Re: AW: Request for thoughts: US, EU, and international DNT

Anyone watching this discussion has to be thinking about the relationship with consent...

NYT: Europe Weighs Tough Law on Online Privacy
http://www.nytimes.com/2012/01/24/technology/europe-weighs-a-tough-law-on-online-privacy-and-user-data.html?_r=1&partner=rss&emc=rss


On Jan 23, 2012, at 1:33 AM, <Frank.Wagner@telekom.de> wrote:

> Hi Ninja,
> 
> You are right. It's Issue-14, "How do what we talk about with 1st/3rd party relate to European law about data controller vs data processor?" Rob and I are working on. I drafted a first text, still the feedback from Rob is pending. He just wanted to do some additional work, a bit more related to the EU Directive than my first draft was. Results are still pending... Sorry.
> 
> 
> Best regards, CU tomorrow
> Frank
> 
> 
> Deutsche Telekom AG
> Service Headquarters, Group Privacy
> Frank Wagner
> Deutsche-Telekom-Allee 7, 64295 Darmstadt, Germany
> +49 6151 937-3514 (Phone)
> +49 521 9210-1175 (Fax)
> +49 175 181-9770 (Mobile)
> E-Mail: frank.wagner@telekom.de
> www.telekom.com
> 
> Life is for sharing.
> 
> Deutsche Telekom AG
> Supervisory Board: Prof. Dr. Ulrich Lehner (Chairman)
> Board of Management: René Obermann (Chairman),
> Dr. Manfred Balz, Reinhard Clemens, Niek Jan van Damme,
> Timotheus Höttges, Claudia Nemat, Thomas Sattelberger
> Commercial register: Amtsgericht Bonn HRB 6794
> Registered office: Bonn
> 
> Big changes start small - conserve resources by not printing every e-mail.
> 
> -----Original Message-----
> From: Ninja Marnau [mailto:nmarnau@datenschutzzentrum.de]
> Sent: Sunday, 22 January 2012 14:02
> To: Wagner, Frank
> Cc: aleecia@aleecia.com; public-tracking@w3.org
> Subject: Re: Request for thoughts: US, EU, and international DNT
> 
> Hi Frank,
> 
> great to hear that you want to participate. I am looking forward to
> meeting you on Tuesday.
> 
> Do I remember correctly that you and Rob work on the issue in which way
> 1st party/3rd party relate to data controller/data processor? I think it
> would be very helpful to combine these two topics. Do you already have a
> draft for this issue, which I can read to prepare for the meeting?
> 
> Best regards,
> 
> Ninja
> 
> On 22.01.2012 12:12, Frank.Wagner@telekom.de wrote:
>> Greetings,
>> 
>> I am highly interested in participating on this issue. Let's talk at the
>> f2f meeting how to organize it.
>> 
>> Best, have a good trip!
>> Frank
>> 
>> 
>> 
>> On 10.01.2012 at 11:27, "Aleecia M. McDonald" <aleecia@aleecia.com> wrote:
>> 
>>> Greetings,
>>> 
>>> I've been giving some thought to how we can make our work relevant in
>>> the EU and US, despite some strong differences. Nations have borders
>>> but the Internet does not. How can we support different regional
>>> cultures, norms, and laws on the Internet? I am putting this out as
>>> some things to think about and discuss further.
>>> 
>>> Here are a few of my starting assumptions:
>>> 
>>> * In the US, a first v. third party distinction is very important to
>>>   businesses. In many (but not all) EU countries, first party is not an
>>>   interesting or meaningful way to look at things.
>>> * Key word in Europe: Consent
>>>   - Users who do not consent to data practices must have their privacy
>>>     protected.
>>>   - A global consent may not be sufficient; consent must be particular
>>>     to a company and to a description of data use (in at least some countries)
>>>   - We should at least address Article 5(3) of the 2002 ePrivacy
>>>     Directive [1]
>>>   - There is wide interest in finding a way to implement the revised
>>>     framework of the Article 5(3) ePrivacy Directive without a deeply
>>>     painful (on business or users) implementation, and DNT may help [2]
>>>   - The exemptions we consider would not be valid in the EU without
>>>     specific consent [3]
>>> * Key word in US: Choice
>>>   - Users who choose to interact with a site do not need as much privacy
>>>     protection as they do from sites they do not choose to interact with
>>>   - We should at least fulfill the requirements for DNT set out in the
>>>     FTC staff report [4]
>>>   - We should co-exist with existing industry self-regulation mechanisms [5]
>>> 
>>> Here are three areas where I think we can have a uniform underlying
>>> technical standard that is flexible enough to accommodate different
>>> national and regional policy priorities:
>>> 
>>> (A) As we have discussed, a tri-part DNT signal. DNT: 1 means enable
>>> DNT, DNT: 0 means do not enable DNT, and nothing sent means users have
>>> not made a selection.
>>> In the US, no DNT signal gets viewed as "users did not choose to
