- From: Ninja Marnau <nmarnau@datenschutzzentrum.de>
- Date: Sun, 22 Jan 2012 14:02:18 +0100
- To: Frank.Wagner@telekom.de
- CC: aleecia@aleecia.com, public-tracking@w3.org
Hi Frank, great to hear that you want to participate. I am looking forward to meeting you on Tuesday. Do I remember correctly that you and Rob work on the issue in which way 1st party/3rd party relate to data controller/data processor? I think it would be very helpful to combine these two topics. Do you already have a draft for this issue, which I can read to prepare for the meeting? Best regards, Ninja Am 22.01.2012 12:12, schrieb Frank.Wagner@telekom.de: > Greetings, > > I am highly interested in participating on this issue. Let's talk at the > f2f meeting how to organize it. > > Best, have good trip ! > Frank > > > > Deutsche Telekom AG > Service Headquarters, Group Privacy > Frank Wagner > Deutsche-Telekom-Allee 7, 64295 Darmstadt, Germany > +49 6151 937-3514 (Phone) > +49 521 9210-1175 (Fax) > +49 175 181-9770 (Mobile) > E-Mail: frank.wagner@telekom.de <mailto:frank.wagner@telekom.de> > www.telekom.com <http://www.telekom.com> > > Life is for sharing. > > Deutsche Telekom AG > Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman) > Board of Management: René Obermann (Chairman), > Dr. Manfred Balz, Reinhard Clemens, Niek Jan van Damme, > Timotheus Höttges, Claudia Nemat, Thomas Sattelberger > Commercial register: Amtsgericht Bonn HRB 6794 > Registered office: Bonn > > Big changes start small – conserve resources by not printing every e-mail. > > > Am 10.01.2012 um 11:27 schrieb "Aleecia M. McDonald" > <aleecia@aleecia.com <mailto:aleecia@aleecia.com>>: > >> Greetings, >> >> I've been giving some thought to how we can make our work relevant in >> the EU and US, despite some strong differences. Nations have borders >> but the Internet does not. How can we support different regional >> cultures, norms, and laws on the Internet? I am putting this out as >> some things to think about and discuss further. >> >> Here are a few of my starting assumptions: >> >> * In the US, a first v. third party distinction is very important to >> businesses. >> In many (but not all) EU countries, first party is not an interesting >> or meaningful way to look at things. >> * Key word in Europe: Consent >> - Users who do not consent to data practices must have their privacy >> protected. >> - A global consent may not be sufficient; consent must be particular >> to a company and to a description of data use (in at least some countries) >> - We should at least address Article 5(3) of the 2002 ePrivacy >> Directive [1] >> - There is wide interest in finding a way to implement the revised >> framework of the Article 5(3) ePrivacy Directive without a deeply >> painful (on business or users) implementation, and DNT may help [2] >> - The exemptions we consider would not be valid in the EU without >> specific consent [3] >> * Key word in US: Choice >> - Users who choose to interact with a site do not need as much privacy >> protection as they do from sites they do not choose to interact with >> - We should at least fulfill the requirements for DNT set out in the >> FTC staff report [4] >> - We should co-exist with existing industry self-regulation mechanisms [5] >> >> Here are three areas where I think we can have a uniform underlying >> technical standard that is flexible enough to accommodate different >> national and regional policy priorities: >> >> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable >> DNT, DNT: 0 means do not enable DNT, and nothing sent means users have >> not made a selection. >> In the US, no DNT signal gets viewed as "users did not choose to >> enable DNT" and treated as DNT: 0. >> In some of the EU, no DNT signal gets viewed as "users did not consent >> to tracking" and treated as DNT: 1. >> (B) In the US, site-specific exceptions will allow users to "opt back >> in" for specific first and third party pairs (perhaps along the likes >> of what Shane and Nick co-authored). In the EU, some (but not all) >> countries will require consent on a site-by-site basis, rather than a >> global "DNT: 0" signal or no DNT signal at all. The site-specific >> exemptions mechanism becomes the path to enable users to consent per site. >> (C) In the US, first parties have minimal responsibilities when >> receiving a DNT: 1 signal (perhaps along the lines of what Jonathan >> and Tom co-authored). In some (but not all) EU countries, there may be >> nothing that applies globally to all first and third parties, (and >> more to the point, the data controller) perhaps making the first/third >> party distinction irrelevant. >> >> I think this could be good enough in enough different ways for enough >> different interests. I'd like to hear other reactions. Does anyone >> have better or simpler ideas? Is this still too US-centric to work in >> Europe? >> >> If we find something we think will work, we could add a non-normative >> section to one of the specifications, or we could issue a note. Either >> way, I think specifications shouldn't be hard-coded to specific >> regulations and laws. However, since I think this approach could be >> confusing to those implementing the specification, I would like to >> give implementors a fighting chance by providing our opinions (and not >> legal advice!) with pointers to additional information. How does this >> approach sound? >> >> And last but not least: any volunteers to work on these topics? >> >> Aleecia >> >> Thanks to a few TPWG members for taking time to step me through some >> of the issues here. All mistakes are, of course, my own. Citations and >> useful reading: >> >> [1] For the before & after versions of 5(3), see [7], p 7 >> [2] See slides from Carl Christian Buhr, a member of Commissioner >> Kroes' Cabinet (European Commission), particularly slides 11-13, >> suggesting DNT could satisfy 5(3): >> http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum >> [3] As per 5(3), "Exceptions to the obligation to provide information >> and offer the right to refuse should be limited to those situations >> where the technical storage or access is strictly necessary for the >> legitimate purpose of enabling the use of a specific service >> explicitly requested by the subscriber or user" is a given, but are >> other exemptions allowed? Recital 25 reads to me as: yes with consent, >> and no without consent. For example, billing for ad impressions is not >> part of the service explicitly requested, and seems to require >> informed consent. See [7], p 8 >> [4] FTC staff report, starting p 63, >> http://www.ftc.gov/os/2010/12/101201privacyreport.pdf >> [5] In particular, it would be unfortunate if DNT off with an opt-out >> cookie was interpreted one way by self-regulatory bodies, and another >> way in the DNT recommendations. We likely will reach different end >> points than the self-regulation guidelines, but they remain a very >> fruitful source of background information, including the recent >> multi-site data principles (http://www.aboutads.info/msdprinciples) >> and the OBA principles (http://www.aboutads.info/obaprinciples). >> [6] A very readable summary of [7] discussing where industry >> self-regulation is seen to fall short of >> 5(3):http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie. >> >> [7] The actual report itself: >> ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf >> <http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf> >> (COCOM10-34, Implementation of the revised Framework– Article 5(3) of >> the ePrivacy Directive) >> [8] The whole text is worth at least skimming, including a brief note >> on children under 12. In particular the section on consent for cookies >> starting on p 8, and examples of consent not using pop ups on p 9: >> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf -- Ninja Marnau mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de Telefon: +49 431/988-1285, Fax +49 431/988-1223 Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein Independent Centre for Privacy Protection Schleswig-Holstein
Received on Sunday, 22 January 2012 13:01:00 UTC