RE: [ACTION-48] Re-phrase

Thanks Rigo.  We are in agreement in rephrasing the language of the specification to remove the specific obligation of the third party to create legal enforceability by individual users and regulators via its contracts, as it lands on the practically unworkable or impossible end of the spectrum.

After thinking about the proposed  non-normative text on legal regimes in US and EU a little more, I'm reluctant to include this discussion in the specification. I don't want readers relying on a technical specification for legal advice ... and as a more practical level it is very possible (indeed probable) that there will be future changes in privacy laws that of course we cannot describe here.  (The ongoing overall of the Data Protection Regulation in the EU, and recent proposed bills for comprehensive privacy legislation in the US being two examples I can think of.) This is in no way meant to dismiss the value of this text or this discussion, just that I don't feel that it has a place in the specification.

In the context of the mailing list, I would note that in the US not only have there been private class actions for various privacy issues (including deceptive practices), but there is also existing federal and state jurisdiction for deceptive or unfair practices related to privacy.


-----Original Message-----
From: Rigo Wenning [] 
Sent: Friday, February 03, 2012 12:27 PM
To: Amy Colando (LCA)
Cc: MeMe Rasmussen; Tracking Protection Working Group WG
Subject: [ACTION-48] Re-phrase

Hi Amy and Meme, 

we wanted to provide legal text for the outsourcing scenario.

the current wording of the Specification[1] is: 
the third party makes commitments that are consistent with {the requirements 
of|adhering to} this standard in a form that is legally enforceable 
or indirectly) by the first party, individual users, and regulators; data retention by the third party must not survive the end of this legal enforceability;

What this tries to achieve is to make sure the first party benefiting from that exemption does not lightly take a third party into its privilege and to make sure the third party behaves like a "data-processor" in the EU sense. Namely that the third party does not have own rights on the data processed. Not trusting our first party, David Singer wanted to give the user/consumer an independent right against the third party to comply. 

As we realized, this would go beyond what a compliance specification could possibly prescribe as we attempted to create a right for an independent third party. This is normally reserved to laws for a certain jurisdiction. We could mimic this by obliging the first party to contract a specific clause with the third party to the benefit of the user. But this is of a contractual complexity that creates exactly the legal overkill that we want to avoid here. 

Instead, we wanted to make sure that the user/consumer and also the service understands that despite the absence of such complex contractual construct, there are legal remedies at the fingertips of the user. We wanted to have those legal remedies written down in a footnote to the section as they are only informative and not normative. 

Amy and Meme committed to provide some remedies for the US legal system. I was tasked to provide the (easier, because regulated) description for the EU environment. 

Here is my suggested text: 
For the EU, the outsourcing scenario is clearly regulated. In the current EU Directive 95/46/EC, but also in the suggested regulation reforming the data protection regime, an entity using or processing data is subject to data protection law. An entity acting as a first party and contracting services of another party is responsible for the overall processing. If the third party has own rights and privileges concerning the processing of the data collected by the first party, it isn't a data processor anymore and thus not covered by exemptions. This third party is then considered as a second data controller with all duties attached to that status. As the pretensions of users are based on law, they apply to first and third party alike unless the third party acts as a mere data processor. 

Ninja, Rob, feel free to correct if this is wrong. I tried to keep it comprehensible. 

Now Amy said, in the US, somebody mimicking being a data processor and claiming that he only processes on behalf of the first party but then taking data for own purposes would be in risk of liability for deceptive practices and could be subject to class actions (note, class actions do not exist in most civil law jurisdictions). I'm sure Amy or Meme have a better wording here. 





On Wednesday 25 January 2012 16:10:22 Amy Colando wrote:
> We are without reliable email/Internet today.
> Rigo is in agreement with the conclusion below. He wants to provide a 
> textual explanation to the group to explain the difficulty here, and 
> the reality that there are alternate protections without creating 
> third party beneficiaries. In particular, we thought we could point 
> out that there are existing protections in the EU (Rigo to draft) and 
> US (class actions or enforcement actions against original site or even 
> analytics provider based on DNT or privacy statements). I also think 
> the reality is that a fraudulent analytics company would quite likely 
> to sell data on a broad scale - in other words, breaching its 
> obligation to a single site (the scenario raised in discussions) is unlikely.
> Believe Rigo is going to write up at least EU portion.
> Sent from my Windows Phone
> ________________________________
> From: MeMe Rasmussen
> Sent: 1/25/2012 3:30 PM
> To: Amy Colando (LCA); Rigo Wenning
> Subject: RE: Outsourcing Language
> I agree.  Rigo – where was this left.  Were you going to take a stab 
> at some language and then circulate?
> MeMe
> From: Amy Colando (LCA) []
> Sent: Wednesday, January 25, 2012 2:58 AM
> To: Rigo Wenning; MeMe Rasmussen
> Subject: Outsourcing Language
> Hi Rigo and Meme,
> I wanted to start an email thread about the issue that was identified 
> in the outsourcing discussion. Namely, the current text requires a 
> first party to have a legally enforceable contract with its provider 
> so that the provider can only use data collected on first party site 
> for the benefit of the first party only. The text then goes on to say 
> that end users and regulators must also have the rights to legally 
> enforce this obligation against the provider.
> Quite frankly, I think that it would legally extremely challenging to 
> make this latter part enforceable, and I would recommend removing 
> language regarding user/regulator enforceability as unworkable.
> Sent from my Windows Phone
> ________________________________
> Confidentiality Notice: The contents of this e-mail (including any
> attachments) may be confidential to the intended recipient, and may 
> contain information that is privileged and/or exempt from disclosure 
> under applicable law. If you are not the intended recipient, please 
> immediately notify the sender and destroy the original e-mail and any 
> attachments (and any copies that may have been made) from your system 
> or otherwise. Any unauthorized use, copying, disclosure or 
> distribution of this information is strictly prohibited. <ACL>

Received on Wednesday, 8 February 2012 19:07:18 UTC