Re: Summary of First Party vs. Third Party Tests

The revised e-priv directive addresses prior consent for storing and of 
accessing information in the device. This is a technology neutral way of 
addressing the legal issues of user transparancy, or even better: the 
lack of it. The current OBA solution is opt-out and limited to the 
delivery of targeted ads only and does not prevent the collection and 
use of web tracking data across sites. DNT is most likely not going to 
solve EU compliance for it is not binary and as far as consensus reaches 
at the moment, not on by default. DNT does at the moment have three 
states, 'on', 'off' and an 'undetermined'state in which the user hasn't 
expressed his consent.

Connecting the legal principle and compliance issue of consent to Mike 
Zaneis's posting on Nov 17, 2011', I assume that IAB Europe's aspiration 
for interoperability with DNT contradicts with IAB's position:
 >>This is where there is a fundamental split amongst the parties. We 
had a discussion several weeks ago about the first party
 >>obligations and I pointed out that IAB and my member companies 
generally support the U.S. FTC position that consumers don't
 >> expect first parties to be subject to such restrictions.  Those 
positions have not changed.

Please correct me if I am wrong on this assumption.

The legal and compliance issues should be dealt with later, is my opinion.

Rob
(Speaking for himself)

On 28-11-2011 19:40, Kimon Zorbas wrote:
>
> We would appreciate if our OBA solution is interoperable with DNT -- 
> that is IAB Europe position.
>
> On legal compliance being not that relevant: I would like to see the 
> reaction of a European publishers being told, 'you have to deliver 
> legal compliance and by the way, you also have to implement DNT (i.e. 
> another solution that would require another compliance policy 
> internally).
>
> Maybe we should ask some European publishers to get some real business 
> feedback from the experts advising on compliance? Just a thought.
>
> *From:*Rob van Eijk [mailto:rob@blaeu.com]
> *Sent:* 28 November 2011 19:22
> *To:* public-tracking@w3.org
> *Subject:* Re: Summary of First Party vs. Third Party Tests
>
> Kimon, I agree with you that "we have a legal framework we can not 
> entirely ignore and DNT has to somehow take it into account." However, 
> I have to disagree on the disctinction you make: the distinction 
> between first party and third party is a technical distinction.
>
> I think it is a nice-to-have if the DNT solution from the standards 
> community solves legal problems, but it shouldn't be the main goal. I 
> argue that the main goal should be transparancy for the user by 
> offering technical means to express explicit consent.
>
> I am favouring the prcess that we let the effort reflected in e.g. the 
> cross-site discussion-thread take it's turn before taking the legal 
> aspect (issue-98) by the horns. By the way, issue-98 is a possible 
> item, that could be declared out of scope. The tracking protection 
> group doesn't do legal, as agreed in the Face 2 Face meeting in San Jose.
>
> Kind regards,
> Rob van Eijk (Speaking for himself)
>
> On 28-11-2011 17:37, Kimon Zorbas wrote:
>
> I think Jeff raises an important point: The distinction of first party 
> -- third party is really a legal distinction in relation to cookies. I 
> agree with Jeff as far as the IT world is moving very fast. But trying 
> to capture first parties is very problematic for us. There are a 
> number of subcontractors working for first parties that could appear 
> being third parties. However, in such cases, the legal obligations are 
> addressing first parties. (At least in Europe, where we use the 
> controller / processor approach -- the legal obligations lie with the 
> controller, not the processor.) Again the problem that we have a legal 
> framework we can not entirely ignore and DNT has to somehow take it 
> into account.
>
> Kind regards,
>
> Kimon
>
> *From:*Jeffrey Chester [mailto:jeff@democraticmedia.org]
> *Sent:* 28 November 2011 16:25
> *To:* public-tracking@w3.org <mailto:public-tracking@w3.org>>
> *Subject:* Re: Summary of First Party vs. Third Party Tests
>
> Privacy policymakers in the EU and US are examining the implications 
> of the ad exchange process, where first parties incorporate a broad 
> range of third party data in real-time.  The distinctions between 
> first and third parties have dramatically eroded as a result of 
> real-time bidding, in my opinion.  Consequently, first party providers 
> must be obligated under a DNT system to respect the wishes of users 
> regarding the use of incorporated third party data sets.  We will be 
> following up on this point with a submission on the draft comments.
>
> Jeffrey Chester
>
> Center for Digital Democracy
>
> 1621 Connecticut Ave, NW, Suite 550
>
> Washington, DC 20009
>
> www.democraticmedia.org <http://www.democraticmedia.org>
>
> On Nov 27, 2011, at 10:14 AM, Rob van Eijk wrote:
>
>
>
>
> Just to make sure, I want to repeat that a technical definition of 1st 
> and 3rd party is not necessarily the same as a legal definition nor is 
> it a definition that resembles what a user perceives to be 
> intended/not intended interaction.
