Re: issues 23 and 34, happy new year's initial text for all...

With the caveat that I'm certainly no expert on EU data protection law: I believe David's text may go a bit further than the "data processor" limitations by requiring a greater set of legal and technical precautions.

Jonathan

On Jan 9, 2012, at 12:14 PM, Haakon Bratsberg wrote:

> 
> On Jan 9, 2012, at 5:59 PM, Rigo Wenning wrote:
> 
>> David, 
>> 
>> I like your suggestion. We should ask Rob about it as I think the restrictions 
>> even match the definition of a data processor under the EU Directive, thus 
>> giving the entire responsibility to the first party (data controller in EU 
>> talk)
> 
> I agree that the restrictions are close to the definition of "processor" in EU privacy law. 
> 
> Section 2 e) of Directive 95/46/EC reads: 
> 
>> "'processor' shall mean a natural or legal person, public authority, agency or any
>> other body which processes personal data on behalf of the controller;"
> 
>     <http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML>
> 
> David's text reflects the limitations on the processor's ability to process the data that follow from EU privacy law. 
> 
> Haakon
> 
> 
>> 
>> Can we resolve?
>> 
>> Rigo 
>> 
>> On Tuesday 03 January 2012 15:18:30 David Singer wrote:
>>> Issue number: 23
>>> 
>>> Issue name: Possible exemption for analytics
>>> Suggested retitle: Possible exemption for outsourcing
>>> 
>>> Issue URL:
>>> http://www.w3.org/2011/tracking-protection/track/issues/23
>>> 
>>> Section number in the FPWD: 3.4 Types of Tracking
>>> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
>>> 
>>> Specification:
>>> A third-party site may operate as a first-party site if all the following
>>> conditions hold: the data collection, retention, and use, complies with at
>>> least the requirements for first-parties; the data collected is available
>>> only to the first party, and the third party has no independent right to
>>> use the data; the third party makes commitments to adhere to this standard
>>> in a form that is legally enforceable (directly or indirectly) by the first
>>> party, individual users, and regulators; data retention by the third party
>>> must not survive the end of this legal enforceability; the third party
>>> undertakes reasonable technical precautions to prevent collecting data that
>>> could be correlated across first parties.
>>> 
>>> Non-normative Discussion:
>>> The rationale for rule (2) is that we allow the third party to stand in the
>>> first party’s shoes – but go no further.  The third party may not use the
>>> data it collects for “product improvement,” “aggregate analytics,” or any
>>> other purpose except to fulfill a request by a first party, where the
>>> results are shared only with the first party.
>>> 
>>> Rule (3) allows for the possibility of more than one level of outsourcing.
>>> 
>>> In rule (4), one component of reasonable technical precautions will often be
>>> using the same-origin policy to segregate information for each first-party
>>> customer.
>>> 
>>> Note that any data collected by the third party that is used, or may be
>>> used, in any way by any party other than the first party, is subject to the
>>> requirements for third parties.
>>> 
>>> Example:
>>> ExampleAnalytics collects analytic data for ExampleProducts Inc. It
>>> operates a site under the DNS analytics.exampleproducts.com. It collects
>>> and analyzes data on visits to ExampleProducts, and provides that data
>>> solely to ExampleProducts, and does not access or use it itself.
>>> 
>>> Text that possibly belongs in other sections:
>>> When the third party sends a response header, that header must indicate
>>> that they are a third party and that they are operating under this
>>> exception. Note that a third party that operates under a domain name or
>>> other arrangement that makes it appear to the user as if they are the first
>>> party, or a part or affiliate of the first party, is nonetheless a third
>>> party and is subject to the requirements of this clause ("DNS
>>> masquerading").
>>> 
>>> 
>>> 
>>> Issue number: 34
>>> Issue name: Possible exemption for aggregate analytics
>>> Suggested retitle: Possible exemption for unidentifiable data
>>> 
>>> Issue URL:
>>> http://www.w3.org/2011/tracking-protection/track/issues/34
>>> 
>>> Section number in the FPWD: 3.4 Types of Tracking
>>> Contributors to this text: (Draft) David Singer, (Edit) Jonathan Mayer
>>> 
>>> Specification:
>>> A third party may collect, retain, and use any information from a user or
>>> user agent that, with high probability, could not be used to: 1) identify
>>> or nearly identify a user or user agent; or
>>> 2) correlate the activities of a user or user agent across multiple network
>>> interactions.
>>> 
>>> Examples:
>>> 1. A third-party advertising network records the fact that it displayed an
>>> ad.
>>> 2. A third-party analytics service counts the number of times a popular
>>> page was loaded.
>>> 
>>> Non-Normative Discussion:
>>> This exception (like all exceptions) may not be combined with other
>>> exceptions unless specifically allowed.  A third party acting within the
>>> outsourcing exception, for example, may not make independent use of the
>>> data it has collected even though the use involves unidentifiable data.  A
>>> rule to the contrary would provide a perverse incentive for third parties
>>> to press all exceptions to the limit and then use the collected data within
>>> this exception. A potential ‘safe harbor’ under this clause could be to
>>> retain only aggregate counts, not per-transaction records.
>>> 
>>> Text that possibly belongs elsewhere:
>>> Possible advances in de-anonymization that make previously non-identifiable
>>> data identifiable should be considered. [Maybe need an issue: whose
>>> problem is it when data from disparate sources, all but one of which are
>>> anonymous, is combined to achieve de-anonymization?]
> 
> 
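As an added illustration (not part of the thread or of any W3C text), the following constructed Python model shows how a third-party analytics service could be structured to stay inside both proposed exceptions at once: storage is partitioned by first party in the spirit of rule (4)'s same-origin segregation, only aggregate page-load counts are retained (the issue 34 safe harbor), reports are per first party only (rule 2), and retention ends with the agreement (rule 3). The class name, method names and origins such as othershop.example are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from typing import Dict


class OutsourcedAnalytics:
    """Constructed model of a third party acting under the outsourcing
    exception: it stands in each first party's shoes and goes no further."""

    def __init__(self) -> None:
        # One Counter per first-party origin. Partitioning on the first party
        # is the storage-level analogue of the same-origin segregation in
        # rule (4): nothing is keyed on the user, so visits to two different
        # customers can never be joined into a cross-site profile.
        self._counts: Dict[str, Counter] = defaultdict(Counter)

    def record_visit(self, first_party: str, page: str) -> None:
        # Issue 34 safe harbor: retain only the aggregate count of loads for
        # this page, never a per-transaction record (no IP, cookie, timestamp).
        self._counts[first_party][page] += 1

    def report(self, first_party: str) -> Dict[str, int]:
        # Rule (2): results are available only to the first party they were
        # collected for; there is deliberately no "all customers" view.
        return dict(self._counts.get(first_party, {}))

    def end_of_agreement(self, first_party: str) -> None:
        # Rule (3): retention must not survive the enforceable agreement, so
        # the whole partition for that first party is discarded.
        self._counts.pop(first_party, None)


def demo() -> Dict[str, int]:
    """Constructed sample traffic for two unrelated first parties."""
    svc = OutsourcedAnalytics()
    for page in ("/home", "/home", "/pricing"):
        svc.record_visit("exampleproducts.com", page)
    svc.record_visit("othershop.example", "/home")
    # ExampleProducts sees only its own counts, nothing about othershop.
    return svc.report("exampleproducts.com")


if __name__ == "__main__":
    print(demo())
```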

Received on Monday, 9 January 2012 20:58:47 UTC