>>> enable DNT" and treated as DNT: 0.
>>> In some of the EU, no DNT signal gets viewed as "users did not consent
>>> to tracking" and treated as DNT: 1.
>>> (B) In the US, site-specific exceptions will allow users to "opt back
>>> in" for specific first and third party pairs (perhaps along the lines
>>> of what Shane and Nick co-authored). In the EU, some (but not all)
>>> countries will require consent on a site-by-site basis, rather than a
>>> global "DNT: 0" signal or no DNT signal at all. The site-specific
>>> exemptions mechanism becomes the path to enable users to consent per site.
>>> (C) In the US, first parties have minimal responsibilities when
>>> receiving a DNT: 1 signal (perhaps along the lines of what Jonathan
>>> and Tom co-authored). In some (but not all) EU countries, there may be
>>> nothing that applies globally to all first and third parties, (and
>>> more to the point, the data controller) perhaps making the first/third
>>> party distinction irrelevant.
>>> 
>>> I think this could be good enough in enough different ways for enough
>>> different interests. I'd like to hear other reactions. Does anyone
>>> have better or simpler ideas? Is this still too US-centric to work in
>>> Europe?
>>> 
>>> If we find something we think will work, we could add a non-normative
>>> section to one of the specifications, or we could issue a note. Either
>>> way, I think specifications shouldn't be hard-coded to specific
>>> regulations and laws. However, since I think this approach could be
>>> confusing to those implementing the specification, I would like to
>>> give implementors a fighting chance by providing our opinions (and not
>>> legal advice!) with pointers to additional information. How does this
>>> approach sound?
>>> 
>>> And last but not least: any volunteers to work on these topics?
>>> 
>>> Aleecia
>>> 
>>> Thanks to a few TPWG members for taking time to step me through some
>>> of the issues here. All mistakes are, of course, my own. Citations and
>>> useful reading:
>>> 
>>> [1] For the before & after versions of 5(3), see [7], p 7
>>> [2] See slides from Carl Christian Buhr, a member of Commissioner
>>> Kroes' Cabinet (European Commission), particularly slides 11-13,
>>> suggesting DNT could satisfy 5(3):
>>> http://www.slideshare.net/ccbuhr/20111206-buhr-cookieconundrum
>>> [3] As per 5(3), "Exceptions to the obligation to provide information
>>> and offer the right to refuse should be limited to those situations
>>> where the technical storage or access is strictly necessary for the
>>> legitimate purpose of enabling the use of a specific service
>>> explicitly requested by the subscriber or user" is a given, but are
>>> other exemptions allowed? Recital 25 reads to me as: yes with consent,
>>> and no without consent. For example, billing for ad impressions is not
>>> part of the service explicitly requested, and seems to require
>>> informed consent. See [7], p 8
>>> [4] FTC staff report, starting p 63,
>>> http://www.ftc.gov/os/2010/12/101201privacyreport.pdf
>>> [5] In particular, it would be unfortunate if DNT off with an opt-out
>>> cookie was interpreted one way by self-regulatory bodies, and another
>>> way in the DNT recommendations. We likely will reach different end
>>> points than the self-regulation guidelines, but they remain a very
>>> fruitful source of background information, including the recent
>>> multi-site data principles (http://www.aboutads.info/msdprinciples)
>>> and the OBA principles (http://www.aboutads.info/obaprinciples).
>>> [6] A very readable summary of [7] discussing where industry
>>> self-regulation is seen to fall short of
>>> 5(3): http://www.edri.org/edrigram/number9.17/article-29-oba-industry-cookie.
>>> 
>>> [7] The actual report itself:
>>> http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20111215_press_release_oba_final.pdf
>>> (COCOM10-34, Implementation of the revised Framework- Article 5(3) of
>>> the ePrivacy Directive)
>>> [8] The whole text is worth at least skimming, including a brief note
>>> on children under 12. In particular the section on consent for cookies
>>> starting on p 8, and examples of consent not using pop ups on p 9:
>>> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf
> 
> --
> 
> Ninja Marnau
> mail: NMarnau@datenschutzzentrum.de - http://www.datenschutzzentrum.de
> Phone: +49 431/988-1285, Fax +49 431/988-1223
> Unabhaengiges Landeszentrum fuer Datenschutz Schleswig-Holstein
> Independent Centre for Privacy Protection Schleswig-Holstein
> 
> 

Lauren Gelman
BlurryEdge Strategies
415-627-8512
gelman@blurryedge.com
http://blurryedge.com

Received on Tuesday, 24 January 2012 03:19:21 UTC