>
> A legal definition is connected to the use of data. In the context of 
> OBA it is connected with the use of data across sites. The use of data 
> across sites is in many cases not transparent at all to the user.
>
> Just quoting a sentence will likely distort the true meaning of the 
> passage in WP171.
> The full quote of the relevant paragraphs is therefor:
>
> "As recently pointed out by the Article 29 Working Party28, whether a 
> publisher can be
> deemed to be a joint controller with the ad network provider will 
> depend on the conditions of
> collaboration between the publisher and the ad network provider. In 
> this context, the Article
> 29 Working Party notes that in a typical scenario where ad network 
> providers serve tailored
> advertising, publishers contribute to it by setting up their web sites 
> in such a way that when a
> user visits a publisher's web site, his/her browser is automatically 
> redirected to the webpage
> of the ad network provider. In doing so, the user's browser will 
> transmit his/her IP address to
> the ad network provider which will proceed to send the cookie and 
> tailored advertising. In
> this scenario, it is important to note that publishers do not transfer 
> the IP address of the visitor
> to the ad network provider. Instead, it is the visitor's browser that 
> automatically transfers such
> information to the ad network provider. However, this only happens 
> because the publisher has
> set up its web site in such a way that the visitor to its own web site 
> is automatically redirected
> to the ad network provider web site. In other words, the publisher 
> triggers the
> transfer of the IP address, which is the first necessary step that 
> will allow the subsequent
> processing, carried out by the ad network provider for the purposes of 
> serving tailored
> advertising. Thus, even if, technically the data transfer of the IP 
> address is carried out by the
> browser of the individual who visits the publisher web site, it is not 
> the individual who
> triggers the transfer. The individual only intended to visit the 
> publisher's web site. He did
> not intend to visit the ad network provider's web site. Currently this 
> is a common scenario.
>
> Taking this into account, the Article 29 Working Party considers that 
> publishers have a
> certain responsibility for the data processing, which derives from the 
> national implementation
> of Directive 95/46 and/or other national legislation29. This 
> responsibility does not cover all
> the processing activities necessary to serve behavioural advertising, 
> for example, the
> processing carried out by the ad network provider consisting of 
> building profiles which are
> then used to serve tailored advertising. However, the publishers' 
> responsibility covers the first
> stage, i.e. the initial part of the data processing, namely the 
> transfer of the IP address that
> takes place when individuals visit their web sites. This is because 
> the publishers facilitate
> such transfer and co-determine the purposes for which it is carried 
> out, i.e. to serve visitors
> with tailored adverting. In sum, for these reasons, publishers will 
> have some responsibility as
> data controllers for these actions. This responsibility cannot, 
> however, require compliance
> with the bulk of the obligations contained in the Directives."
>
> Kind regards,
> Rob (speaking for himself)
>
> On 7-11-2011 11:46, Kimon Zorbas wrote:
>
> Dear all,
>
> as requested by Rigo, I wanted to shed some light on the distinction 
> between 1st and 3rd party in Europe. In a nutshell, there is a 
> distinction, maybe not as clear as in the USA but nuanced enough to 
> justify the approach proposed by colleagues on differentiating the 
> scenarios.
>
> The answer to the question depends primarily on the definition of 
> tracking for each case. (As I explained earlier, the tracking concept 
> does not fit the European legal data protection tradition & legal 
> framework). To simplify things, below explanation assumes tracking 
> refers to cookie use, as this use is what has gained (politically) 
> traction and what can already be managed at browser level, 
> irrespective of UI questions.
>
> It's important to keep in mind, that data protection law is not 
> harmonised in the EU and different countries have transposed European 
> directives differently and interpretations vary sometimes 
> significantly. At EU level, there's no agreed view that gives one 
> response. The closest to a European uniform view/approach is Article 
> 29 Working Party. However, that group is just an advisory body, its 
> opinions are not legally binding and it tends often to take the 
> strictest positions / interpretations on data protection. I say this 
> as arguing along those opinions puts you on the safe side.
>
> Art. 5.3 of the revised E-Privacy directive does not differentiate 
> between 1^st and 3^rd parties but sets out special provisions for 1^st 
> parties for the storing data on a user's device that are necessary for 
> technical purposes or services specifically requested by a user. I 
> quote the respective provision that excludes from the consent 
