RE: Request for thoughts: US, EU, and international DNT

I feel we have enough challenges with meeting our aggressive dates without adding additional complexity to the mix. I would prefer to see us address this in the next version.

JC
Twitter

-----Original Message-----
From: Ninja Marnau [mailto:nmarnau@datenschutzzentrum.de] 
Sent: Sunday, January 22, 2012 5:02 AM
To: Frank.Wagner@telekom.de
Cc: aleecia@aleecia.com; public-tracking@w3.org
Subject: Re: Request for thoughts: US, EU, and international DNT

Hi Frank,

great to hear that you want to participate. I am looking forward to meeting you on Tuesday.

Do I remember correctly that you and Rob work on the issue in which way 1st party/3rd party relate to data controller/data processor? I think it would be very helpful to combine these two topics. Do you already have a draft for this issue, which I can read to prepare for the meeting?

Best regards,

Ninja

On 22.01.2012 12:12, Frank.Wagner@telekom.de wrote:
> Greetings,
>
> I am highly interested in participating in this issue. Let's talk at 
> the f2f meeting about how to organize it.
>
> Best, have a good trip!
> Frank
>
>
>
> Deutsche Telekom AG
> Service Headquarters, Group Privacy
> Frank Wagner
> Deutsche-Telekom-Allee 7, 64295 Darmstadt, Germany
> +49 6151 937-3514 (Phone)
> +49 521 9210-1175 (Fax)
> +49 175 181-9770 (Mobile)
> E-Mail: frank.wagner@telekom.de
> http://www.telekom.com
>
> Life is for sharing.
>
> Deutsche Telekom AG
> Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
> Board of Management: René Obermann (Chairman), Dr. Manfred Balz, Reinhard Clemens, Niek Jan van Damme, Timotheus Höttges, Claudia Nemat, Thomas Sattelberger
> Commercial register: Amtsgericht Bonn HRB 6794
> Registered office: Bonn
>
> Big changes start small – conserve resources by not printing every e-mail.
>
>
> On 10.01.2012 at 11:27, "Aleecia M. McDonald" <aleecia@aleecia.com> wrote:
>
>> Greetings,
>>
>> I've been giving some thought to how we can make our work relevant in 
>> the EU and US, despite some strong differences. Nations have borders 
>> but the Internet does not. How can we support different regional 
>> cultures, norms, and laws on the Internet? I am putting this out as 
>> some things to think about and discuss further.
>>
>> Here are a few of my starting assumptions:
>>
>> * In the US, a first v. third party distinction is very important to 
>> businesses.
>> In many (but not all) EU countries, first party is not an interesting 
>> or meaningful way to look at things.
>> * Key word in Europe: Consent
>> - Users who do not consent to data practices must have their privacy 
>> protected.
>> - A global consent may not be sufficient; consent must be particular 
>> to a company and to a description of data use (in at least some 
>> countries)
>> - We should at least address Article 5(3) of the 2002 ePrivacy 
>> Directive [1]
>> - There is wide interest in finding a way to implement the revised 
>> framework of the Article 5(3) ePrivacy Directive without a deeply 
>> painful (on business or users) implementation, and DNT may help [2]
>> - The exemptions we consider would not be valid in the EU without 
>> specific consent [3]
>> * Key word in US: Choice
>> - Users who choose to interact with a site do not need as much 
>> privacy protection as they do from sites they do not choose to 
>> interact with
>> - We should at least fulfill the requirements for DNT set out in the 
>> FTC staff report [4]
>> - We should co-exist with existing industry self-regulation 
>> mechanisms [5]
>>
>> Here are three areas where I think we can have a uniform underlying 
>> technical standard that is flexible enough to accommodate different 
>> national and regional policy priorities:
>>
>> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable 
>> DNT, DNT: 0 means do not enable DNT, and nothing sent means users 
>> have not made a selection.
>> In the US, no DNT signal gets viewed as "users did not choose to 
>> enable DNT" and treated as DNT: 0.
>> In some of the EU, no DNT signal gets viewed as "users did not 
>> consent to tracking" and treated as DNT: 1.
>> (B) In the US, site-specific exceptions will allow users to "opt back 
>> in" for specific first and third party pairs (perhaps along the likes 
>> of what Shane and Nick co-authored). In the EU, some (but not all) 
>> countries will require consent on a site-by-site basis, rather than a 
>> global "DNT: 0" signal or no DNT signal at all. The site-specific 
>> exemptions mechanism becomes the path to enable users to consent per site.
>> (C) In the US, first parties have minimal responsibilities when 
>> receiving a DNT: 1 signal (perhaps along the lines of what Jonathan 
>> and Tom co-authored). In some (but not all) EU countries, there may 
>> be nothing that applies globally to all first and third parties, (and 
>> more to the point, the data controller) perhaps making the 
>> first/third party distinction irrelevant.
>>
>> I think this could be good enough in enough different ways for enough 
>> different interests. I'd like to hear other reactions. Does anyone 
>> have better or simpler ideas? Is this still too US-centric to work in 
>> Europe?
>>
>> If we find something we think will work, we could add a non-normative 
>> section to one of the specifications, or we could issue a note. 
>> Either way, I think specifications shouldn't be hard-coded to 
>> specific regulations and laws. However, since I think this approach 
>> could be confusing to those implementing the specification, I would 
>> like to give implementors a fighting chance by providing our opinions 
>> (and not legal advice!) with pointers to additional information. How 
>> does this approach sound?
>>
>> And last but not least: any volunteers to work on these topics?
>>
>> Aleecia
>>
>> Thanks to a few TPWG members for taking time to step me through some 
>> of the issues here. All mistakes are, of course, my own. Citations 
>> and useful reading:
>>
>> [1] For the before & after versions of 5(3), see [7], p 7
>> [2] See slides from Carl Christian Buhr, a member of Commissioner Kroes' 
>> Cabinet (European Commission), particularly slides 11-13, suggesting 
>> DNT could satisfy 5(3):
>> http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
>> [3] As per 5(3), "Exceptions to the obligation to provide information 
>> and offer the right to refuse should be limited to those situations 
>> where the technical storage or access is strictly necessary for the 
>> legitimate purpose of enabling the use of a specific service 
>> explicitly requested by the subscriber or user" is a given, but are 
>> other exemptions allowed? Recital 25 reads to me as: yes with 
>> consent, and no without consent. For example, billing for ad 
>> impressions is not part of the service explicitly requested, and 
>> seems to require informed consent. See [7], p 8
>> [4] FTC staff report, starting p 63, 
>> http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
>> [5] In particular, it would be unfortunate if DNT off with an opt-out 
>> cookie was interpreted one way by self-regulatory bodies, and another 
>> way in the DNT recommendations. We likely will reach different end 
>> points than the self-regulation guidelines, but they remain a very 
>> fruitful source of background information, including the recent 
>> multi-site data principles (http://www.aboutads.info/msdprinciples)
>> and the OBA principles (http://www.aboutads.info/obaprinciples).
>> [6] A very readable summary of [7] discussing where industry 
>> self-regulation is seen to fall short of 5(3):
>> http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie.
>> [7] The actual report itself:
>> http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf
>> (COCOM10-34, Implementation of the revised Framework – Article 
>> 5(3) of the ePrivacy Directive)
>> [8] The whole text is worth at least skimming, including a brief 
>> note on children under 12. In particular the section on consent for 
>> cookies starting on p 8, and examples of consent not using pop ups 
>> on p 9:
>> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf

-- 

Ninja Marnau
mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de

Phone: +49 431/988-1285, Fax +49 431/988-1223
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
Independent Centre for Privacy Protection Schleswig-Holstein
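The tri-state signal of point (A) and the site-specific exception mechanism of point (B) in Aleecia's message, as an added illustration in Python that is not part of this thread or of any DNT implementation; the region labels, the REGION_DEFAULT table, the exception store and the function names are assumptions made for the example.

```python
# Added example: resolve the effective Do Not Track decision for one
# first-party / third-party pair. Region labels and defaults are assumed
# for illustration, not taken from any specification.

# Point (A): an absent signal is read as "user did not choose DNT" (DNT: 0)
# in the US, and as "user did not consent to tracking" (DNT: 1) in some EU
# countries. Assumed labels: "US" and "EU-strict".
REGION_DEFAULT = {"US": "0", "EU-strict": "1"}

# Point (B): regimes where a global DNT: 0 (or no signal) is not valid
# consent, so only a site-specific exception counts as consent.
REQUIRES_SITE_CONSENT = {"EU-strict"}


def parse_dnt(headers):
    """Return '1', '0' or None (no selection) from the request headers.

    Header names are matched case-insensitively; any value other than
    '0' or '1' is treated as if no selection had been made.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("dnt")
    if value is None:
        return None
    value = value.strip()
    return value if value in ("0", "1") else None


def may_track(headers, region, first_party, third_party, exceptions):
    """Decide whether third_party may track the user while on first_party.

    exceptions: set of (first_party, third_party) pairs the user has
    explicitly opted back in to (the site-specific exception mechanism).
    Returns (allowed, reason).
    """
    signal = parse_dnt(headers)
    origin = "header"
    if signal is None:
        signal = REGION_DEFAULT[region]
        origin = "regional default"
    # A per-site exception is explicit consent for exactly this pair and
    # overrides a DNT: 1 signal in every region.
    if (first_party, third_party) in exceptions:
        return True, "site-specific exception for this first/third party pair"
    if signal == "1":
        return False, f"DNT: 1 ({origin}) and no site-specific exception"
    # signal == "0": sufficient in the US, but not where consent must be per site.
    if region in REQUIRES_SITE_CONSENT:
        return False, "global DNT: 0 is not site-specific consent in this region"
    return True, f"DNT: 0 ({origin})"
```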

Received on Sunday, 22 January 2012 13:49:37 UTC