nutshell, there is a distinction, maybe not as clear as in the USA but nuanced enough to justify the approach proposed by colleagues on differentiating the scenarios.



The answer to the question depends primarily on the definition of tracking for each case. (As I explained earlier, the tracking concept does not fit the European legal data protection tradition & legal framework). To simplify things, below explanation assumes tracking refers to cookie use, as this use is what has gained (politically) traction and what can already be managed at browser level, irrespective of UI questions.



It's important to keep in mind, that data protection law is not harmonised in the EU and different countries have transposed European directives differently and interpretations vary sometimes significantly. At EU level, there's no agreed view that gives one response. The closest to a European uniform view/approach is Article 29 Working Party. However, that group is just an advisory body, its opinions are not legally binding and it tends often to take the strictest positions / interpretations on data protection. I say this as arguing along those opinions puts you on the safe side.



Art. 5.3 of the revised E-Privacy directive does not differentiate between 1st and 3rd parties but sets out special provisions for 1st parties for storing data on a user's device that are necessary for technical purposes or services specifically requested by a user. I quote the respective provision that excludes from the consent provision the following scenarios (that are interpreted differently at national level):
"This [EXCEPTION FROM CONSENT REQUIREMENT] shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

In general, those exceptions apply to services for which the first party is responsible, as e.g. is the case with web analytics (following here CNIL's position, the French data protection authority).



The general data protection directive (95/46/EC) makes a distinction between controller and processor. While there is a question if and when that directive applies to storing technologies - e.g. cookies- (as the E-Privacy directive is lex specialis), let's argue with the stricter view & assuming the applicability. In this case, one would need to understand who is controller and who is processor in 3rd party scenarios.



Even Article 29 WP acknowledges different responsibilities in its opinion paper WP171, 00909/10/EN, 2/2010 (that relate to the concepts of data controller and processor), arguing that meeting the legal requirements in the case of OBA (notice & consent) is primarily the third party's responsibility. That clearly builds on a distinction between 1st and 3rd parties:

"In sum, for these reasons, publishers will have some responsibility as data controllers for these actions. This responsibility cannot, however, require compliance with the bulk of the obligations contained in the Directives."



I hope that helps with the distinction between 1st and 3rd parties in Europe. If you have any questions on this, please let me know.



As disclaimer, I would like to add that I do not necessarily share the views expressed above, but I try to argue with the strictest possible view to demonstrate that authorities make a nuanced distinction between first and third parties.



Kind regards,
Kimon

Kimon Zorbas
Vice President IAB Europe

IAB Europe - The Egg - Rue Barastraat 175 - 1070 Brussels - Belgium
Phone +32 (0)2 5265 568
Mob +32 494 34 91 68
Fax +32 2 526 55 60
vp@iabeurope.eu
Twitter: @kimon_zorbas

www.iabeurope.eu










-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org]
Sent: 04 November 2011 00:46
To: Kimon Zorbas
Cc: Amy Colando (LCA); Shane Wiley (yahoo); David Wainberg; public-tracking@w3.org; Jonathan Mayer
Subject: Re: Summary of First Party vs. Third Party Tests



Kimon,



could you expand on the distinction between 1st & 3rd parties by European regulators? This was one of the reasons why I argued against the distinction (to better align and make DNT usable in the EU context). So I'm really curious here as this may be a game changer.



All,



there is the legal issue, but also the technical issue to transport the information on who is a first and who is a third party to the user. The well-known-location would have to reflect which parties have a legal relationship to the owner of the requested URI/domain and what that legal relation is. As things can get complex (Kai Scheppe from Dt. Telekom talked about 250 contributors) there is an issue of boundaries here that we have to solve if we distinguish.



Best,



Rigo



On Thursday 03 November 2011 22:15:09 Kimon Zorbas wrote:

> Fully support Amy & Shane - common sense applies and also reflects
> what even European regulators express on distinction between 1st & 3rd
> parties. Works for us too.

Received on Monday, 28 November 2011 18:41:13 UTC