> provision the following scenarios (that are interpreted differently at 
> national level):
>
> "This [EXCEPTION FROM CONSENT REQUIREMENT] shall not prevent any 
> technical storage or access for the sole purpose of carrying out the 
> transmission of a communication over an electronic communications 
> network, or as strictly necessary in order for the provider of an 
> information society service explicitly requested by the subscriber or 
> user to provide the service."
>
> In general, those exceptions apply to services for which the first 
> party is responsible, as e.g. is the case with web analytics 
> (following here CNIL's position, the French data protection authority).
>
> The general data protection directive (95/46/EC) makes a distinction 
> between controller and processor. While there is a question if and 
> when that directive applies to storing technologies - e.g. cookies- 
> (as the E-Privacy directive is lex specialis), let's argue with the 
> stricter view & assuming the applicability. In this case, one would 
> need to understand who is controller and who is processor in 3^rd 
> party scenarios.
>
> Even Article 29 WP acknowledges different responsibilities in its 
> opinion paper WP171, 00909/10/EN, 2/2010 (that relate to the concepts 
> of data controller and processor), arguing that meeting the legal 
> requirements in the case of OBA (notice & consent) are primarily the 
> third party's responsibility. That clearly builds on a disctinction 
> between 1^st and 3^rd parties:
>
> "In sum, for these reasons, publishers will have some responsibility 
> as data controllers for these actions. This responsibility cannot, 
> however, require compliance with the bulk of the obligations contained 
> in the Directives."
>
> I hope that helps with the distinction between 1^st and 3^rd parties 
> in Europe. If you have any questions on this, please let me know.
>
> As disclaimer, I would like to add that I do not necessarily share the 
> views expressed above, but I try to argue with the strictest possible 
> view to demonstrate that authorities make a nuanced distinction 
> between first and third parties.
>
> Kind regards,
>
> Kimon
>
> Kimon Zorbas
>
> Vice President IAB Europe
>
> IAB Europe - The Egg -- Rue Barastraat 175 -- 1070 Brussels - Belgium
>
> Phone +32 (0)2 5265 568
>
> Mob +32 494 34 91 68
>
> Fax +32 2 526 55 60
>
> vp@iabeurope.eu <mailto:vp@iabeurope.eu>
>
> Twitter: @kimon_zorbas
>
> www.iabeurope.eu <http://www.iabeurope.eu/>
>
> IAB Europe supports the .eu domain name www.eurid.eu 
> <http://www.eurid.eu/>
>
> IAB Europe is supported by:
>
> Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, 
> Finland, France, Germany, Greece, Hungary, Ireland, Italy, Luxembourg, 
> Netherlands, Norway, Poland, Portugal, Romania, Russia, Serbia, 
> Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, Ukraine and 
> United Kingdom representing their 5.000 members. The IAB network 
> represents over 90% of European digital revenues and is acting as 
> voice for the industry at National and European level.
>
> IAB Europe is powered by:
>
> Adconion Media Group, Adobe, ADTECH, Alcatel-Lucent, AOL Advertising 
> Europe, AudienceScience, BBC, CNN, comScore Europe, CPX Interactive, 
> Criteo, eBay International Advertising, Ernst & Young, Expedia Inc, 
> Fox Interactive Media, Gemius, Goldbach Media Group, Google, GroupM, 
> Hi-media, InSites Consulting, Koan, Microsoft Europe, Millward Brown, 
> MTV Networks International, Netlog, News Corporation, nugg.ad, Nielsen 
> Online, Orange Advertising Network, Prisa, Publicitas Europe, Sanoma 
> Digital, Selligent, Specific Media, The Walt Disney Company, 
> Tradedoubler, Truvo, United Internet Media, ValueClick, White & 
> Case, Yahoo! and zanox.
>
> IAB Europe is associated with:
>
> Advance International Media, Banner, Emediate, NextPerformance, OMD, 
> Right Media and Turn Europe
>
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org]
> Sent: 04 November 2011 00:46
> To: Kimon Zorbas
> Cc: Amy Colando (LCA); Shane Wiley (yahoo); David Wainberg; 
> public-tracking@w3.org <mailto:public-tracking@w3.org>; Jonathan Mayer
> Subject: Re: Summary of First Party vs. Third Party Tests
>
> Kimon,
>
> could you expand on the distinction between 1st & 3rd parties by 
> European regulators? This was one of the reasons why I argued against 
> the distinction.
>
> (to better align and make DNT usable in the EU context) So I'm really 
> curious here as this may be a game changer.
>
> All,
>
> there is the legal issue, but also the technical issue to transport 
> the information on who is a first and who is a third party to the 
> user. The well- known-location would have to reflect which parties 
> have a legal relationship to the owner of the requested URI/domain and 
> what that legal relation is. As things can get complex (Kai Scheppe 
> from Dt. Telekom talked about 250
>
> contributors) there is an issue of boundaries here that we have to 
> solve if we distinguish.
>
> Best,
>
> Rigo
>
> On Thursday 03 November 2011 22:15:09 Kimon Zorbas wrote:
>
> > Fully support Amy & Shane - common sense applies and also reflects
>
> > what even European regulators express on distinction between 1st & 3rd
>
> > parties. Works for us too.
>
> >
>