
Re: Request for thoughts: US, EU, and international DNT

From: Ninja Marnau <nmarnau@datenschutzzentrum.de>
Date: Sun, 22 Jan 2012 21:45:22 +0100
Message-ID: <4F1C7562.1080809@datenschutzzentrum.de>
To: JC Cannon <jccannon@microsoft.com>
CC: "Frank.Wagner@telekom.de" <Frank.Wagner@telekom.de>, "aleecia@aleecia.com" <aleecia@aleecia.com>, "public-tracking@w3.org" <public-tracking@w3.org>
Hi JC,

you are right about our tight schedule. But as I have understood 
Aleecia, this discussion shall not be included in the document. Instead, 
it may help us to locate and evaluate the DNT we are proposing compared 
to international (legal) requirements.

Aleecia, please correct me if I misunderstood this.

Best regards,

On 22.01.2012 14:48, JC Cannon wrote:
> I feel we have enough challenges with meeting our aggressive dates without adding additional complexity to the mix. I would prefer to see us address this in the next version.
> JC
> Twitter
> -----Original Message-----
> From: Ninja Marnau [mailto:nmarnau@datenschutzzentrum.de]
> Sent: Sunday, January 22, 2012 5:02 AM
> To: Frank.Wagner@telekom.de
> Cc: aleecia@aleecia.com; public-tracking@w3.org
> Subject: Re: Request for thoughts: US, EU, and international DNT
> Hi Frank,
> great to hear that you want to participate. I am looking forward to meeting you on Tuesday.
> Do I remember correctly that you and Rob work on the issue in which way 1st party/3rd party relate to data controller/data processor? I think it would be very helpful to combine these two topics. Do you already have a draft for this issue, which I can read to prepare for the meeting?
> Best regards,
> Ninja
> On 22.01.2012 12:12, Frank.Wagner@telekom.de wrote:
>> Greetings,
>> I am highly interested in participating on this issue. Let's talk at
>> the f2f meeting how to organize it.
>> Best, have good trip !
>> Frank
>> Deutsche Telekom AG
>> Service Headquarters, Group Privacy
>> Frank Wagner
>> Deutsche-Telekom-Allee 7, 64295 Darmstadt, Germany
>> +49 6151 937-3514 (Phone)
>> +49 521 9210-1175 (Fax)
>> +49 175 181-9770 (Mobile)
>> E-Mail: frank.wagner@telekom.de
>> www.telekom.com
>> On 10.01.2012 at 11:27, "Aleecia M. McDonald"
>> <aleecia@aleecia.com> wrote:
>>> Greetings,
>>> I've been giving some thought to how we can make our work relevant in
>>> the EU and US, despite some strong differences. Nations have borders
>>> but the Internet does not. How can we support different regional
>>> cultures, norms, and laws on the Internet? I am putting this out as
>>> some things to think about and discuss further.
>>> Here are a few of my starting assumptions:
>>> * In the US, a first v. third party distinction is very important to
>>> businesses.
>>> In many (but not all) EU countries, first party is not an interesting
>>> or meaningful way to look at things.
>>> * Key word in Europe: Consent
>>> - Users who do not consent to data practices must have their privacy
>>> protected.
>>> - A global consent may not be sufficient; consent must be particular
>>> to a company and to a description of data use (in at least some
>>> countries)
>>> - We should at least address Article 5(3) of the 2002 ePrivacy
>>> Directive [1]
>>> - There is wide interest in finding a way to implement the revised
>>> framework of the Article 5(3) ePrivacy Directive without a deeply
>>> painful (on business or users) implementation, and DNT may help [2]
>>> - The exemptions we consider would not be valid in the EU without
>>> specific consent [3]
>>> * Key word in US: Choice
>>> - Users who choose to interact with a site do not need as much
>>> privacy protection as they do from sites they do not choose to
>>> interact with
>>> - We should at least fulfill the requirements for DNT set out in the
>>> FTC staff report [4]
>>> - We should co-exist with existing industry self-regulation
>>> mechanisms [5]
>>> Here are three areas where I think we can have a uniform underlying
>>> technical standard that is flexible enough to accommodate different
>>> national and regional policy priorities:
>>> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable
>>> DNT, DNT: 0 means do not enable DNT, and nothing sent means users
>>> have not made a selection.
>>> In the US, no DNT signal gets viewed as "users did not choose to
>>> enable DNT" and treated as DNT: 0.
>>> In some of the EU, no DNT signal gets viewed as "users did not
>>> consent to tracking" and treated as DNT: 1.
>>> (B) In the US, site-specific exceptions will allow users to "opt back
>>> in" for specific first and third party pairs (perhaps along the likes
>>> of what Shane and Nick co-authored). In the EU, some (but not all)
>>> countries will require consent on a site-by-site basis, rather than a
>>> global "DNT: 0" signal or no DNT signal at all. The site-specific
>>> exemptions mechanism becomes the path to enable users to consent per site.
>>> (C) In the US, first parties have minimal responsibilities when
>>> receiving a DNT: 1 signal (perhaps along the lines of what Jonathan
>>> and Tom co-authored). In some (but not all) EU countries, there may
>>> be nothing that applies globally to all first and third parties, (and
>>> more to the point, the data controller) perhaps making the
>>> first/third party distinction irrelevant.
>>> I think this could be good enough in enough different ways for enough
>>> different interests. I'd like to hear other reactions. Does anyone
>>> have better or simpler ideas? Is this still too US-centric to work in
>>> Europe?
>>> If we find something we think will work, we could add a non-normative
>>> section to one of the specifications, or we could issue a note.
>>> Either way, I think specifications shouldn't be hard-coded to
>>> specific regulations and laws. However, since I think this approach
>>> could be confusing to those implementing the specification, I would
>>> like to give implementors a fighting chance by providing our opinions
>>> (and not legal advice!) with pointers to additional information. How
>>> does this approach sound?
>>> And last but not least: any volunteers to work on these topics?
>>> Aleecia
>>> Thanks to a few TPWG members for taking time to step me through some
>>> of the issues here. All mistakes are, of course, my own. Citations
>>> and useful reading:
>>> [1] For the before & after versions of 5(3), see [7], p 7
>>> [2] See slides from Carl Christian Buhr, a member of Commissioner Kroes'
>>> Cabinet (European Commission), particularly slides 11-13, suggesting
>>> DNT could satisfy 5(3):
>>> http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
>>> [3] As per 5(3), "Exceptions to the obligation to provide information
>>> and offer the right to refuse should be limited to those situations
>>> where the technical storage or access is strictly necessary for the
>>> legitimate purpose of enabling the use of a specific service
>>> explicitly requested by the subscriber or user" is a given, but are
>>> other exemptions allowed? Recital 25 reads to me as: yes with
>>> consent, and no without consent. For example, billing for ad
>>> impressions is not part of the service explicitly requested, and
>>> seems to require informed consent. See [7], p 8
>>> [4] FTC staff report, starting p 63,
>>> http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
>>> [5] In particular, it would be unfortunate if DNT off with an opt-out
>>> cookie was interpreted one way by self-regulatory bodies, and another
>>> way in the DNT recommendations. We likely will reach different end
>>> points than the self-regulation guidelines, but they remain a very
>>> fruitful source of background information, including the recent
>>> multi-site data principles (http://www.aboutads.info/msdprinciples)
>>> and the OBA principles (http://www.aboutads.info/obaprinciples).
>>> [6] A very readable summary of [7] discussing where industry
>>> self-regulation is seen to fall short of 5(3):
>>> http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie.
>>> [7] The actual report itself:
>>> http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf
>>> (COCOM10-34, Implementation of the revised Framework – Article
>>> 5(3) of the ePrivacy Directive)
>>> [8] The whole text is worth at least
>>> skimming, including a brief note on children under 12. In particular
>>> the section on consent for cookies starting on p 8, and examples of
>>> consent not using pop ups on p 9:
>>> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf
Received on Sunday, 22 January 2012 20:44:12 UTC
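The tri-part DNT signal with regional defaults (point A) and the site-specific exception as the per-site consent path (point B) from Aleecia's quoted message, worked through as server-side decision logic. This is an added example, not code from the thread or from any W3C specification; the policy table, the function names and the `site_exception` / `per_site_consent_required` parameters are assumptions.

```python
from typing import Mapping, Optional

# Constructed policy table (assumption): how an absent or malformed DNT
# header is read per region, following the thread's description.
ABSENT_DNT_DEFAULT = {
    "US": "0",  # no signal read as "user did not choose to enable DNT"
    "EU": "1",  # no signal read as "user did not consent to tracking"
}

def dnt_from_headers(headers: Mapping[str, str]) -> Optional[str]:
    """Case-insensitive lookup of the DNT request header; None if absent."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value
    return None

def normalize_dnt(raw: Optional[str]) -> Optional[str]:
    """Return "1" or "0" for a valid signal, None when absent or malformed."""
    if raw is None:
        return None
    value = raw.strip()
    return value if value in ("0", "1") else None

def effective_dnt(raw: Optional[str], region: str) -> str:
    """Apply the regional default when no valid DNT value was sent.
    Unknown regions fall back to the strict reading "1" (assumption)."""
    value = normalize_dnt(raw)
    return value if value is not None else ABSENT_DNT_DEFAULT.get(region, "1")

def tracking_permitted(headers: Mapping[str, str], region: str,
                       site_exception: bool = False,
                       per_site_consent_required: bool = False) -> bool:
    """Decide whether a third party may track on this request.

    site_exception: the user granted a site-specific exception ("opt back
        in", point B), which doubles as the per-site consent path in the EU.
    per_site_consent_required: jurisdictions where a global DNT:0 or an
        absent header is not valid consent, so only a site exception counts.
    """
    if site_exception:
        return True
    if per_site_consent_required:
        return False
    return effective_dnt(dnt_from_headers(headers), region) == "0"
```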
