Re: Request for thoughts: US, EU, and international DNT

Hi Ninja,

You are right. It's Issue-14, "How do what we talk about with 1st/3rd party relate to European law about data controller vs data processor?", which Rob and I are working on. I drafted a first text, but the feedback from Rob is still pending. He just wanted to do some additional work, a bit more related to the EU Directive than my first draft was. Results are still pending... Sorry.


Best regards, CU tomorrow
Frank


Deutsche Telekom AG
Service Headquarters, Group Privacy
Frank Wagner
Deutsche-Telekom-Allee 7, 64295 Darmstadt, Germany
+49 6151 937-3514 (Phone)
+49 521 9210-1175 (Fax)
+49 175 181-9770 (Mobile)
E-Mail: frank.wagner@telekom.de
www.telekom.com

Life is for sharing.

Deutsche Telekom AG
Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
Board of Management: René Obermann (Chairman),
Dr. Manfred Balz, Reinhard Clemens, Niek Jan van Damme,
Timotheus Höttges, Claudia Nemat, Thomas Sattelberger
Commercial register: Amtsgericht Bonn HRB 6794
Registered office: Bonn

Big changes start small - conserve resources by not printing every e-mail.

-----Original Message-----
From: Ninja Marnau [mailto:nmarnau@datenschutzzentrum.de]
Sent: Sunday, 22 January 2012 14:02
To: Wagner, Frank
Cc: aleecia@aleecia.com; public-tracking@w3.org
Subject: Re: Request for thoughts: US, EU, and international DNT

Hi Frank,

great to hear that you want to participate. I am looking forward to
meeting you on Tuesday.

Do I remember correctly that you and Rob work on the issue in which way
1st party/3rd party relate to data controller/data processor? I think it
would be very helpful to combine these two topics. Do you already have a
draft for this issue, which I can read to prepare for the meeting?

Best regards,

Ninja

On 22.01.2012 12:12, Frank.Wagner@telekom.de wrote:
> Greetings,
>
> I am highly interested in participating on this issue. Let's talk at the
> f2f meeting how to organize it.
>
> Best, have a good trip!
> Frank
>
>
>
>
>
> On 10.01.2012 at 11:27, "Aleecia M. McDonald"
> <aleecia@aleecia.com <mailto:aleecia@aleecia.com>> wrote:
>
>> Greetings,
>>
>> I've been giving some thought to how we can make our work relevant in
>> the EU and US, despite some strong differences. Nations have borders
>> but the Internet does not. How can we support different regional
>> cultures, norms, and laws on the Internet? I am putting this out as
>> some things to think about and discuss further.
>>
>> Here are a few of my starting assumptions:
>>
>> * In the US, a first v. third party distinction is very important to
>> businesses.
>> In many (but not all) EU countries, first party is not an interesting
>> or meaningful way to look at things.
>> * Key word in Europe: Consent
>> - Users who do not consent to data practices must have their privacy
>> protected.
>> - A global consent may not be sufficient; consent must be particular
>> to a company and to a description of data use (in at least some countries)
>> - We should at least address Article 5(3) of the 2002 ePrivacy
>> Directive [1]
>> - There is wide interest in finding a way to implement the revised
>> framework of the Article 5(3) ePrivacy Directive without a deeply
>> painful (on business or users) implementation, and DNT may help [2]
>> - The exemptions we consider would not be valid in the EU without
>> specific consent [3]
>> * Key word in US: Choice
>> - Users who choose to interact with a site do not need as much privacy
>> protection as they do from sites they do not choose to interact with
>> - We should at least fulfill the requirements for DNT set out in the
>> FTC staff report [4]
>> - We should co-exist with existing industry self-regulation mechanisms [5]
>>
>> Here are three areas where I think we can have a uniform underlying
>> technical standard that is flexible enough to accommodate different
>> national and regional policy priorities:
>>
>> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable
>> DNT, DNT: 0 means do not enable DNT, and nothing sent means users have
>> not made a selection.
>> In the US, no DNT signal gets viewed as "users did not choose to
>> enable DNT" and treated as DNT: 0.
>> In some of the EU, no DNT signal gets viewed as "users did not consent
>> to tracking" and treated as DNT: 1.
>> (B) In the US, site-specific exceptions will allow users to "opt back
>> in" for specific first and third party pairs (perhaps along the likes
>> of what Shane and Nick co-authored). In the EU, some (but not all)
>> countries will require consent on a site-by-site basis, rather than a
>> global "DNT: 0" signal or no DNT signal at all. The site-specific
>> exemptions mechanism becomes the path to enable users to consent per site.
>> (C) In the US, first parties have minimal responsibilities when
>> receiving a DNT: 1 signal (perhaps along the lines of what Jonathan
>> and Tom co-authored). In some (but not all) EU countries, there may be
>> nothing that applies globally to all first and third parties, (and
>> more to the point, the data controller) perhaps making the first/third
>> party distinction irrelevant.
>>
>> I think this could be good enough in enough different ways for enough
>> different interests. I'd like to hear other reactions. Does anyone
>> have better or simpler ideas? Is this still too US-centric to work in
>> Europe?
>>
>> If we find something we think will work, we could add a non-normative
>> section to one of the specifications, or we could issue a note. Either
>> way, I think specifications shouldn't be hard-coded to specific
>> regulations and laws. However, since I think this approach could be
>> confusing to those implementing the specification, I would like to
>> give implementors a fighting chance by providing our opinions (and not
>> legal advice!) with pointers to additional information. How does this
>> approach sound?
>>
>> And last but not least: any volunteers to work on these topics?
>>
>> Aleecia
>>
>> Thanks to a few TPWG members for taking time to step me through some
>> of the issues here. All mistakes are, of course, my own. Citations and
>> useful reading:
>>
>> [1] For the before & after versions of 5(3), see [7], p 7
>> [2] See slides from Carl Christian Buhr, a member of Commissioner
>> Kroes' Cabinet (European Commission), particularly slides 11-13,
>> suggesting DNT could satisfy 5(3):
>> http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
>> [3] As per 5(3), "Exceptions to the obligation to provide information
>> and offer the right to refuse should be limited to those situations
>> where the technical storage or access is strictly necessary for the
>> legitimate purpose of enabling the use of a specific service
>> explicitly requested by the subscriber or user" is a given, but are
>> other exemptions allowed? Recital 25 reads to me as: yes with consent,
>> and no without consent. For example, billing for ad impressions is not
>> part of the service explicitly requested, and seems to require
>> informed consent. See [7], p 8
>> [4] FTC staff report, starting p 63,
>> http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
>> [5] In particular, it would be unfortunate if DNT off with an opt-out
>> cookie was interpreted one way by self-regulatory bodies, and another
>> way in the DNT recommendations. We likely will reach different end
>> points than the self-regulation guidelines, but they remain a very
>> fruitful source of background information, including the recent
>> multi-site data principles (http://www.aboutads.info/msdprinciples)
>> and the OBA principles (http://www.aboutads.info/obaprinciples).
>> [6] A very readable summary of [7] discussing where industry
>> self-regulation is seen to fall short of 5(3):
>> http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie
>>
>> [7] The actual report itself:
>> http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf
>> (COCOM10-34, Implementation of the revised Framework - Article 5(3) of
>> the ePrivacy Directive)
>> [8] The whole text is worth at least skimming, including a brief note
>> on children under 12. In particular the section on consent for cookies
>> starting on p 8, and examples of consent not using pop ups on p 9:
>> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf

--

Ninja Marnau
mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
Phone: +49 431/988-1285, Fax +49 431/988-1223
Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
Independent Centre for Privacy Protection Schleswig-Holstein
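The regional treatment of the DNT signal sketched in parts (A) and (B) of Aleecia's message, as an added server-side example. This is not code from the Tracking Protection Working Group or from any of the thread's participants. It assumes, beyond what the thread states, that a DNT header value other than a bare "0" or "1" is treated as if no header had been sent, that site-specific exceptions are recorded per (first-party host, third-party host) pair, and that the two region policies are the only ones in play; the names `Region`, `evaluate` and `tracking_permitted` are ours.

```python
"""Evaluate a request's DNT signal under a regional policy.

Part (A): the signal is tri-state. "1" enables DNT, "0" disables it, and an
absent header means the user made no selection. A US-style policy reads an
absent header as DNT:0; an EU-style policy reads it as DNT:1.

Part (B): a site-specific exception for a (first party, third party) pair is
the consent mechanism. Under the EU-style policy a global DNT:0 alone is not
consent; only the per-site exception is.
"""
from enum import Enum
from typing import FrozenSet, Mapping, Optional, Tuple


class Region(Enum):
    US = "us"  # absent header treated like DNT: 0
    EU = "eu"  # absent header treated like DNT: 1 (some EU countries)


# Default interpretation of an absent signal, per part (A) of the thread.
DEFAULT_WHEN_UNSET = {Region.US: "0", Region.EU: "1"}

# (first-party host, third-party host), both lower-cased.
SiteException = Tuple[str, str]


def parse_dnt(headers: Mapping[str, str]) -> Optional[str]:
    """Return "0", "1", or None when the header is absent or malformed.

    Header names are matched case-insensitively. Anything other than a bare
    "0" or "1" is treated as 'no selection made' (our assumption, so that an
    unparseable value never silently reads as consent).
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            return value if value in ("0", "1") else None
    return None


def grant_exception(exceptions: FrozenSet[SiteException],
                    first_party: str, third_party: str) -> FrozenSet[SiteException]:
    """Record that the user opted back in for this first/third party pair."""
    return exceptions | {(first_party.lower(), third_party.lower())}


def evaluate(headers: Mapping[str, str], region: Region, first_party: str,
             third_party: str, exceptions: FrozenSet[SiteException]) -> Tuple[bool, str]:
    """Decide whether third_party may track a visitor of first_party.

    Returns (permitted, reason); the reason is meant for the server's audit
    log so that a decision can be reconstructed later.
    """
    if (first_party.lower(), third_party.lower()) in exceptions:
        return True, "site-specific exception granted for this pair"

    signal = parse_dnt(headers)
    if signal is None:
        signal = DEFAULT_WHEN_UNSET[region]
        source = f"no valid DNT header; {region.value} default is DNT:{signal}"
    else:
        source = f"DNT:{signal} sent"

    if signal == "1":
        return False, source + " -> tracking not permitted"
    if region is Region.US:
        return True, source + " -> global opt-out of DNT accepted"
    return False, source + " -> global DNT:0 is not consent here; per-site exception required"


def tracking_permitted(headers: Mapping[str, str], region: Region, first_party: str,
                       third_party: str,
                       exceptions: FrozenSet[SiteException] = frozenset()) -> bool:
    return evaluate(headers, region, first_party, third_party, exceptions)[0]


if __name__ == "__main__":
    # Constructed sample requests; the hosts are placeholders.
    samples = [
        ({}, Region.US), ({}, Region.EU),
        ({"DNT": "1"}, Region.US), ({"dnt": "0"}, Region.EU),
        ({"DNT": "yes"}, Region.EU),
    ]
    for hdrs, region in samples:
        print(region.value, hdrs, evaluate(hdrs, region, "news.example", "ads.example", frozenset()))
    opted_in = grant_exception(frozenset(), "News.Example", "ads.example")
    print(evaluate({"DNT": "1"}, Region.EU, "news.example", "ads.example", opted_in))
```

The reason string is the part worth keeping in production: when a regulator or a user asks why a third party was allowed to track under a given policy, the log line should name the signal that was present, the default that was applied, and the exception (if any) that decided it.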

Received on Monday, 23 January 2012 09:34:25 UTC